From owner-freebsd-ipfw  Thu Jun 22  6:52:50 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id E73FD37C2DC
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 22 Jun 2000 06:52:45 -0700 (PDT)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA19824;
	Thu, 22 Jun 2000 06:51:58 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda19822; Thu Jun 22 06:51:43 2000
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA32957;
	Thu, 22 Jun 2000 06:51:43 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdB32955; Thu Jun 22 06:51:14 2000
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.10.2/8.9.1) id e5MDpDN05578;
	Thu, 22 Jun 2000 06:51:13 -0700 (PDT)
Message-Id: <200006221351.e5MDpDN05578@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdnA5574; Thu Jun 22 06:50:46 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 4.0-STABLE
X-Sender: cy
To: cjclark@alum.mit.edu
Cc: Jennifer Ulrich <pixie_styxx@hotmail.com>,
	freebsd-ipfw@FreeBSD.ORG
Subject: Re: allowing passive ftp through ipfw 
In-reply-to: Your message of "Wed, 21 Jun 2000 14:52:55 PDT."
             <20000621145255.I214@dialin-client.earthlink.net> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 22 Jun 2000 06:50:46 -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <20000621145255.I214@dialin-client.earthlink.net>, "Crist J. 
Clark"
writes:
> On Wed, Jun 21, 2000 at 04:50:09PM -0400, Jennifer Ulrich wrote:
> > Hello all!
> > 
> > I have a FreeBSD 3.4 box which runs ipfw, that is firewalling for a publicl
> y 
> > reachable lan of servers, including FTP servers. When I set up the machine,
>  
> > I made the FTP servers reachable by adding a rule for:
> > 
> > ipfw add 1400 pass all from x.x.x.x/x to any
> > ipfw add 2300 pass tcp from any to x.x.x.x 21
> > (x.x.x.x 21 being the address of  the ftp server and a default rule allowin
> g 
> > anything from my internal lan out through the firewall)
> > 
> > I initially had some problems with clients on the lan not being able to 
> > establish FTP connections outbound, so I added this rule :
> > 
> > ipfw 2300 pass tcp from any to x.x.x.x/x established
> 
> [snip]
> 
> > So how do I get passive FTP to work? I certainly would rather not punch a 
> > hole in the firewall to allow all traffic destined to the higher ports 
> > through to my FTP server.
> 
> Having a rule like,
> 
>   ipfw add 2350 pass tcp from any 20 to x.x.x.x port_high1-port_high2
> 
> Is not really too much of a risk (I don't remember what the range of
> valid ports is). Make sure you don't have anything you are not
> comfortable with listening in that range. The rule to allow the
> initial ftp connection is much, much more risky than the above.

I vehemently disagree.  It is a high risk because an attacker can 
connect to services running on ports >= 1024, e.g. Oracle.  Even if 
you're not running any services >= 1024, it is trivial to scan your 
network to get a picture of what it looks like to plan a strategy of 
attack.  IMO too much risk.

> 
> > Is there another way to do accomplish this that is 
> > a bit more secure?
> 
> Actually, this would be a good place for keep-state to work. I'm kinda
> surprised that no one has added a keep-state method for FTP. It'd just
> be,
> 
>   ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp
> 
> Right? Creating a dynamic rule that passes traffic from 20 to
> x.x.x.x. From how I understand keep-state to work (and it is minimal,
> sorry), it should not be too difficult to do?

Agreed, under IPFW this cannot be done.  Ideally this functionality 
should be in natd.  It is possible to use IPFW with ipnat for FTP proxy 
of IP Filter.  Of course that incurs the overhead of two firewalls in 
your kernel.  Not an ideal solution but workable.

I think that the FTP protocol, needs to be retired.  It is old and not 
firewall friendly.  HTTP can do everything that anonymous FTP can do.  
To replace regular FTP, use SSH.  IMO the only place where the use of 
FTP is acceptable is within the confines of one's own network.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message