'MaD dUCK' on Thu, 4 Jan 2001 18:47:38 -0500



[PLUG] Fwd: AW: [suse-security] ftp/firewall security


----- Forwarded message from Philipp Snizek <mailinglists@belfin.ch> -----

Hi Martin,

Nice, that you're back again. Happy New Year to all list members.

> Philipp Snizek suggested closing ports 5000 and up, leaving only some
> 4000 ports for this usage, but that solution is not what I am looking
> for because it still leaves 4000 ports open for an attack, and, what is
> more important in this situation, it is very possible that some client
> program tries to establish a connection to a server with the backward
> connect (server -> client) being something like x -> 5021. In that
> case the connect will mysteriously fail (I DENY packets rather
> than REJECT them).

# POLICIES
ipchains -P forward DENY

# PROXY RULE WWW, FTP, SSL
ipchains -A input -p tcp -s 10.0.0.0/24 1024:5000 -d 10.0.0.191/32 8008 -i eth1 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 443 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 80 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
# Don't worry guys, there is no auth server running on 212.232.168.183;
# it's there because of sendmail. I still haven't found a suitable
# solution to make it faster, although I'm sure there is one.
ipchains -A input -p tcp -s 212.232.168.180/32 1024: -d 212.232.168.183/32 113 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A output -p tcp -s 10.0.0.191/32 8008 -d 10.0.0.0/24 1024:5000 -i eth1 -j ACCEPT

# DENIALs
ipchains -A input -i eth1 -j DENY -l
ipchains -A output -i eth1 -j DENY -l
ipchains -A input -i eth0 -j DENY -l

You all may call me nuts for posting some of the chains from my inner sanctum
to the list, but here again is how I solved ftp-pasv access. Please don't
forget that I run squid in pasv mode, so I can completely deny the forward
rule for www, ssl and pasv-ftp.

Important for your questions are these chains here, which are found in the
#PROXY RULE WWW,FTP,SSL section. These chains define input from the internet
to my proxy.

ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
This rule allows standard ftp, as defined in some RFC I don't remember
anymore, to access my proxy on ports 1024:5000. I would reduce it even more
if I knew how far I could lower it without endangering my ftp life.

ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
This rule defines everything else that deals with ftp from 1024:. I have only
one machine making requests, and that is the proxy itself. All other boxes
(the internal network is 3 PCs in total) go through port 8008 for www, ftp
and ssl, as you might see above. I can't tell you how this would behave if I
had 100 PCs in the internal net, or whether Squid would use 1024: ports to
satisfy all requests at once. Maybe it's better if we ask somebody more
experienced than me.

CUL
Philipp

----- End forwarded message -----

[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
-- 
"it's not easy, being green."
                                                    -- kermit the frog
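Added example, not from Philipp's or Martin's mail: the failure mode Martin describes (a backward connect to x -> 5021 that is silently dropped by a DENY rule) can be checked before the transfer hangs by decoding the h1,h2,h3,h4,p1,p2 tuple that FTP uses in PORT commands and PASV replies and comparing the port against the 1024:5000 range Philipp's rules accept. The function names and the two sample PORT/PASV lines below are constructed for this example; the address 212.232.168.183 and the 10.0.0.0/24 net are the ones from the rules above.

```shell
#!/bin/sh
# Added example: decode the FTP "h1,h2,h3,h4,p1,p2" tuple (RFC 959) and
# report whether the destination-port range used in the ipchains rules
# above (1024:5000) would admit a server->client data connection to it.

ALLOW_LOW=1024      # lower bound of the "1024:5000" range in the rules
ALLOW_HIGH=5000     # upper bound

# ftp_tuple LINE: print only the six comma-separated numbers from a
# PORT command or a "227 Entering Passive Mode (...)" reply.
ftp_tuple() {
    printf '%s\n' "$1" | tr -c '0-9,\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++)
                   if (split($i, a, ",") == 6) { print $i; exit } }'
}

# ftp_tuple_host LINE: first four numbers joined with dots (a.b.c.d)
ftp_tuple_host() {
    ftp_tuple "$1" | cut -d, -f1-4 | tr , .
}

# ftp_tuple_port LINE: p1*256 + p2, the TCP port encoded in the tuple
ftp_tuple_port() {
    t=$(ftp_tuple "$1")
    p1=${t%,*}; p1=${p1##*,}      # fifth number
    p2=${t##*,}                   # sixth number
    echo $((p1 * 256 + p2))
}

# port_allowed PORT: exit 0 when PORT lies inside ALLOW_LOW..ALLOW_HIGH
port_allowed() {
    [ "$1" -ge "$ALLOW_LOW" ] && [ "$1" -le "$ALLOW_HIGH" ]
}

# port_verdict LINE: print ACCEPT or DENY for the port a client advertised
# in an active-mode PORT command, i.e. the port the remote server will
# connect back to from port 20 (the "backward connect" in Martin's mail).
port_verdict() {
    if port_allowed "$(ftp_tuple_port "$1")"; then
        echo ACCEPT
    else
        echo DENY
    fi
}

# ftp_check LINE: human-readable version of port_verdict. The default
# target is DENY (drop), so a port outside the range gets no reset back;
# the client just hangs until its own timeout fires.
ftp_check() {
    host=$(ftp_tuple_host "$1")
    port=$(ftp_tuple_port "$1")
    case $(port_verdict "$1") in
        ACCEPT) echo "$host:$port ACCEPT (inside $ALLOW_LOW:$ALLOW_HIGH)" ;;
        DENY)   echo "$host:$port DENY (silent drop, transfer will hang)" ;;
    esac
    return 0
}

# Constructed sample lines: an active-mode PORT command from an internal
# client advertising port 19*256+157 = 5021, and a passive-mode reply from
# the proxy advertising 15*256+160 = 4000.
ftp_check "PORT 10,0,0,5,19,157"                                # 10.0.0.5:5021 DENY
ftp_check "227 Entering Passive Mode (212,232,168,183,15,160)."  # 212.232.168.183:4000 ACCEPT
```

For passive mode the advertised port belongs to the remote server, so the port the second rule (`1024: -> 1024:5000`) actually sees on the proxy is the proxy's own ephemeral source port; on Linux that range comes from /proc/sys/net/ipv4/ip_local_port_range, and it has to stay inside 1024:5000 for the rule to catch every reply.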


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug