Date: Mon, 9 Jul 2001 09:29:43 +0200
From: Axel Scheepers <ascheepe@surf.iae.nl>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall and ftp service
Message-ID: <20010709092943.A2548@surf.iae.nl>
In-Reply-To: <20010707113849.C408@blossom.cjclark.org>; from cristjc@earthlink.net on Sat, Jul 07, 2001 at 11:38:49AM -0700
References: <20010707153247.A78448@surf.iae.nl> <20010707113849.C408@blossom.cjclark.org>
Thank you all for your help! ;-)

I do use kind of a mix of ipf/ipfw/natd at the moment, but that was because I
wanted it working as fast as possible (just switched from modem to cable ;-)
Now that my first "Wow, I want to do ... and ... and .." feelings are over, I
want to figure out a nice clean way of doing it.

So thank you all for your great responses, you've given me a lot of starting
points (ipnat instead of natd) and help (ftp howto ;-)

Thanks,
Axel Scheepers

On Sat, Jul 07, 2001 at 11:38:49AM -0700, Crist J. Clark wrote:
> On Sat, Jul 07, 2001 at 03:32:47PM +0200, Axel Scheepers wrote:
> 
> I'll say it again, FTP is eeeevul.
> 
> > Hi everybody,
> > I hope I'm not being really off topic with this one but
> > it's been troubling me for a while now.
> > I'm looking for a way to provide access to an ftpserver, my current
> > network layout looks like this:
> > 
> > Cable Modem ------> Gateway ---------> http/ftp server
> >                        |
> >                        |
> >                        +------------> private http/ftp/sql server
> >                        |
> >                        |
> >                        +------------> my workstation
> > 
> > The gateway does natd and ipf since the other servers have private
> > addresses.
> 
> natd(8) and ipf(8) or natd(8) and ipfw(8)? I'd recommend either using
> natd(8) and ipfw(8) or ipnat(8) and ipf(8), and not mixing and
> matching. There are sometimes reasons to run ipf(8) and ipfw(8) at the
> same time, but when you need to proxy FTP, there is too much room for
> confusion and weird interactions.
> 
> > The problem now is that whenever I connect to my
> > ftp servers from the outside, the server is unable to set up a
> > data connection, because it wants to connect on a port > 1024, which
> > is blocked by my firewall (and I want to leave it that way).
> > Natd does the following:
> > 
> > natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
> > 
> > which redirects the traffic to my public ftp server.
> > 
> > As I see it there can be 2 problems with this setup;
> > 1) The server wants to initiate the data connection at a port > 1024 and/or
> > 2) The server still somehow reports 192.168.0.5 as its address to the clients.
> > 
> > I have tried to connect with the option passive off, which I thought
> > should force the server to stay on port 21 for the data connection, but
> > it didn't work. :(
> 
> OK, one more time on how FTP generally works. Everyone knows the
> client connects to the server on port 21. That's easy. Now as for the
> data connection, there are two modes, PORT (active) and PASV
> (passive). In PORT, the client tells the server what port it will be
> listening on and the _server_ then (usually) connects to the _client_
> with a source port of 20 and the arbitrary high port ("ephemeral")
> the client gave the server as the destination. In PASV, the server
> tells the client what port it will be listening on, usually an
> arbitrary high, ephemeral port, and the client then connects with an
> ephemeral port source to the ephemeral destination. And we should
> point out that in both modes the server and client are passing not
> only the port number back and forth, but actually the IP address to
> connect to as well.
> 
> So, the moral of the story is that FTP is an absolute bitch to work
> with if you have a firewall or NAT'ing gateway between the client and
> server. You need an application layer proxy for the
> connection. Redirection alone will not cut it.
> 
> > Can/will somebody help on getting this done the proper way?
> > I just want to use ipfilter, if possible, and I don't like to install
> > an ftp proxy for this.
> 
> Oops. You are really using ipf(8). IPFilter has an FTP proxy
> built-in. However, use ipnat(8) and not natd(8) with ipf(8).
> -- 
> Crist J. Clark                                cjclark@alum.mit.edu

-- 
Kind regards,
VIA NET.WORKS Nederland

Axel Scheepers
Operations
phone  +31 40 239 33 93
fax    +31 40 239 33 11
e-mail eindhoven.beheer@vianetworks.nl
http://www.vianetworks.nl/
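The PORT/PASV mechanics Crist describes above, as an added Python illustration that is not part of this thread and is not IPFilter's, natd's or the poster's code. It parses the h1,h2,h3,h4,p1,p2 pairs RFC 959 puts on the control channel, shows why a 227 reply from the server leaks its private 192.168.0.5 address and an ephemeral port (Axel's "problem 2", which plain port 20/21 redirection can never fix), and does the rewrite plus pinhole bookkeeping an FTP application-layer proxy has to perform. It also refuses PORT targets that name a third host, the FTP "bounce" abuse of RFC 2577. The public address 203.0.113.7, the client 198.51.100.9 and the sample protocol lines are constructed for the example.

```python
"""Minimal FTP application-layer helper: parse and rewrite the address/port
pairs that PORT commands and 227 (PASV) replies carry inside the control
channel. Added illustration only; not IPFilter or natd code."""
import re

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959).
_HP_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """'192.168.0.5', 50000 -> '192,168,0,5,195,80' (port = p1*256 + p2)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text):
    """Return (ip, port) for the first h1..p2 group in text, or None when the
    line carries none or an octet/port byte exceeds 255."""
    m = _HP_RE.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), (nums[4] << 8) | nums[5]


def safe_to_connect(hp, peer_ip):
    """Bounce check: a PORT target must be the control-channel peer itself and
    an ephemeral (>1023) port; otherwise the server could be made to open a
    connection to an arbitrary third host or privileged service (RFC 2577)."""
    ip, port = hp
    return ip == peer_ip and port > 1023


def parse_port_command(line, peer_ip):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' (active mode). Returns the
    (ip, port) the server will connect to from source port 20, None if the
    line is not a PORT command, and raises if the target fails the bounce check."""
    if not line.upper().startswith("PORT "):
        return None
    hp = decode_hostport(line)
    if hp is None or not safe_to_connect(hp, peer_ip):
        raise ValueError("refusing PORT target %r from %s" % (hp, peer_ip))
    return hp


def parse_pasv_reply(line):
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        return None
    return decode_hostport(line)


def rewrite_pasv_reply(line, private_ip, public_ip):
    """What the FTP proxy on the NAT gateway must do for an outside client:
    replace the server's private address in the 227 reply with the gateway's
    public one and return the pinhole the packet filter needs, i.e. allow
    inbound to public_ip:port and translate it to private_ip:port. Lines that
    are not a 227 for private_ip pass through unchanged with no pinhole."""
    hp = parse_pasv_reply(line)
    if hp is None or hp[0] != private_ip:
        return line, None
    port = hp[1]
    fixed = _HP_RE.sub(encode_hostport(public_ip, port), line, count=1)
    return fixed, {"public": (public_ip, port), "private": (private_ip, port)}


def demo():
    """Constructed exchange: outside client 198.51.100.9 talks to the gateway's
    public address 203.0.113.7, whose port 21 is redirected to 192.168.0.5."""
    private, public, client = "192.168.0.5", "203.0.113.7", "198.51.100.9"
    # Passive mode: the server names its *private* address and an ephemeral
    # port (195*256+80 = 50000). With redirection of 20/21 alone the client
    # would try to reach 192.168.0.5:50000 and the transfer hangs.
    raw = "227 Entering Passive Mode (192,168,0,5,195,80)\r\n"
    fixed, pinhole = rewrite_pasv_reply(raw, private, public)
    # Active mode ("passive off" on the client): the client names its own
    # address/port and the server connects *out* from 192.168.0.5:20 to it.
    target = parse_port_command("PORT 198,51,100,9,4,1\r\n", client)
    return fixed, pinhole, target


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The pinhole returned by rewrite_pasv_reply is the state a stateful FTP proxy (ipnat's built-in one, or natd's punch_fw-style handling) keeps per transfer; it is opened when the 227 goes out and should be closed once the data connection is established or the control session ends. The bounce check is the reason a proxy must inspect PORT as well as PASV: it is not only a NAT problem.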