Date:      Tue, 10 Dec 2002 08:31:45 +0000
From:      Vincent Jardin <vjardin@wanadoo.fr>
To:        Barney Wolff <barney@tp.databus.com>, Peter Brezny <peter@skyrunner.net>
Cc:        "Orville R. Weyrich_Jr" <orville@ameriroots.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: passive mode ftp server, need stateful ipfw rule.
Message-ID:  <200212100831.45848.vjardin@wanadoo.fr>
In-Reply-To: <20021210005656.GA62054@tp.databus.com>
References:  <20021209145439.L45560-100000@localhost> <NEBBIGLHNDFEJMMIEGOOIELGFEAA.peter@skyrunner.net> <20021210005656.GA62054@tp.databus.com>

>
> One pragmatic solution is to adjust the range of random tcp ports
> chosen to a fairly narrow one, and then allow the setup from any to
> that port range.
>
> The real answer is to get rid of ftp, and use something better.  For
> replacing anonymous ftp, http works just as well.  scp, sftp or https
> with passwords will do fine for restricting users and ensuring file
> integrity.

Another solution is a daemon that could track the control planes of some
specific applications on a divert socket, such as ftp, h323, ..., and then add
a dynamic rule about the new TCP/UDP sessions. It is like natd, however
without the NAT features.

The performance would remain good because this daemon would work only on the
control plane. The data plane would remain within the kernel, and if they
match the "dynamic" firewall rules, they are just forwarded or dropped by the
kernel.

It would be a session tracking firewall ;-)

Vincent


>
> On Mon, Dec 09, 2002 at 04:42:11PM -0500, Peter Brezny wrote:
> > Yes but then you run into:
> >    DYNAMIC RULES
> >      In order to protect a site from flood attacks involving fake TCP
> > packets,
> >      it is safer to use dynamic rules:
> >
> >            ipfw add check-state
> >            ipfw add deny tcp from any to any established
> >
> > And also, if you've got an:
> > add allow all from any to any established
> >
> > arn't you sort of setting yourself up.  Couldn't someone establish a
> > valid connection to a valid port, then, have a field day?
> >
> > TIA
> >
> > Peter Brezny
> > Skyrunner.net
> >
> >
> > -----Original Message-----
> > From: Orville R. Weyrich_Jr [mailto:orville@ameriroots.com]
> > Sent: Monday, December 09, 2002 4:55 PM
> > To: Peter Brezny
> > Cc: freebsd-net@FreeBSD.ORG
> > Subject: Re: passive mode ftp server, need stateful ipfw rule.
> >
> >
> > Isn't that what ESTABLISHED is used for?
> >
> > On Mon, 9 Dec 2002, Peter Brezny wrote:
> > > Is it possible to create an ipfw ruleset for an ftp server in passive
> > > mode that figures out which random port the ftp server is going to open
> > > to only allow the client that initiated the connection to connect to
> > > that port?
> > >
> > >
> > > Since the client initiates its data connection from a random port to
> > > the new random data port on the passive mode server, I've so far not
> > > been able to come up with decent firewall rules to protect this type of
> > > system.
> > >
> > > TIA,
> > >
> > >
> > > Peter Brezny
> > > Skyrunner.net
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-net" in the body of the message
> >
> > ------------------------------------------------------------------------------
> > Orville R. Weyrich, Jr PhD.         KD7HJV
> > mailto:orville@weyrich.com
> > ------------------------------------------------------------------------------
> >
> >
> >


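The control-plane tracker Vincent sketches above, as an added example that is not from this thread and not any FreeBSD daemon: a Python sketch of the daemon's core logic that watches the FTP control channel for the server's 227 (PASV) and, going beyond the thread, 229 (EPSV) replies, derives the announced data port, and emits the ipfw dynamic rule that admits only the client which initiated the control connection, which is exactly what Peter asked for. It also builds the static alternative Barney proposes (ftpd pinned to a narrow passive range, connection setup allowed to that range). The addresses, the sample control-channel transcript and all function names are constructed assumptions; the rule syntax follows the `check-state`, `setup` and `keep-state` forms of ipfw(8). A real daemon would read the replies from the divert socket and execute the rules instead of returning them; that plumbing is omitted here.

```python
import re
from dataclasses import dataclass

# Constructed example: a FreeBSD ftpd at SERVER answering a client at CLIENT.
SERVER = "192.168.1.10"
CLIENT = "10.0.0.5"

# Constructed control-channel transcript as the daemon would see it on the
# divert socket (server replies only; client commands are not needed here).
CONTROL_SESSION = [
    "220 ftp.example.test FTP server ready.",
    "331 Guest login ok, send your email address as password.",
    "230 Guest login ok, access restrictions apply.",
    "227 Entering Passive Mode (192,168,1,10,195,80)",   # port 195*256+80 = 50000
    "150 Opening BINARY mode data connection for file.tar.gz",
    "226 Transfer complete.",
    "229 Entering Extended Passive Mode (|||50001|)",    # RFC 2428 EPSV form
    "221 Goodbye.",
]

PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataChannel:
    client: str
    server: str
    port: int


def parse_passive_reply(line, client, server):
    """Return a DataChannel for a 227 (PASV) or 229 (EPSV) reply, else None.

    A 227 reply announcing an address other than the server's own is rejected,
    so a misbehaving or spoofed reply cannot open a rule toward a third host.
    Ports outside 1024..65535 are rejected as well.
    """
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        if host != server:
            raise ValueError(f"PASV address {host} is not the server {server}")
        port = int(m.group(5)) * 256 + int(m.group(6))
    else:
        m = EPSV_RE.match(line)
        if not m:
            return None
        port = int(m.group(1))
    if not 1024 <= port <= 65535:
        raise ValueError(f"implausible passive data port {port}")
    return DataChannel(client, server, port)


def dynamic_rule(chan):
    """ipfw rule admitting only the initiating client to the announced port.
    'setup' matches the SYN; 'keep-state' creates the dynamic entry that an
    earlier 'check-state' rule honours for the rest of the data connection."""
    return (f"ipfw add allow tcp from {chan.client} to {chan.server} "
            f"{chan.port} setup keep-state")


def track_control_plane(lines, client, server):
    """The daemon's core loop: scan server replies, return the rules it would add."""
    rules = []
    for line in lines:
        chan = parse_passive_reply(line.rstrip("\r\n"), client, server)
        if chan is not None:
            rules.append(dynamic_rule(chan))
    return rules


def static_passive_ruleset(server, low, high):
    """The pragmatic alternative: ftpd pinned to the passive range low..high,
    connection setup allowed from anywhere to that range, and a final
    'deny established' so stray ACK-only packets never match an allow rule."""
    return [
        "ipfw add check-state",
        f"ipfw add allow tcp from any to {server} 21 setup keep-state",
        f"ipfw add allow tcp from any to {server} {low}-{high} setup keep-state",
        "ipfw add deny tcp from any to any established",
    ]


if __name__ == "__main__":
    for rule in track_control_plane(CONTROL_SESSION, CLIENT, SERVER):
        print(rule)
    print()
    for rule in static_passive_ruleset(SERVER, 50000, 50099):
        print(rule)
```

The address check in parse_passive_reply is the part worth keeping in any real implementation: the daemon is turning untrusted text from the data path into firewall policy, so it must only ever open ports on the host whose control channel it is tracking, and only for the peer of that channel.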




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200212100831.45848.vjardin>