MaD dUCK on Thu, 4 Jan 2001 15:07:59 -0500



[PLUG] ftp/firewall security


(cc'ing this mail to a couple of LUG mailing lists...)

hey all,
spawned from a recent discussion on this mailing list (suse-security),
i would like to ask the following question:

in a NAT'd LAN, how can one enable the use of genuine ftp clients
(ncftp, wsftp) as well as netscape/ie that pretend to speak ftp,
without allowing all connections to ports 1024+ on the
firewall/masquerading host?

99% of all ftp traffic nowadays is passive, so the data transfer
happens from port 21 of the server to port x {x | x >= 1024} of the
client. our firewall is implemented with ipchains (subject to change
sometime), so it's stateless. blocking all ports above 1024 disables
not only ftp but a lot of services such as ssh that make use of the
ports 1024+ for the client connection.

philip snizek suggested closing ports 5000 and up, leaving only some
4000 ports for this usage, but that solution is not what i am looking
for because it still leaves 4000 ports open for an attack, and what is
more important in this situation, it is very possible that some client
program tries to establish a connection to a server with the backward
connect (server -> client) being something like x -> 5021. in that
case then, the connect will mysteriously fail (i DENY packets rather
than to REJECT them).

so while it is perfectly understandable to me how and why and what
ports under 1024 i have to block and open to secure the machine, the
ports above 1024 are a mystery. a lot of networks i have worked
in/with/for had firewall policies that allowed anything above 1024,
but as philip pointed out, this is asking for trojans. so i am
wondering if, besides the installation of a stateful firewall, there
is a way to secure the machine without affecting the liberty of the
users in the LAN.

and do you guys know of free, open-source stateful firewalls for
linux?

thanks,
martin

[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
-- 
echo '[dO%O+38%O+PO/d0<0]Fi22os0CC4BA64E418CE7l0xAP'|dc


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
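The reason the stateless ipchains setup in the question above has to leave the whole 1024+ range open is that the FTP data port is negotiated on the control channel: in passive mode the server's 227 reply names the host and port the client will connect to, and in active mode the client's PORT command names the host and port the server will connect to from port 20. A stateful firewall with an FTP helper reads that negotiation and opens one exact pinhole per transfer. The Python below is an added editorial example, not code from the original message or from any firewall project; it shows what such a helper extracts, and which announced addresses it should refuse to honour. The addresses and the control-channel transcript are constructed for the example.

```python
"""Extract the FTP data-connection endpoint from control-channel lines.

Added example (not from the original post). Addresses and transcript are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Six comma-separated decimal fields: four IPv4 octets, then port high byte, port low byte.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConn:
    """One TCP data connection that the control channel has announced."""
    mode: str       # "passive" or "active"
    initiator: str  # side that sends the SYN
    target: str     # side that must accept it
    port: int       # destination port of the SYN


def _decode(m: "re.Match[str]") -> Tuple[str, int]:
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %s" % m.group(0))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Inspect one control-channel line and return the data connection it sets up.

    Returns None for lines that carry no address (most of the dialogue).
    Raises ValueError for addresses a helper must not open a hole for.
    """
    line = line.strip()
    if line.startswith("227"):
        # Server reply to PASV: the client will connect to the host:port given here.
        m = _HOSTPORT.search(line)
        if not m:
            raise ValueError("malformed 227 reply: %r" % line)
        host, port = _decode(m)
        if host != server_ip:
            # A 227 pointing at a third host would trick the firewall into
            # admitting traffic to a machine the client never spoke to.
            raise ValueError("PASV host %s is not the server %s" % (host, server_ip))
        if port == 0:
            raise ValueError("PASV announced port 0")
        return DataConn("passive", client_ip, server_ip, port)
    if line.upper().startswith("PORT "):
        # Client command: the server will connect from port 20 to the host:port given here.
        m = _HOSTPORT.search(line)
        if not m:
            raise ValueError("malformed PORT command: %r" % line)
        host, port = _decode(m)
        if host != client_ip:
            raise ValueError("PORT host %s is not the client %s" % (host, client_ip))
        if port < 1024:
            # Classic FTP-bounce mitigation: never let a client aim the server at a privileged port.
            raise ValueError("PORT to privileged port %d refused" % port)
        return DataConn("active", server_ip, client_ip, port)
    return None


def session_data_connections(lines: List[str], client_ip: str, server_ip: str) -> List[DataConn]:
    """Walk a control-channel transcript and collect every data connection it announces."""
    found = []
    for line in lines:
        conn = expected_data_connection(line, client_ip, server_ip)
        if conn is not None:
            found.append(conn)
    return found


def pinhole(conn: DataConn) -> str:
    """Describe the one exact rule a stateful helper adds for this transfer,
    in place of a blanket 'allow everything above 1024'."""
    sport = "20" if conn.mode == "active" else "1024+"
    return "ACCEPT tcp %s:%s -> %s:%d (%s mode)" % (conn.initiator, sport, conn.target, conn.port, conn.mode)


if __name__ == "__main__":
    CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed addresses
    SESSION = [                                 # constructed transcript, both directions
        "220 ftp.example.test ready",
        "USER anonymous", "331 Please specify the password.", "PASS guest@",
        "230 Login successful.",
        "PASV", "227 Entering Passive Mode (192,0,2,10,19,137).",
        "RETR file1", "150 Opening BINARY mode data connection.", "226 Transfer complete.",
        "PORT 10,0,0,5,4,210", "200 PORT command successful.",
        "LIST", "150 Here comes the directory listing.", "226 Directory send OK.",
        "QUIT", "221 Goodbye.",
    ]
    for c in session_data_connections(SESSION, CLIENT, SERVER):
        print(pinhole(c))
```

Note that the constructed 227 reply announces port 19*256+137 = 5001, which is exactly the kind of transfer that "close 5000 and up" silently breaks on a filter that drops rather than rejects. The helper does not care where the port falls; it admits only the one (server, port) pair the control channel named, which is the property the question is after.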