From owner-freebsd-net  Mon Dec  9 16:57:13 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 413BA37B401
	for <freebsd-net@FreeBSD.ORG>; Mon,  9 Dec 2002 16:57:11 -0800 (PST)
Received: from tp.databus.com (p70-227.acedsl.com [66.114.70.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8502F43EA9
	for <freebsd-net@FreeBSD.ORG>; Mon,  9 Dec 2002 16:57:09 -0800 (PST)
	(envelope-from barney@tp.databus.com)
Received: from tp.databus.com (localhost.databus.com [127.0.0.1])
	by tp.databus.com (8.12.6/8.12.6) with ESMTP id gBA0uuMG062136;
	Mon, 9 Dec 2002 19:56:56 -0500 (EST)
	(envelope-from barney@tp.databus.com)
Received: (from barney@localhost)
	by tp.databus.com (8.12.6/8.12.6/Submit) id gBA0uuTn062135;
	Mon, 9 Dec 2002 19:56:56 -0500 (EST)
	(envelope-from barney)
Date: Mon, 9 Dec 2002 19:56:56 -0500
From: Barney Wolff <barney@tp.databus.com>
To: Peter Brezny <peter@skyrunner.net>
Cc: "Orville R. Weyrich_Jr" <orville@ameriroots.com>,
	freebsd-net@FreeBSD.ORG
Subject: Re: passive mode ftp server, need stateful ipfw rule.
Message-ID: <20021210005656.GA62054@tp.databus.com>
References: <20021209145439.L45560-100000@localhost> <NEBBIGLHNDFEJMMIEGOOIELGFEAA.peter@skyrunner.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <NEBBIGLHNDFEJMMIEGOOIELGFEAA.peter@skyrunner.net>
User-Agent: Mutt/1.4i
X-Scanned-By: MIMEDefang 2.26 (www . roaringpenguin . com / mimedefang)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

Guys, you're both missing the point.  Any flavor of ftp makes the data
connection separate from the control connection, so something must
permit the SYN of the data connection to pass.  natd is able to do
this for clients using active-mode ftp, but I don't think it can do
it for a server with a passive-mode client.

One pragmatic solution is to adjust the range of random tcp ports
chosen to a fairly narrow one, and then allow the setup from any to
that port range.

The real answer is to get rid of ftp, and use something better.  For
replacing anonymous ftp, http works just as well.  scp, sftp or https
with passwords will do fine for restricting users and ensuring file
integrity.

On Mon, Dec 09, 2002 at 04:42:11PM -0500, Peter Brezny wrote:
> Yes but then you run into:
>    DYNAMIC RULES
>      In order to protect a site from flood attacks involving fake TCP packets,
>      it is safer to use dynamic rules:
> 
>            ipfw add check-state
>            ipfw add deny tcp from any to any established
> 
> And also, if you've got an:
> add allow all from any to any established
> 
> aren't you sort of setting yourself up.  Couldn't someone establish a valid
> connection to a valid port, then, have a field day?
> 
> TIA
> 
> Peter Brezny
> Skyrunner.net
> 
> 
> -----Original Message-----
> From: Orville R. Weyrich_Jr [mailto:orville@ameriroots.com]
> Sent: Monday, December 09, 2002 4:55 PM
> To: Peter Brezny
> Cc: freebsd-net@FreeBSD.ORG
> Subject: Re: passive mode ftp server, need stateful ipfw rule.
> 
> 
> Isn't that what ESTABLISHED is used for?
> 
> On Mon, 9 Dec 2002, Peter Brezny wrote:
> 
> > Is it possible to create an ipfw ruleset for an ftp server in passive mode
> > that figures out which random port the ftp server is going to open to only
> > allow the client that initiated the connection to connect to that port?
> >
> >
> > Since the client initiates its data connection from a random port to the
> > new random data port on the passive mode server, I've so far not been able
> > to come up with decent firewall rules to protect this type of system.
> >
> > TIA,
> >
> >
> > Peter Brezny
> > Skyrunner.net
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
> >
> 
> -------------------------------------------------------------------------------
> Orville R. Weyrich, Jr PhD.         KD7HJV
> mailto:orville@weyrich.com
> -------------------------------------------------------------------------------
> 
> 
> 

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

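The pragmatic approach Barney describes (narrow the passive data-port range, then allow setup to that range) combined with the dynamic-rule pattern Peter quotes from the ipfw manpage, written out as an added example. This is not a ruleset from anyone in the thread; the server address 192.0.2.10 and the port range 49152-49407 are constructed values, and the script assumes the ftp daemon has been configured to pick its passive data ports from that same range (how that is done depends on the daemon and is not shown here). The function only emits the ipfw commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an ipfw ruleset for a
# passive-mode ftp server whose passive data ports have been confined to
# a narrow range. Arguments: server address, lowest and highest passive port.
# The address and range used in the usage line below are constructed values.
gen_ftp_ruleset() {
    server="$1"
    lo="$2"
    hi="$3"

    # Refuse an empty or inverted range: a wrong range would either block
    # all passive transfers or open far more ports than intended.
    [ -n "$server" ] && [ -n "$lo" ] && [ -n "$hi" ] || return 1
    [ "$lo" -le "$hi" ] 2>/dev/null || return 1

    cat <<EOF
ipfw add check-state
ipfw add allow tcp from any to $server 21 setup keep-state
ipfw add allow tcp from any to $server $lo-$hi setup keep-state
ipfw add allow tcp from $server 20 to any setup keep-state
ipfw add deny tcp from any to any established
EOF
}

# Usage (constructed values): print the ruleset for review.
gen_ftp_ruleset 192.0.2.10 49152 49407
```

The ordering matters: check-state comes first so packets belonging to a connection that was admitted by one of the keep-state rules pass on their tracked state, and the final deny established replaces the broad "allow all from any to any established" that Peter was worried about, so a forged ACK-only packet to some other port is dropped rather than accepted. The rule for port 20 covers active-mode clients, where the server originates the data connection. As Barney notes, this still does not tie the passive data port to the client that opened the control connection: any host can attempt a setup to the narrowed range, which is why he regards it as pragmatic rather than a real fix.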