gabriel rosenkoetter on Thu, 4 Jan 2001 15:27:43 -0500
On Thu, Jan 04, 2001 at 08:15:06PM +0100, MaD dUCK wrote:
> in a NAT'd LAN, how can one enable the use of genuine ftp clients
> (ncftp, wsftp) as well as netscape/ie that pretend to speak ftp,
> without allowing all connections to ports 1024+ on the
> firewall/masquerading host?

You can't. Passive ftp and firewalls don't mix, and never have. Any intelligent ftp client (ncftp included, last I checked) will attempt to use passive, and fall back to active if it can't get through.

If your problem is ftp'ing from inside the firewall to the outside, get a clue and use a stateful firewall that will allow passive responses to your requests, or find some way to use a proxy. (Or, ftp from your firewall box on the un-firewalled external interface, then scp the files around locally.)

> 99% of all ftp traffic nowadays is passive, so the data transfer
> happens from port 21 of the server to port x {x | x >= 1024} of the
> client.

Um... where'd you come up with that figure?

> for because it still leaves 4000 ports open for an attack,

Um... it means that some ports are open for a malicious force to use should they install a trojan, but without having anything serving on those ports, allowing traffic through to them isn't doing you any harm. (Actually, doing so would save a bit of computation for your FW.)

> more important in this situation, it is very possible that some client
> program tries to establish a connection to a server with the backward
> connect (server -> client) being something like x -> 5021.

... or 6xxx (X).

> (i DENY packets rather than REJECT them).

Why? Short of a signature suggesting a DoS, it's common courtesy to reject. Oh, wait, you lack state. Ne'mind. Get a real (stateful) firewall, then. ;^>

> so while it is perfectly understandable to me how and why and what
> ports under 1024 i have to block and open to secure the machine, the
> ports above 1024 are a mystery. a lot of networks i have worked
> in/with/for had firewall policies that allowed anything above 1024,
> but as philip pointed out, this is asking for trojans.

No, no, no. This is painfully wrong-headed. You're only asking for trojans if there's a way to break security on ports where you actually run servers. If not, then having these ports open does you no harm. If so, then a cracker will find a way to trojan you with the ports you have open anyway. (Trust me, it's not hard to write a daemon that behaves like an sshd except with certain input, when it gives you a root shell instead, and substitute that for your currently-running sshd.) You're only hamstringing yourself by blocking these ports; you're not making life any more difficult for someone truly interested in being on the inside of your firewall.

> so i am wondering if, besides the installation of a stateful firewall,
> there is a way to secure the machine without affecting the liberty of
> the users in the LAN.

Every workable (note I don't say *good*) ipchains setup I've ever seen just allowed ports over 1024. If you want to keep rpc or X traffic inside, you're going to have to randomly decide to block a swath of those, or trust that blocking the ports the server daemons actually run on will be enough. Or install yourself lots of proxies (no kind of fun).

> and do you guys know of free, open-source stateful firewalls for
> linux?

I'm pretty sure BSD ipf/ipnat will build on Linux (it does on Solaris). Not that I've tried.

~ g r @ eclipsed.net
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
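The passive-mode problem the thread argues about, as an added example (not from the original post or its author): a stateless ipchains-style rule has to admit every destination port >= 1024, while a small stateful FTP helper that reads the server's 227 reply admits only the one data connection that reply announced. The server address, the PASV reply text and the probe port are constructed sample values.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """(ip, port) the client will connect to, or None if not a 227 reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def stateless_allows(dst_port):
    """ipchains-style policy from the thread: every port >= 1024 passes,
    whether or not any FTP session asked for it."""
    return dst_port >= 1024

class FtpTracker:
    """Stand-in for a stateful firewall's FTP helper: watches the control
    channel and admits only the data connection a 227 reply announced."""
    def __init__(self):
        self.expected = set()  # (ip, port) pairs a client may open

    def observe_control(self, server_ip, reply):
        hit = parse_pasv(reply)
        # Honour the reply only if it points at the same server (no forged 227 holes).
        if hit and hit[0] == server_ip:
            self.expected.add(hit)

    def allows(self, dst_ip, dst_port):
        key = (dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # one data connection per PASV
            return True
        return False

def compare(server_ip, reply, probe_port):
    """Decisions for the announced data port and for an unrelated high port."""
    tracker = FtpTracker()
    tracker.observe_control(server_ip, reply)
    ip, port = parse_pasv(reply)
    return {"data_port": port,
            "stateless_data": stateless_allows(port),
            "stateless_probe": stateless_allows(probe_port),
            "stateful_data": tracker.allows(ip, port),
            "stateful_probe": tracker.allows(ip, probe_port)}

# Constructed sample: server 198.51.100.7 announces data port 19 * 256 + 137.
SAMPLE = compare("198.51.100.7", "227 Entering Passive Mode (198,51,100,7,19,137)", 6000)
```

The stateless policy passes both the announced port 5001 and the unrelated probe on 6000 (the X range the post mentions); the tracker passes only 5001, and only once.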