Date:      Fri, 23 Jun 2000 19:25:46 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc:        Jennifer Ulrich <pixie_styxx@hotmail.com>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: allowing passive ftp through ipfw
Message-ID:  <20000623192546.A481@dialin-client.earthlink.net>
In-Reply-To: <200006230633.e5N6Xci97623@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Jun 22, 2000 at 11:32:55PM -0700
References:  <20000622213946.F489@dialin-client.earthlink.net> <200006230633.e5N6Xci97623@cwsys.cwsent.com>

On Thu, Jun 22, 2000 at 11:32:55PM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> In message <20000622213946.F489@dialin-client.earthlink.net>, "Crist J. Clark" writes:
> > On Thu, Jun 22, 2000 at 06:50:46AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > > In message <20000621145255.I214@dialin-client.earthlink.net>, "Crist J.  Clark" writes:
> > > > 
> > > > Having a rule like,
> > > > 
> > > >   ipfw add 2350 pass tcp from any 20 to x.x.x.x port_high1-port_high2
> > > > 
> > > > Is not really too much of a risk (I don't remember what the range of
> > > > valid ports is). Make sure you don't have anything you are not
> > > > comfortable with listening in that range. The rule to allow the
> > > > initial ftp connection is much, much more risky than the above.
> > > 
> > > I vehemently disagree.  It is a high risk because an attacker can 
> > > connect to services running on ports >= 1024, e.g. Oracle.  Even if 
> > > you're not running any services >= 1024, it is trivial to scan your 
> > > network to get a picture of what it looks like to plan a strategy of 
> > > attack.  IMO too much risk.
> > 
> > How can an attacker scan the network when the high ports are only
> > open for this one host?
> 
> An attacker won't be able to scan the low ports but will be able to
> determine which IP addresses (hosts) are on the inside.  If an attacker
> scans ports >= 1024 he'll easily discover services running on those
> ports.
> 
> Think about it:
> 
> ipfw add allow tcp from any 20 to any 1024-65535 in
> 
> allows port 20 to initiate connects to any non-privileged port on
> your network like X and some Kerberos services.

I agree that _that_ is a dangerous rule, but we were discussing,

  ipfw add allow tcp from any 20 to x.x.x.x 1024-65535

To the one ftp server, 'x.x.x.x,' and NOT 'any.' You can only directly
scan that one host.

> > > > Actually, this would be a good place for keep-state to work. I'm kinda
> > > > surprised that no one has added a keep-state method for FTP. It'd just
> > > > be,
> > > > 
> > > >   ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp
> > > > 
> > > > Right? Creating a dynamic rule that passes traffic from 20 to
> > > > x.x.x.x. From how I understand keep-state to work (and it is minimal,
> > > > sorry), it should not be too difficult to do?
> > > 
> > > Agreed, under IPFW this cannot be done.
> > 
> > As ipfw(8) is currently implemented? Or is this something that cannot
> > (or should not) be done with ipfw?
> 
> IPFW does not support an FTP application proxy, period.  Take a look
> for yourself.

I know it does not proxy and would not ever want ipfw to actually
modify packets. I just wonder about a dynamic rule that opens the high
ports of a machine to source port 20 when a keep-state is triggered
for an incoming setup to port 21 of that machine. I know it does not do
this now:

             keep-state [method]
                     Upon a match, the firewall will create a dynamic rule,
                     whose default behaviour is to match bidirectional
                     traffic between source and destination IP/port using the
                     same protocol...
                     [snip]
                     The actual behaviour can be modified by specifying a
                     different method, although at the moment only the default
                     one is specified.

Notice "at the moment." I am asking whether there is a reason one could
not or should not code in another 'method' to do PORT ftp.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
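The two points argued above (that a static "from any 20 to x.x.x.x 1024-65535" rule lets anyone who forces a source port of 20 reach every high port on that host, and that a per-connection dynamic rule driven by the FTP control channel would be much narrower) can be made concrete with a small model of ipfw's first-match evaluation. The block below is an added example written for this archive page, not code from the thread, from ipfw, or from FreeBSD. The keep-state "ftp" method it implements is hypothetical (ipfw never had it at the time of the thread); the addresses, the PORT-command parser, and the scanner are constructed for illustration, and the protected host stands in for the thread's x.x.x.x as an inside FTP client using active mode.

```python
"""Toy model of ipfw rule matching: static source-port-20 rule versus a
hypothetical keep-state 'ftp' method that opens only the port announced in
an FTP PORT command.  Added example; all addresses/rules are constructed."""
import re
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges).
PROTECTED_HOST = "192.0.2.10"     # stands in for x.x.x.x in the thread
OTHER_INSIDE_HOST = "192.0.2.11"  # another machine behind the same firewall
FTP_PEER = "203.0.113.5"          # the remote FTP server we actually talk to
ATTACKER = "198.51.100.7"         # scanner forcing its source port to 20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str            # IP address or "any"
    sport: tuple        # inclusive (low, high) source-port range
    dst: str            # IP address or "any"
    dport: tuple        # inclusive (low, high) destination-port range

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and self.sport[0] <= p.sport <= self.sport[1]
                and (self.dst == "any" or self.dst == p.dst)
                and self.dport[0] <= p.dport <= self.dport[1])


# ipfw add allow tcp from any 20 to x.x.x.x 1024-65535   (rule under discussion)
STATIC_RULE = Rule("any", (20, 20), PROTECTED_HOST, (1024, 65535))
# ipfw add allow tcp from any 20 to any 1024-65535 in    (the rule Cy objects to)
WIDE_RULE = Rule("any", (20, 20), "any", (1024, 65535))

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line: str):
    """Return (ip, port) announced by an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Firewall:
    """Default-deny filter: dynamic rules are consulted before static ones."""

    def __init__(self, static_rules):
        self.static = list(static_rules)
        self.dynamic = []

    def ftp_port_seen(self, control_src: str, peer: str, line: str) -> bool:
        """Hypothetical keep-state 'ftp' method.  When the inside host sends a
        PORT command on its control connection to `peer`, open exactly one
        destination port to the peer's port 20.  Announcements naming a third
        host (FTP bounce) or a privileged port are refused so the helper
        cannot be abused to open holes elsewhere."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        if ip != control_src or port < 1024:
            return False
        self.dynamic.append(Rule(peer, (20, 20), ip, (port, port)))
        return True

    def allows(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.dynamic + self.static)


def scan_high_ports(fw: Firewall, target: str, ports):
    """Which of `ports` an attacker reaches when forcing source port 20
    (the equivalent of `nmap -g 20`)."""
    return [d for d in ports if fw.allows(Packet(ATTACKER, 20, target, d))]


if __name__ == "__main__":
    probe = [1521, 6000, 8080]
    print("static rule, x.x.x.x:", scan_high_ports(Firewall([STATIC_RULE]), PROTECTED_HOST, probe))
    print("static rule, other host:", scan_high_ports(Firewall([STATIC_RULE]), OTHER_INSIDE_HOST, probe))
    print("wide rule, other host:", scan_high_ports(Firewall([WIDE_RULE]), OTHER_INSIDE_HOST, probe))
    fw = Firewall([])
    fw.ftp_port_seen(PROTECTED_HOST, FTP_PEER, "PORT 192,0,2,10,4,1")   # port 4*256+1 = 1025
    print("dynamic rule, scanner:", scan_high_ports(fw, PROTECTED_HOST, probe + [1025]))
    print("dynamic rule, real peer:", fw.allows(Packet(FTP_PEER, 20, PROTECTED_HOST, 1025)))
```

Run as a script it prints the scan results for each configuration. The static rule exposes every high port on x.x.x.x to anyone who sets a source port of 20 (which is Cy's objection, confined to that one host as Crist notes), the "any" variant exposes every inside host, and the dynamic rule admits only the real peer, only to the single announced port, and only after that host itself sent the PORT command.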


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000623192546.A481>