Date: Fri, 23 Jun 2000 19:25:46 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: Jennifer Ulrich <pixie_styxx@hotmail.com>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: allowing passive ftp through ipfw
Message-ID: <20000623192546.A481@dialin-client.earthlink.net>
In-Reply-To: <200006230633.e5N6Xci97623@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Jun 22, 2000 at 11:32:55PM -0700
References: <20000622213946.F489@dialin-client.earthlink.net> <200006230633.e5N6Xci97623@cwsys.cwsent.com>
On Thu, Jun 22, 2000 at 11:32:55PM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> In message <20000622213946.F489@dialin-client.earthlink.net>, "Crist J. Clark" writes:
> > On Thu, Jun 22, 2000 at 06:50:46AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > > In message <20000621145255.I214@dialin-client.earthlink.net>, "Crist J. Clark" writes:
> > > >
> > > > Having a rule like,
> > > >
> > > > ipfw add 2350 pass tcp from any 20 to x.x.x.x port_high1-port_high2
> > > >
> > > > Is not really too much of a risk (I don't remember what the range of
> > > > valid ports is). Make sure you don't have anything you are not
> > > > comfortable with listening in that range. The rule to allow the
> > > > initial ftp connection is much, much more risky than the above.
> > >
> > > I vehemently disagree. It is a high risk because an attacker can
> > > connect to services running on ports >= 1024, e.g. Oracle. Even if
> > > you're not running any services >= 1024, it is trivial to scan your
> > > network to get a picture of what it looks like to plan a strategy of
> > > attack. IMO too much risk.
> >
> > How can an attacker scan the network when the high ports are only
> > open for this one host?
>
> An attacker won't be able to scan the low ports but will be able to
> determine which IP addresses (hosts) are on the inside. If an attacker
> scans ports >= 1024 he'll easily discover services running on those
> ports.
>
> Think about it:
>
> ipfw add allow tcp from any 20 to any 1024-65535 in
>
> allows port 20 to initiate connects to any non-privileged port on
> your network like X and some Kerberos services.

I agree that _that_ is a dangerous rule, but we were discussing,

ipfw add allow tcp from any 20 to x.x.x.x 1024-65535

To the one ftp server, 'x.x.x.x,' and NOT 'any.' You can only directly
scan that one host.

> > > > Actually, this would be a good place for keep-state to work. I'm kinda
> > > > surprised that no one has added a keep-state method for FTP. It'd just
> > > > be,
> > > >
> > > > ipfw add 2350 pass tcp from any to x.x.x.x 21 setup keep-state ftp
> > > >
> > > > Right? Creating a dynamic rule that passes traffic from 20 to
> > > > x.x.x.x. From how I understand keep-state to work (and it is minimal,
> > > > sorry), it should not be too difficult to do?
> > >
> > > Agreed, under IPFW this cannot be done.
> >
> > As ipfw(8) is currently implemented? Or is this something that cannot
> > (or should not) be done with ipfw?
>
> IPFW does not support an FTP application proxy, period. Take a look
> for yourself.

I know it does not proxy and would not ever want ipfw to actually modify
packets. I just wonder about a dynamic rule that opens the high ports of
a machine to source port 20 when a keep-state is triggered for an
incoming setup to port 21 of that machine. I know it does not do this
now,

     keep-state [method]
             Upon a match, the firewall will create a dynamic rule, whose
             default behaviour is to matching bidirectional traffic
             between source and destination IP/port using the same
             protocol...
             [snip]
             The actual behaviour can be modified by specifying a
             different method, although at the moment only the default
             one is specified.

Notice "at the moment." I am saying, is there a reason one could not or
should not code in another 'method' to do PORT ftp?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
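The thread above contrasts a static hole (any:20 to x.x.x.x 1024-65535) with a hypothetical "keep-state ftp" method that would open only the port actually negotiated on the control channel. The following Python is an added example, not code from the thread or from ipfw: it models what such a method would have to derive from the FTP control channel. It follows RFC 959 conventions (in active mode the server connects from its port 20 to the address and port the client announces with PORT; in passive mode the client connects to the address and port the server announces in its 227 reply) and emits one narrow ipfw-style rule per data connection instead of a whole port range. The addresses, the sample control-channel lines and the function names are constructed for illustration; the rule strings are ipfw syntax used as an output format only and are not installed anywhere.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample endpoints for one FTP session (placeholders, not the
# thread's 'x.x.x.x').  The client opened the control connection to port 21.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.21"

# RFC 959 encodes an address/port pair as h1,h2,h3,h4,p1,p2 in both the
# client's PORT command and the server's "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2), or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def dynamic_rule(client_ip: str, server_ip: str, line: str) -> Optional[str]:
    """Return the single rule a hypothetical 'keep-state ftp' method would add
    for this control-channel line, or None when the line opens no data channel.

    Two defensive checks narrow what gets opened: the announced address must be
    the peer of the control connection (a PORT or 227 naming any other host is
    ignored), and the announced port must be in the non-privileged range.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):            # client -> server, active mode
        ep = parse_hostport(line[5:])
        if ep is None or ep[0] != client_ip or ep[1] < 1024:
            return None
        # Server's data port 20 will connect to exactly this client port.
        return f"allow tcp from {server_ip} 20 to {ep[0]} {ep[1]} setup"
    if line.startswith("227 "):                     # server -> client, passive mode
        ep = parse_hostport(line)
        if ep is None or ep[0] != server_ip or ep[1] < 1024:
            return None
        # Client will connect to exactly this server port.
        return f"allow tcp from {client_ip} to {ep[0]} {ep[1]} setup"
    return None


def rules_for_session(client_ip: str, server_ip: str, lines: List[str]) -> List[str]:
    """Run every control-channel line through dynamic_rule and keep the hits."""
    rules = []
    for line in lines:
        rule = dynamic_rule(client_ip, server_ip, line)
        if rule is not None:
            rules.append(rule)
    return rules


# Constructed control-channel transcript: an active transfer, a passive one,
# and a PORT command naming a third host, which must be ignored.
SAMPLE_CONTROL_CHANNEL = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",                            # client port 4*256+1 = 1025
    "RETR file1",
    "227 Entering Passive Mode (198,51,100,21,195,80)",  # server port 195*256+80 = 50000
    "RETR file2",
    "PORT 203,0,113,5,4,1",                           # not the control peer: no rule
]

if __name__ == "__main__":
    for r in rules_for_session(CLIENT_IP, SERVER_IP, SAMPLE_CONTROL_CHANNEL):
        print("ipfw add", r)
```

Run against the constructed transcript the session yields exactly two rules, one per negotiated data connection, each pinned to a single host and port on both ends; the static 1024-65535 range discussed in the thread is what this replaces.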
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000623192546.A481>