gabriel rosenkoetter on Thu, 4 Jan 2001 15:27:43 -0500


[PLUG] Re: ftp/firewall security

On Thu, Jan 04, 2001 at 08:15:06PM +0100, MaD dUCK wrote:
> in a NAT'd LAN, how can one enable the use of genuine ftp clients
> (ncftp, wsftp) as well as netscape/ie that pretend to speak ftp,
> without allowing all connections to ports 1024+ on the
> firewall/masquerading host?

You can't. Passive ftp and firewalls don't mix, and never have. Any
intelligent ftp client (ncftp included, last I checked) will attempt
to use passive, and fall back to active if it can't get through.

If your problem is ftp'ing from inside the firewall to the outside,
get a clue and use a stateful firewall that will allow passive
response to your requests, or find some way to use a proxy. (Or, ftp
from your firewall box on the un-firewalled external interface, then
scp the files around locally.)

> 99% of all ftp traffic nowadays is passive, so the data transfer
> happens from port 21 of the server to port x {x | x >= 1024} of the
> client.

Um... where'd you come up with that figure?

> for because it still leaves 4000 ports open for an attack,

Um... it means that some ports are open for a malicious force to use
should they install a trojan, but without having anything serving on
those ports, allowing traffic through to them isn't doing you any
harm. (Actually, doing so would save a bit of computation for your

> more important in this situation, it is very possible that some client
> program tries to establish a connection to a server with the backward
> connect (server -> client) being something like x -> 5021.

... or 6xxx (X).

> (i DENY packets rather than to REJECT them).

Why? Short of a signature suggesting a DoS, it's common courtesy to
reject. Oh, wait, you lack state. Ne'mind. Get a real (stateful)
firewall, then. ;^>

> so while it is perfectly understandable to me how and why and what
> ports under 1024 i have to block and open to secure the machine, the
> ports above 1024 are a mystery. a lot of networks i have worked
> in/with/for had firewall policies that allowed anything above 1024,
> but as philip pointed out, this is asking for trojans.

No, no, no. This is painfully wrong-headed. You're only asking for
trojans if there's a way to break security on ports where you
actually run servers. If not, then having these ports open does you
no harm. If so, then a cracker will find a way to trojan you with
the ports you have open anyway. (Trust me, it's not hard to write a
daemon that behaves like an sshd except with certain input, when it
gives you a root shell instead, and substitute that for your
currently-running sshd.)

You're only hamstringing yourself by blocking these ports; you're
not making life any more difficult for someone truly interested in
being on the inside of your firewall.

> so i am
> wondering if, besides the installation of a stateful firewall, there
> is a way to secure the machine without affecting the liberty of the
> users in the LAN.

Every workable (note I don't say *good*) ipchains setup I've ever
seen just allowed ports over 1024. If you want to keep rpc or X
traffic inside, you're going to have to randomly decide to block
a swath of those, or trust that blocking the ports the server
daemons actually run on will be enough.

Or install yourself lots of proxies (no kind of fun).

> and do you guys know of free, open-source stateful firewalls for
> linux?

I'm pretty sure BSD ipf/ipnat will build on Linux (it does on
Solaris). Not that I've tried.

       ~ g r @

Philadelphia Linux Users Group - General Discussion
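Added illustration of the point the reply keeps coming back to (this is example code written for this page, not anything posted in the PLUG thread): a stateful firewall can read the FTP control channel and admit exactly the one data connection that was just negotiated, whereas the ipchains-era stateless rule has to let everything above 1024 through and so also admits an unrelated inbound connection to, say, an X display on 6000/tcp. The helper below is written from scratch in the spirit of a connection-tracking FTP helper; the addresses, the `227` reply and the `PORT` lines are constructed, and NAT rewriting of `PORT` is not modelled.

```python
"""
Model of an FTP-aware stateful filter versus a stateless "allow >= 1024" rule.

Two FTP data modes (RFC 959):
  active:  client sends "PORT h1,h2,h3,h4,p1,p2"; the SERVER then connects
           to client:(p1*256+p2) from its port 20.
  passive: client sends "PASV"; server replies
           "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the CLIENT then
           connects to server:(p1*256+p2) from an ephemeral port.
"""
import re

# Addresses and ports in these lines are constructed for the example.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_hostport(groups):
    """Turn the six FTP octets into (ip, port); reject out-of-range octets."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % (nums,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(line):
    """(ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    return parse_hostport(m.groups()) if m else None


def parse_port_command(line):
    """(ip, port) from a PORT command, or None if the line is not one."""
    m = PORT_RE.match(line)
    return parse_hostport(m.groups()) if m else None


class StatefulFtpFilter:
    """Tracks the control channel and opens one expected data flow at a time."""

    def __init__(self):
        self.expectations = set()  # (src_ip, dst_ip, dst_port) tuples

    def observe_control(self, client_ip, server_ip, direction, line):
        """direction is 'c2s' (client->server) or 's2c' (server->client)."""
        if direction == "c2s":
            hp = parse_port_command(line)
            # Only trust a PORT that names the client itself on a high port;
            # a PORT naming a third host is the classic bounce abuse.
            if hp and hp[0] == client_ip and hp[1] >= 1024:
                self.expectations.add((server_ip, client_ip, hp[1]))
        elif direction == "s2c":
            hp = parse_pasv_reply(line)
            # Same rule for PASV: the server must name itself.
            if hp and hp[0] == server_ip and hp[1] >= 1024:
                self.expectations.add((client_ip, server_ip, hp[1]))

    def allow_data(self, src_ip, dst_ip, dst_port):
        """Admit a data SYN only if it matches a pending expectation (one-shot)."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.remove(key)
            return True
        return False


def stateless_allow(dst_port):
    """The ipchains-era policy discussed in the thread: anything >= 1024 passes."""
    return dst_port >= 1024


def run_scenario():
    """Constructed exchange: one passive transfer, one active transfer,
    one bounce attempt, and an unrelated inbound SYN to 6000/tcp."""
    client, server, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    fw = StatefulFtpFilter()
    v = {}

    # Passive: server names 19*256+136 = 5000; the client must connect there.
    fw.observe_control(client, server, "c2s", "PASV")
    fw.observe_control(client, server, "s2c",
                       "227 Entering Passive Mode (203,0,113,5,19,136)")
    v["pasv_expected"] = fw.allow_data(client, server, 5000)
    v["pasv_replay"] = fw.allow_data(client, server, 5000)  # already consumed
    v["pasv_wrong_port"] = fw.allow_data(client, server, 5001)

    # Active: client names its own 23*256+112 = 6000; the server connects in.
    fw.observe_control(client, server, "c2s", "PORT 192,168,1,10,23,112")
    v["port_expected"] = fw.allow_data(server, client, 6000)

    # Bounce attempt: a PORT naming a third host creates no expectation.
    fw.observe_control(client, server, "c2s", "PORT 10,0,0,99,0,80")
    v["bounce"] = fw.allow_data(server, "10.0.0.99", 80)

    # Unrelated inbound SYN to a high port: the difference between the two policies.
    v["stateful_stray"] = fw.allow_data(other, client, 6000)
    v["stateless_stray"] = stateless_allow(6000)
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print("%-16s %s" % (name, "ALLOW" if verdict else "DROP"))
```

The two `stray` verdicts are the whole argument in miniature: the stateless rule passes the unsolicited connection to 6000/tcp because it cannot tell it from a data channel, while the stateful filter drops it because nothing on the control channel asked for it.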