'MaD dUCK' on Thu, 4 Jan 2001 18:47:38 -0500
----- Forwarded message from Philipp Snizek <mailinglists@belfin.ch> -----

Hi Martin,

Nice that you're back again. Happy New Year to all list members.

> philip snizek suggested closing ports 5000 and up, leaving only some
> 4000 ports for this usage, but that solution is not what i am looking
> for because it still leaves 4000 ports open for an attack, and what is
> more important in this situation, it is very possible that some client
> program tries to establish a connection to a server with the backward
> connect (server -> client) being something like x -> 5021. in that
> case then, the connect will mysteriously fail (i DENY packets rather
> than to REJECT them).

# POLICIES
ipchains -P forward DENY

# PROXY RULE WWW, FTP, SSL
ipchains -A input -p tcp -s 10.0.0.0/24 1024:5000 -d 10.0.0.191/32 8008 -i eth1 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 443 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 80 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s 212.232.168.180/32 1024: -d 212.232.168.183/32 113 -i eth0 -j ACCEPT
# Don't worry guys, there is no auth server running on 212.232.168.183, it's
# there because of sendmail. I still didn't find a suitable solution to make
# it faster although I'm sure there is one.
ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A output -p tcp -s 10.0.0.191/32 8008 -d 10.0.0.0/24 1024:5000 -i eth1 -j ACCEPT

# DENIALs
ipchains -A input -i eth1 -j DENY -l
ipchains -A output -i eth1 -j DENY -l
ipchains -A input -i eth0 -j DENY -l

You may all call me nuts for posting some of the chains from my inner sanctum to the list, but here again is how I solved ftp-pasv access. Please don't forget that I run squid in pasv mode, so I can completely deny the forward rule for www, ssl and pasv-ftp.

Important for your questions are these chains here, which are found in the "# PROXY RULE WWW, FTP, SSL" section. These chains define input from the internet to my proxy.

ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT

This rule here allows standard ftp, as defined in some RFC I don't remember anymore, to access my proxy on ports 1024:5000. I would reduce it even more if I knew how deep I could set it without endangering my ftp life.

ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT

This rule here defines all stuff that deals with ftp from 1024:. I have only one machine making requests, and this is the proxy itself. All other boxes (the internal network is 3 PCs in total) access through port 8008, as you might see above, for www, ftp and ssl. I can't tell you how this would behave if I had 100 PCs in the internal net, or whether Squid would use 1024: ports to satisfy all requests at once. Maybe it's better we ask somebody who is more experienced than me.

CUL
Philipp

----- End forwarded message -----

[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
-- 
"it's not easy, being green."
 -- kermit the frog
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
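Added example, not part of the forwarded post and not Philipp's ruleset: a small Python evaluator that replays the input rules quoted above with ipchains' first-match semantics, so the reader can see why a PASV data connection into 1024:5000 is accepted while the same connection aimed at port 5021 is silently dropped, the failure Martin describes. The remote server address 198.51.100.7 and all test packets are constructed; the rule text is copied from the post, and `-p tcp` and `-l` are ignored since every packet here is TCP.

```python
# Added example, not from the post: first-match evaluation of the ipchains
# input rules quoted above. Rule text is copied from the post; the packets are
# constructed (198.51.100.7 stands in for a remote FTP server); -p/-l ignored.
import ipaddress

RULES = """
ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -i eth0 -j DENY -l
""".strip().splitlines()
ANY = (0, 65535)
def parse_ports(spec):
    """'21' -> (21, 21); '20:21' -> (20, 21); '1024:' -> (1024, 65535)."""
    lo, sep, hi = spec.partition(":")
    lo = int(lo) if lo else 0
    return (lo, int(hi) if hi else (65535 if sep else lo))
def parse_rule(line):
    """src/dst become (network or None, negated?, (low port, high port))."""
    r = {"target": None, "iface": None, "src": (None, False, ANY), "dst": (None, False, ANY)}
    toks, i = line.split(), 0
    while i < len(toks):
        t = toks[i]; i += 1
        if t in ("-j", "-i"):
            r["target" if t == "-j" else "iface"] = toks[i]; i += 1
        elif t in ("-s", "-d"):
            neg = toks[i] == "!"
            if neg: i += 1
            net = ipaddress.ip_network(toks[i]); i += 1
            ports = ANY
            if i < len(toks) and toks[i][0].isdigit():  # optional port spec
                ports = parse_ports(toks[i]); i += 1
            r["src" if t == "-s" else "dst"] = (net, neg, ports)
    return r
def side_matches(side, ip, port):
    net, neg, (lo, hi) = side
    in_net = net is None or ipaddress.ip_address(ip) in net
    return in_net != neg and lo <= port <= hi
def verdict(rules, pkt, policy="DENY"):
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for r in rules:
        if (r["iface"] in (None, pkt["iface"]) and side_matches(r["src"], pkt["src"], pkt["sport"])
                and side_matches(r["dst"], pkt["dst"], pkt["dport"])):
            return r["target"]
    return policy
CHAIN = [parse_rule(line) for line in RULES]
def inbound(src, sport, dport, iface="eth0"):  # constructed packet to the proxy host
    return dict(iface=iface, src=src, sport=sport, dst="212.232.168.183", dport=dport)
# PASV data into 1024:5000 -> ACCEPT; the same server to port 5021 -> DENY (the
# silent failure raised above); a 10.0.0.x source on eth0 never matches '! 10.0.0.0/24'.
# The '1024:' rule has no '! -y', so a new connection from any high port is admitted too.
```

The last comment is the caveat a reviewer of this ruleset would raise: without a SYN qualifier the `1024:` rule admits fresh inbound connections into the 1024:5000 range, which is the exposure Philipp says he would like to narrow.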