From: Peter Ross
Date: Mon, 18 Dec 2000 15:31:34 +0100 (MET)
To: freebsd-security@freebsd.org
Subject: FTP and firewall
Message-Id: <200012181431.PAA16565@jung9.pps.de>

Hi,

I tried to redirect FTP to an internal FTP server using natd.
I wrote:

> natd_flags="-redirect_port tcp ${intern_ftp_ip}:ftp ftp"
>
> # Allow incoming FTP connections to the internal FTP server
> ipfw add allow tcp from any to ${extern_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${intern_if}
>
> # and outgoing FTP data connections created by the internal FTP server
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${intern_if}
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${extern_if}
> ipfw add allow tcp from ${extern_ip} 20 to any setup via ${extern_if}
>
> # Allow TCP through if setup succeeded
> ipfw add pass tcp from any to any established
>
> # Everything else is denied as default.

There is a problem with FTP clients using passive mode. The server listens
on ports 49152..65535. I think the natd redirect option and the firewall
rule

> ftp_passive_range="49152-65535"
>
> natd_flags="-redirect_port tcp ${intern_ftp_ip}:${ftp_passive_range} ${ftp_passive_range}"
>
> ipfw add allow tcp from any to ${extern_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${intern_if}

should work but .. What do you think?

The FTP control connection contains the data port negotiation between
client and server. Can I use this information?

I see five different ways to solve the FTP firewall problem:

1. external FTP server and mirror through the firewall
   Problem: We need the server always up to date; data more than 5 minutes
   old are not acceptable, also unacceptable are corrupted files (e.g. files
   created by internal processes while the mirror process works).
   Can I use cpdup (ports collection)?

2. external FTP proxy server with access to an internal server
   Problem: which proxy should I use?

3. external FTP server with NFS access through the firewall
   Problem: NFS and security

4. firewall with FTP server and NFS access to the company network
   Problem: see above, a firewall shouldn't be running daemons with public
   access

5. 3. or 4. with a more secure network file system (e.g. Coda?)

Thanks for advice

Peter Ross

*******************************************************
Dipl.Inf. Peter Ross                          petros@pps.de
Presse Programm Service Berlin - Systems administration
*******************************************************
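The question raised in the post, whether the data-port negotiation on the control connection can be used, is exactly what an FTP-aware firewall or NAT helper does: it reads the client's PORT command and the server's "227 Entering Passive Mode" reply, checks the announced endpoint against policy, and opens only that one data connection instead of a static hole for the whole 49152-65535 range. The Python below is an added illustration written for this page; it is not code from the post and not natd's or ipfw's own implementation. The addresses, the interface name fxp0, the function names and the sample control-channel lines are constructed assumptions; the passive range is the one stated in the post.

```python
import re

# Passive-mode port range of the internal server, as stated in the post
# ("The server listens on ports 49152..65535").
PASSIVE_RANGE = (49152, 65535)

# Both the client's PORT command and the server's 227 reply carry the
# endpoint as six decimal numbers: h1,h2,h3,h4,p1,p2 with port = p1*256+p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' spec, or None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection_for(line, client_ip, server_ip, passive_range=PASSIVE_RANGE):
    """Inspect one control-channel line and return the data connection it
    announces as {'src', 'sport', 'dst', 'dport'}, or None if the line
    announces nothing.  Raises ValueError when the announcement breaks
    policy: the advertised host must be the peer that sent it (no
    third-party endpoints) and the port must be unprivileged and, for
    passive mode, inside the configured range.
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        # Active mode: the server will connect from port 20 to the client's endpoint.
        spec = parse_hostport(text[5:])
        if spec is None:
            raise ValueError("malformed PORT command")
        ip, port = spec
        if ip != client_ip:
            raise ValueError("PORT advertises %s, not the client %s" % (ip, client_ip))
        if port < 1024:
            raise ValueError("PORT to privileged port %d" % port)
        return {"src": server_ip, "sport": 20, "dst": ip, "dport": port}
    if text.startswith("227 "):
        # Passive mode: the client will connect to the server's endpoint.
        spec = parse_hostport(text)
        if spec is None:
            raise ValueError("malformed 227 reply")
        ip, port = spec
        if ip != server_ip:
            raise ValueError("227 advertises %s, not the server %s" % (ip, server_ip))
        lo, hi = passive_range
        if not lo <= port <= hi:
            raise ValueError("passive port %d outside %d-%d" % (port, lo, hi))
        return {"src": client_ip, "sport": None, "dst": ip, "dport": port}
    return None


def ipfw_rule(conn, iface):
    """Render the pinhole in the 'setup via' rule form used in the post."""
    src = conn["src"] if conn["sport"] is None else "%s %d" % (conn["src"], conn["sport"])
    return "ipfw add allow tcp from %s to %s %d setup via %s" % (
        src, conn["dst"], conn["dport"], iface)


def verdict(line, client_ip, server_ip, iface, passive_range=PASSIVE_RANGE):
    """('allow', rule), ('deny', reason) or ('ignore', None) for one control line."""
    try:
        conn = data_connection_for(line, client_ip, server_ip, passive_range)
    except ValueError as e:
        return ("deny", str(e))
    if conn is None:
        return ("ignore", None)
    return ("allow", ipfw_rule(conn, iface))


if __name__ == "__main__":
    # Constructed sample control-channel traffic; the addresses and the
    # interface name are assumptions, not values from the post.
    CLIENT, SERVER, IFACE = "203.0.113.7", "192.168.1.10", "fxp0"
    for line in [
        "PORT 203,0,113,7,4,1",                              # active mode, client port 1025
        "227 Entering Passive Mode (192,168,1,10,200,10).",  # passive, server port 51210
        "227 Entering Passive Mode (192,168,1,10,100,0).",   # port 25600, outside range
        "PORT 203,0,113,8,4,1",                              # third-party address
        "RETR file.txt",                                     # announces nothing
    ]:
        print("%-52s -> %s" % (line, verdict(line, CLIENT, SERVER, IFACE)))
```

The address comparison is the defensive part: an announcement that points at a host other than the peer that sent it is refused rather than turned into a rule. In the post's NAT setup the internal server's 227 reply carries its internal address, so a helper sitting on the control connection has to compare against the address it sees on its own side of natd, and the reply's address still has to be rewritten to the external one before it reaches the client.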