Date: Mon, 18 Dec 2000 15:31:34 +0100 (MET)
From: Peter Ross <petros@pps.de>
To: freebsd-security@freebsd.org
Subject: FTP and firewall
Message-ID: <200012181431.PAA16565@jung9.pps.de>
Hi,
I tried to redirect FTP to an internal FTP server using natd.
I wrote:
> natd_flags="-redirect_port tcp ${intern_ftp_ip}:ftp ftp"
>
> # Allow incoming FTP connections to the internal FTP server
> ipfw add allow tcp from any to ${extern_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${intern_if}
>
> # and outgoing FTP data connections created by the internal FTP server
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${intern_if}
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${extern_if}
> ipfw add allow tcp from ${extern_ip} 20 to any setup via ${extern_if}
>
> # Allow TCP through if setup succeeded
> ipfw add pass tcp from any to any established
>
> # Everything else is denied as default.
There is a problem with FTP clients using passive mode. The server listens on
ports 49152..65535. I think the natd redirect option and the firewall rule
> ftp_passive_range="49152-65535"
>
> natd_flags="-redirect_port tcp ${intern_ftp_ip}:${ftp_passive_range} ${ftp_passive_range}"
>
> # Allow incoming passive-mode data connections to the internal FTP server
> ipfw add allow tcp from any to ${extern_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${intern_if}
should work but ..
What do you think?
The FTP control connection contains the data port negotiation between client and
server. Can I use this information?
I see five different ways to solve the FTP firewall problem:
1. external FTP server and mirror through the firewall
Problem: We need the server always up to date,
data more than 5 minutes old are not acceptable,
also unacceptable are corrupted files (e.g. files which are created by
internal processes while the mirror process runs)
Can I use cpdup (ports collection)?
2. external FTP proxy server with access to an internal server
Problem: which proxy should I use?
3. external FTP server with NFS access through the firewall
Problem: NFS and security
4. firewall with FTP server and NFS access to the company network
Problem: see above,
a firewall shouldn't be running daemons with public access
5. 3. or 4. with a more secure network file system (e.g. Coda ?)
Thanks for advice
Peter Ross
*******************************************************
Dipl.Inf. Peter Ross petros@pps.de
Presse Programm Service Berlin - Systems administration
*******************************************************
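Peter asks whether the data-port negotiation carried on the FTP control connection can be used by the firewall. That is exactly what an FTP-aware NAT or proxy does (natd's libalias rewrites PORT commands and 227 PASV replies for this purpose). The block below is an added example, not part of Peter's message and not natd's or FreeBSD's code: it parses the two RFC 959 forms, applies the checks a firewall helper needs before opening a pinhole (the advertised address must be the host that sent the line, so a client cannot bounce the server at a third host; the port must be unprivileged; a PASV port must fall inside the server's configured passive range), and shows the address rewrite a NAT must apply to the server's 227 reply so that the external client connects to ${extern_ip} instead of ${intern_ftp_ip}. The sample session lines and the addresses 192.0.2.10, 10.0.0.5 and 203.0.113.1 are constructed for this example; only the 49152-65535 range is taken from the posted configuration.

```python
import ipaddress
import re

# Passive range taken from the posted rc.conf fragment (ftp_passive_range="49152-65535").
PASSIVE_RANGE = (49152, 65535)

# Constructed sample addresses for this example (not from the original message).
CLIENT_IP = "192.0.2.10"     # external FTP client
SERVER_IP = "10.0.0.5"       # internal FTP server (${intern_ftp_ip})
PUBLIC_IP = "203.0.113.1"    # firewall's external address (${extern_ip})

# RFC 959 forms: "PORT h1,h2,h3,h4,p1,p2" and "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(field):
    """Turn 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); port = p1*256 + p2."""
    parts = [int(x) for x in field.split(",")]
    if len(parts) != 6 or any(p < 0 or p > 255 for p in parts):
        raise ValueError("malformed host-port field: %r" % field)
    ip = ipaddress.IPv4Address(".".join(str(p) for p in parts[:4]))
    return ip, parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(ip).packed)
    return "%s,%d,%d" % (octets, port // 256, port % 256)


def parse_control_line(line):
    """Return ('PORT'|'PASV', ip, port) if the line negotiates a data port, else None."""
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line)
    if m:
        return ("PORT",) + decode_hostport(m.group(1))
    m = PASV_RE.match(line)
    if m:
        return ("PASV",) + decode_hostport(m.group(1))
    return None


def check_negotiation(kind, ip, port, control_peer_ip, passive_range=PASSIVE_RANGE):
    """Decide whether a firewall helper may open a pinhole for the negotiated endpoint.

    control_peer_ip is the address of the side that sent the line, as seen on the
    control connection where the helper runs.  Returns (allowed, reason).
    """
    # Bounce guard: never open a pinhole to a host other than the one that asked.
    if ip != control_peer_ip:
        return False, "address %s does not match control-connection peer %s" % (ip, control_peer_ip)
    if port <= 1023:
        return False, "refusing privileged port %d" % port
    if kind == "PASV" and not passive_range[0] <= port <= passive_range[1]:
        return False, "port %d outside passive range %d-%d" % (port, passive_range[0], passive_range[1])
    return True, "ok"


def rewrite_pasv_reply(line, public_ip):
    """What a NAT must do to the server's 227 reply: advertise the public address, keep the port."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    _ip, port = decode_hostport(m.group(1))
    return line[:m.start(1)] + encode_hostport(public_ip, port) + line[m.end(1):]


# Constructed control-channel lines (sender, text); the last two are the cases to reject.
SAMPLE_SESSION = [
    ("client", "PORT 192,0,2,10,195,80"),                       # 192.0.2.10:50000
    ("server", "227 Entering Passive Mode (10,0,0,5,200,25)"),  # 10.0.0.5:51225
    ("client", "PORT 198,51,100,7,0,80"),                       # bounce attempt at a third host, port 80
    ("server", "227 Entering Passive Mode (10,0,0,5,39,16)"),   # 10.0.0.5:10000, outside the passive range
]


def evaluate_session(session, client_ip, server_ip):
    """Run every negotiation line through check_negotiation; returns (kind, ip, port, allowed, reason)."""
    results = []
    for sender, line in session:
        parsed = parse_control_line(line)
        if parsed is None:
            continue
        kind, ip, port = parsed
        peer = ipaddress.IPv4Address(client_ip if sender == "client" else server_ip)
        allowed, reason = check_negotiation(kind, ip, port, peer)
        results.append((kind, str(ip), port, allowed, reason))
    return results


def sample_decisions():
    return evaluate_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)


if __name__ == "__main__":
    for kind, ip, port, allowed, reason in sample_decisions():
        print("%-4s %s:%d -> %s (%s)" % (kind, ip, port, "ALLOW" if allowed else "DENY", reason))
    print(rewrite_pasv_reply(SAMPLE_SESSION[1][1], PUBLIC_IP))
```

The peer check is the part that matters for a public server: a helper that opens whatever endpoint the control channel names turns the firewall into a port-forwarding service for anyone who can log in (the classic FTP bounce). The passive-range check is what makes the static natd redirect and ipfw rules above sufficient: as long as the server only ever advertises ports in ${ftp_passive_range}, the redirected range plus the `setup`/`established` rules cover every legitimate data connection, and the NAT rewrite of the 227 reply is what keeps the client from trying to reach ${intern_ftp_ip} directly.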
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012181431.PAA16565>
