From: "Chris Knight" <chris@aims.com.au>
To: freebsd-ipfw@freebsd.org
Subject: Stateful Rules and FTP
Date: Fri, 16 Nov 2001 19:25:13 +1100
Message-ID: <00bb01c16e78$37d102a0$020aa8c0@aims.private>

Howdy,

I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
ed0 is the external interface.
ed1 is the DMZ interface.
ed2 is the internal interface.

I want a select group of machines in the DMZ to be able to FTP, and only
FTP, to a machine on the internal network to retrieve an installation image
and packages. I've found the only way I can get passive FTP going is with
the following rule:

add pass tcp from to keep-state in recv ed1 setup

But this then allows access to other services on the internal machine :-(
Adding port 21 to the destination only allows FTP control connections and
not FTP data connections. It's starting to drive me batty. Ideally, I'd like
to be able to specify in the ruleset that the data has to traverse both ed1
and ed2.
Lack of sleep doesn't help either.

Can anyone help me out?

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
Web: http://www.aims.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Konstantin <skif_dk@mail.ru>
To: Chris Knight
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Stateful Rules and FTP
Date: Fri, 16 Nov 2001 20:24:07 +0300
Message-ID: <7526380550.20011116202407@mail.ru>
In-Reply-To: <00bb01c16e78$37d102a0$020aa8c0@aims.private>

Friday, November 16, 2001, 11:25:13 AM, you wrote:

CK> I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
CK> ed0 is the external interface.
CK> ed1 is the DMZ interface.
CK> ed2 is the internal interface.

CK> I want a select group of machines in the DMZ to be able to FTP, and only
CK> FTP, to a machine on the internal network to retrieve an installation image
CK> and packages. I've found the only way I can get passive FTP going is with
CK> the following rule:

CK> add pass tcp from to keep-state in recv ed1 setup

Change this string for FTP

add pass tcp from to 21 keep-state in recv ed1 setup
add pass tcp from 20 to keep-state in recv ed1 setup

CK> But this then allows access to other services on the internal machine :-(
CK> Adding port 21 to the destination only allows FTP control connections and
CK> not FTP data connections. It's starting to drive me batty. Ideally, I'd like
CK> to be able to specify in the ruleset that the data has to traverse both ed1
CK> and ed2.
CK> Lack of sleep doesn't help either.

CK> Can anyone help me out?

Best regards,
Konstantin                            mailto:skif_dk@mail.ru


From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: Konstantin
Cc: Chris Knight, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful Rules and FTP
Date: Fri, 16 Nov 2001 14:47:02 -0800
Message-ID: <20011116144702.E50971@blossom.cjclark.org>
In-Reply-To: <7526380550.20011116202407@mail.ru>

On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> Friday, November 16, 2001, 11:25:13 AM, you wrote:
>
> CK> I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
> CK> ed0 is the external interface.
> CK> ed1 is the DMZ interface.
> CK> ed2 is the internal interface.
>
> CK> I want a select group of machines in the DMZ to be able to FTP, and only
> CK> FTP, to a machine on the internal network to retrieve an installation image
> CK> and packages. I've found the only way I can get passive FTP going is with
> CK> the following rule:
>
> CK> add pass tcp from to keep-state in recv ed1 setup
>
> Change this string for FTP
> add pass tcp from to 21 keep-state in recv ed1 setup
> add pass tcp from 20 to keep-state in recv ed1 setup

I think you forgot to add that you need to switch to "active" FTP for
these rules to work. But realize these rules open you up to other
security issues. An FTP proxy would really be the way to go.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org


From: "Chris Knight" <chris@aims.com.au>
To: cjclark@alum.mit.edu, "'Konstantin'"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: Stateful Rules and FTP
Date: Sat, 17 Nov 2001 12:02:59 +1100
Message-ID: <00fa01c16f03$9a8bc200$020aa8c0@aims.private>
In-Reply-To: <20011116144702.E50971@blossom.cjclark.org>

Howdy,

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 17 November 2001 9:47
> To: Konstantin
> Cc: Chris Knight; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Stateful Rules and FTP
>
> On Fri, Nov 16, 2001 at 08:24:07PM +0300, Konstantin wrote:
> > [snip]
> > Change this string for FTP
> > add pass tcp from to 21
> > keep-state in recv ed1 setup
> > add pass tcp from 20 to
> > keep-state in recv ed1 setup
>

This is essentially what I did, but ensuring that the inbound ftp control
connection came in over the DMZ i/f and out the internal i/f. The ftp data
connection was checked coming in from the internal i/f and out the DMZ i/f.
i.e.:

add pass tcp from to 21 keep-state out recv ed1 xmit ed2 setup
add pass tcp from 20 to keep-state out recv ed2 xmit ed1 setup

> I think you forgot to add that you need to switch to "active" FTP for
> these rules to work. But realize these rules open you up to other
> security issues. An FTP proxy would really be the way to go.

I realised that it was active FTP. I can see with the above rules that a
bounce attack could occur against any of the DMZ machines, but I can't think
of other security issues, unless I stuff up the config of the internal FTP
server.
I'll look at the FTP install via HTTP proxy method; this should tidy things
up a bit.

Thanks for everyone's help.

> --
> [snip]

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
Web: http://www.aims.com.au


From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: Chris Knight
Cc: "'Konstantin'", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful Rules and FTP
Date: Fri, 16 Nov 2001 17:10:15 -0800
Message-ID: <20011116171015.G50971@blossom.cjclark.org>
In-Reply-To: <00fa01c16f03$9a8bc200$020aa8c0@aims.private>

On Sat, Nov 17, 2001 at 12:02:59PM +1100, Chris Knight wrote:
[snip]
> add pass tcp from to 21 keep-state out recv ed1
> xmit ed2 setup
> add pass tcp from 20 to keep-state out recv ed2
> xmit ed1 setup
>
> > I think you forgot to add that you need to switch to "active" FTP for
> > these rules to work. But realize these rules open you up to other
> > security issues. An FTP proxy would really be the way to go.
>
> I realised that it was active FTP. I can see with the above rules that a
> bounce attack could occur against any of the DMZ machines, but I can't think
> of other security issues, unless I stuff up the config of the internal FTP
> server.

You can also bounce attack anything inside the firewall.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org


From: Randy Primeaux <randy@Verbose.ORG>
To: chris@aims.com.au
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful Rules and FTP
Date: Fri, 16 Nov 2001 17:23:17 -0800
Message-Id: <200111170123.fAH1NHj98771@mute.Verbose.ORG>
In-Reply-To: Message from "Chris Knight" of "Fri, 16 Nov 2001 19:25:13 +1100." <00bb01c16e78$37d102a0$020aa8c0@aims.private>

Chris,

Just out of curiosity, why not push the data from internal network
_out_ to the dmz via scp or ftp?

"Chris Knight" writes:
> I want a select group of machines in the DMZ to be able to FTP, and only
> FTP, to a machine on the internal network to retrieve an installation image
> and packages.
[=snip=]

-- 
Randy Primeaux
randy@Verbose.ORG
Verbose Networking


From: "Chris Knight" <chris@aims.com.au>
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: Stateful Rules and FTP
Date: Sat, 17 Nov 2001 12:23:40 +1100
Message-ID: <00fb01c16f06$7e1c10e0$020aa8c0@aims.private>
In-Reply-To: <20011116171015.G50971@blossom.cjclark.org>

Howdy,

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 17 November 2001 12:10
> To: Chris Knight
> Cc: 'Konstantin'; freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Stateful Rules and FTP
>
>
> On Sat, Nov 17, 2001 at 12:02:59PM +1100, Chris Knight wrote:
> > I realised that it was active FTP. I can see with the above
> > rules that a bounce attack could occur against any of the DMZ
> > machines, but I can't think of other security issues, unless
> > I stuff up the config of the internal FTP server.
>
> You can also bounce attack anything inside the firewall.
> --
> Crist J. Clark                     | cjclark@alum.mit.edu
>                                    | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org
>

I'd thought of that, and have a set of rules on the FTP server to only allow
ftp data connections out to the DMZ subnet. The FTP server has no need to
service any other FTP clients other than the DMZ subnet.
Am I missing anything else, or does that just about cover it?

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
Web: http://www.aims.com.au


From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: Randy Primeaux
Cc: chris@aims.com.au, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful Rules and FTP
Date: Fri, 16 Nov 2001 22:47:23 -0800
Message-ID: <20011116224723.J50971@blossom.cjclark.org>
In-Reply-To: <200111170123.fAH1NHj98771@mute.Verbose.ORG>

On Fri, Nov 16, 2001 at 05:23:17PM -0800, Randy Primeaux wrote:
> Chris,
> Just out of curiosity, why not push the data from internal network
> _out_ to the dmz via scp or ftp?

Or rcp or http or...
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
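The rule change the thread converges on, as an added example that is not from any of the posters: a small Python matcher for the rule shape used above. It shows that the original single rule also passes SSH and passive-mode data connections to the internal host, while the narrowed pair passes only the FTP control connection and the server's active-mode data connection from port 20 (and therefore not passive FTP, which is why active mode is required). Addresses, ports and the sample connections are assumed.

```python
# Toy matcher for the ipfw rule shape in this thread (constructed illustration,
# not ipfw): pass tcp from SRC [PORT] to DST [PORT] keep-state in|out recv IF [xmit IF] setup.
# It evaluates the TCP setups that matter for DMZ -> internal FTP. Addresses and
# ports are assumed; the interface names ed1/ed2 are the thread's.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Setup:
    """A TCP SYN as the firewall sees it, with the receive and transmit interfaces."""
    src: str
    sport: int
    dst: str
    dport: int
    recv: str
    xmit: str


@dataclass(frozen=True)
class Rule:
    """One 'pass tcp ... keep-state ... setup' rule; None means 'any' for that field."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    recv: str
    xmit: Optional[str]

    def matches(self, s: Setup) -> bool:
        return (ipaddress.ip_address(s.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(s.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, s.sport) and self.dport in (None, s.dport)
                and self.recv == s.recv and self.xmit in (None, s.xmit))


def allowed(rules: List[Rule], setup: Setup) -> bool:
    """Default deny: the setup passes only if some rule matches it."""
    return any(r.matches(setup) for r in rules)


DMZ, FTP_SERVER = "10.0.1.0/24", "192.168.10.20"   # assumed addresses
# The original single rule: every port on the internal host is reachable from the DMZ.
BROAD = [Rule(DMZ, None, FTP_SERVER, None, "ed1", None)]
# The narrowed pair: control DMZ -> server:21 (in ed1, out ed2); active data server:20 -> DMZ (in ed2, out ed1).
NARROW = [Rule(DMZ, None, FTP_SERVER, 21, "ed1", "ed2"),
          Rule(FTP_SERVER, 20, DMZ, None, "ed2", "ed1")]
SETUPS = {  # constructed sample connections (client ports are arbitrary)
    "control": Setup("10.0.1.7", 40001, FTP_SERVER, 21, "ed1", "ed2"),
    "active_data": Setup(FTP_SERVER, 20, "10.0.1.7", 40002, "ed2", "ed1"),
    "passive_data": Setup("10.0.1.7", 40003, FTP_SERVER, 50123, "ed1", "ed2"),
    "ssh": Setup("10.0.1.7", 40004, FTP_SERVER, 22, "ed1", "ed2"),
}


def evaluate(rules: List[Rule]) -> Dict[str, bool]:
    """Map each sample setup to whether the ruleset lets it through."""
    return {name: allowed(rules, s) for name, s in SETUPS.items()}
```

Only the setup packet is modelled here; in ipfw, keep-state then installs a dynamic rule that carries the rest of that connection in both directions, which is what makes the narrowed pair sufficient once the client uses active mode.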