From owner-freebsd-ipfw Thu Jun 22 6:52:50 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E73FD37C2DC for ; Thu, 22 Jun 2000 06:52:45 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA19824; Thu, 22 Jun 2000 06:51:58 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda19822; Thu Jun 22 06:51:43 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA32957; Thu, 22 Jun 2000 06:51:43 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdB32955; Thu Jun 22 06:51:14 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.10.2/8.9.1) id e5MDpDN05578; Thu, 22 Jun 2000 06:51:13 -0700 (PDT)
Message-Id: <200006221351.e5MDpDN05578@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdnA5574; Thu Jun 22 06:50:46 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
X-Sender: cy
To: cjclark@alum.mit.edu
Cc: Jennifer Ulrich , freebsd-ipfw@FreeBSD.ORG
Subject: Re: allowing passive ftp through ipfw
In-reply-to: Your message of "Wed, 21 Jun 2000 14:52:55 PDT." <20000621145255.I214@dialin-client.earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 22 Jun 2000 06:50:46 -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <20000621145255.I214@dialin-client.earthlink.net>, "Crist J. Clark" writes:
> On Wed, Jun 21, 2000 at 04:50:09PM -0400, Jennifer Ulrich wrote:
> > Hello all!
> >
> > I have a FreeBSD 3.4 box which runs ipfw, that is firewalling for a publicly
> > reachable lan of servers, including FTP servers. When I set up the machine,
> > I made the FTP servers reachable by adding a rule for:
> >
> > ipfw add 1400 pass all from x.x.x.x/x to any
> > ipfw add 2300 pass tcp from any to x.x.x.x 21
> > (x.x.x.x 21 being the address of the ftp server and a default rule allowing
> > anything from my internal lan out through the firewall)
> >
> > I initially had some problems with clients on the lan not being able to
> > establish FTP connections outbound, so I added this rule :
> >
> > ipfw 2300 pass tcp from any to x.x.x.x/x established
>
> [snip]
>
> > So how do I get passive FTP to work? I certainly would rather not punch a
> > hole in the firewall to allow all traffic destined to the higher ports
> > through to my FTP server.
>
> Having a rule like,
>
> ipfw add 2350 pass tcp from any 20 to x.x.x.x port_high1-port_high2
>
> Is not really too much of a risk (I don't remember what the range of
> valid ports is). Make sure you don't have anything you are not
> comfortable with listening in that range. The rule to allow the
> initial ftp connection is much, much more risky than the above.

I vehemently disagree. It is a high risk because an attacker can connect to
services running on ports >= 1024, e.g. Oracle. Even if you're not running
any services >= 1024, it is trivial to scan your network to get a picture of
what it looks like to plan a strategy of attack. IMO too much risk.

> > Is there another way to accomplish this that is
> > a bit more secure?
>
> Actually, this would be a good place for keep-state to work. I'm kinda
> surprised that no one has added a keep-state method for FTP. It'd just
> be,
>
> ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp
>
> Right? Creating a dynamic rule that passes traffic from 20 to
> x.x.x.x. From how I understand keep-state to work (and it is minimal,
> sorry), it should not be too difficult to do?

Agreed, under IPFW this cannot be done. Ideally this functionality should be
in natd. It is possible to use IPFW with ipnat for FTP proxy of IP Filter.
Of course that incurs the overhead of two firewalls in your kernel. Not an
ideal solution but workable.

I think that the FTP protocol needs to be retired. It is old and not
firewall friendly. HTTP can do everything that anonymous FTP can do. To
replace regular FTP, use SSH. IMO the only place where the use of FTP is
acceptable is within the confines of one's own network.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
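The thread above turns on why a stateless ipfw rule set has to open a whole high-port range for FTP: the data port is only known once it is announced on the control channel. In passive mode the server announces it in the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and the client opens the data connection to that port; in active mode the client announces it with a `PORT h1,h2,h3,h4,p1,p2` command and the server connects to it from port 20. An FTP-aware helper (the role IP Filter's ipnat ftp proxy plays, which the reply says ipfw itself cannot do) parses those lines and admits exactly one data connection instead of a range. The following Python is an added illustration of that parsing and the sanity checks such a helper should make; it is not code from the original post, from ipfw or from IP Filter. The port bounds, the sample addresses and the `ipfw add ... setup` rule strings it emits are assumptions chosen for the example.

```python
import ipaddress
import re

# Assumed ephemeral range the FTP server uses for PASV data ports (example
# value; set it to whatever the server is actually configured with).
PASV_PORT_MIN = 49152
PASV_PORT_MAX = 65535

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _decode_hostport(fields):
    """Turn the six comma-separated FTP fields into (IPv4Address, port)."""
    octets = [int(x) for x in fields[:4]]
    p1, p2 = int(fields[4]), int(fields[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("host/port field out of range")
    return ipaddress.IPv4Address(".".join(map(str, octets))), p1 * 256 + p2


def parse_pasv_reply(line, server_ip, port_min=PASV_PORT_MIN, port_max=PASV_PORT_MAX):
    """Parse a server 227 reply and validate what it announces.

    The announced address must be the server we are already talking to on
    port 21; otherwise a compromised or spoofed server could make the
    helper open a hole towards some other host.  The port must lie in the
    server's configured passive range, never on a privileged port.
    """
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    ip, port = _decode_hostport(m.groups())
    if ip != ipaddress.IPv4Address(server_ip):
        raise ValueError("announced address differs from control-connection peer")
    if not port_min <= port <= port_max:
        raise ValueError("announced port outside passive range")
    return ip, port


def parse_port_command(line, client_ip):
    """Parse a client PORT command and validate it.

    The address must be the client's own (rejecting the classic FTP bounce
    trick of pointing the server at a third host) and the port must be
    unprivileged.
    """
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    ip, port = _decode_hostport(m.groups())
    if ip != ipaddress.IPv4Address(client_ip):
        raise ValueError("PORT address differs from control-connection peer")
    if port <= 1023:
        raise ValueError("PORT targets a privileged port")
    return ip, port


def pasv_ipfw_rule(rule_no, client_ip, server_ip, reply_line):
    """Single dynamic rule for one passive data connection (client -> server)."""
    ip, port = parse_pasv_reply(reply_line, server_ip)
    return f"ipfw add {rule_no} pass tcp from {client_ip} to {ip} {port} setup"


def port_ipfw_rule(rule_no, server_ip, client_ip, command_line):
    """Single dynamic rule for one active data connection (server:20 -> client)."""
    ip, port = parse_port_command(command_line, client_ip)
    return f"ipfw add {rule_no} pass tcp from {server_ip} 20 to {ip} {port} setup"


def demo():
    """Constructed control-channel exchange; addresses are documentation ranges."""
    client, server = "192.0.2.10", "198.51.100.5"
    rules = [pasv_ipfw_rule(2350, client, server,
                            "227 Entering Passive Mode (198,51,100,5,195,80)"),
             port_ipfw_rule(2351, server, client, "PORT 192,0,2,10,4,1")]
    # A bounce attempt naming a third host is refused rather than turned into a rule.
    try:
        port_ipfw_rule(2352, server, client, "PORT 10,0,0,99,4,1")
    except ValueError as e:
        rules.append(f"# refused: {e}")
    return rules


if __name__ == "__main__":
    print("\n".join(demo()))
```

Each emitted rule admits one data connection to one announced port, which is what a stateful helper adds and removes as transfers come and go; compare the static `pass tcp from any 20 to x.x.x.x port_high1-port_high2` proposed in the thread, which leaves every port in that range reachable to everyone all the time.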