Date: Fri, 31 Mar 2000 15:04:06 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <Pine.GSO.4.10.10003311446370.19526-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <Pine.BSF.4.21.0003291642540.78004-100000@web2.sea.nwserv.com>
On Wed, 29 Mar 2000, Allan Saddi wrote:

> On Wed, 29 Mar 2000, Alan Batie wrote:
>
> > ...To do active mode ftp properly, ipfw would need to parse the
> > contents of the packets on the ftp control channel and dynamically allow
> > the corresponding incoming connection. There's no indication that this
> > parsing capability is present.
>
> Interestingly enough, sometime back, Eivind Eklund added a feature to
> allow libalias(3) to "punch holes" in an ipfw-based firewall. The code is
> apparently still there. Unfortunately, it seems like neither natd nor ppp
> take advantage of this feature. (Currently, there's no way to turn it on.)
>
> It would be a seemingly trivial modification... but maybe there's some
> reason why it was never incorporated into natd/ppp?

The modification could possibly be "trivial", but would involve quite a lot of implementation. There are many protocols which would have to be parsed at the application layer - ftp, talk/ntalk to name a few. Others might include the real audio protocols - but I do not know these well enough.

A long time ago, I wrote a userland program that could "punch holes" for incoming data connections created by outgoing talk requests. But to have a firewall allowing correct operation of all outgoing "requests", you would have to explore all the protocols you wish to support, implement a filter which would scan either UDP packets or the TCP stream, and interact with the firewall setup.

And also - you would have to develop some rules for selecting the proper filter. It is clear that a connection to port 21 is an ftp control connection - but services might be running on arbitrary ports, and you might wish to support access to them too.

And furthermore, you should take some security considerations about the effects of establishing such a firewall. By submitting a link to an ftp site (possibly in a forged html page), an attacker might open a hole in the firewall for himself.

Yes, with a very limited range of possibilities, but this might be considered as a security risk by some admins. But still it might be better than allowing any TCP connection coming from port 20.

Vladimir Mencl
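As an added illustration of the control-channel "hole punching" discussed in this thread (an editor's example, not the poster's talk program and not FreeBSD's libalias code): a minimal parser for the active-mode FTP PORT command, plus the checks that keep the resulting hole as narrow as the message suggests it should be. Function names, the sample addresses and the rendered ipfw rule syntax are assumptions.

```python
import re

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel; the server then connects from its port 20 to h1.h2.h3.h4:(p1*256+p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port_command(line):
    """Return (ip, port) advertised by a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]

def pinhole_for_port_command(line, client_ip, server_ip, ttl=30):
    """Decide what a control-channel filter may ask the firewall to allow for
    one PORT command. Returns (rule, reason); rule is None on refusal.
    client_ip/server_ip are the endpoints of the control connection. The hole
    is tied to one server address, source port 20, one client port and a short
    lifetime (ttl seconds), so a PORT command an attacker provokes (e.g. via a
    link to his own ftp server) opens at most one data connection to the client."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None, "not a well-formed PORT command"
    ip, port = parsed
    if ip != client_ip:
        # Never open a hole toward a third host on the client's behalf.
        return None, "advertised address is not the control-connection client"
    if port < 1024:
        # A data connection should never land on a privileged service port.
        return None, "advertised port is privileged"
    rule = {"proto": "tcp", "src": server_ip, "sport": 20,
            "dst": ip, "dport": port, "ttl": ttl}
    return rule, "ok"

def as_ipfw_rule(rule, rule_number):
    """Render the hole as an ipfw(8) 'allow ... in setup' rule (the exact
    ipfw syntax and the rule number are assumptions for illustration)."""
    return ("ipfw add %d allow tcp from %s %d to %s %d in setup"
            % (rule_number, rule["src"], rule["sport"], rule["dst"], rule["dport"]))

if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 behind the firewall, server 198.51.100.7.
    for cmd in ("PORT 10,0,0,5,192,1", "PORT 203,0,113,9,192,1", "PORT 10,0,0,5,0,23"):
        rule, why = pinhole_for_port_command(cmd, "10.0.0.5", "198.51.100.7")
        print(cmd, "->", why, "" if rule is None else as_ipfw_rule(rule, 1000))
```

The filter would install the rule when the PORT command passes and remove it after the first matching SYN or when ttl expires, which is what limits the attacker's gain to the single data port the client itself advertised.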