Date:      Mon, 9 Dec 2002 19:56:56 -0500
From:      Barney Wolff <barney@tp.databus.com>
To:        Peter Brezny <peter@skyrunner.net>
Cc:        "Orville R. Weyrich_Jr" <orville@ameriroots.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: passive mode ftp server, need stateful ipfw rule.
Message-ID:  <20021210005656.GA62054@tp.databus.com>
In-Reply-To: <NEBBIGLHNDFEJMMIEGOOIELGFEAA.peter@skyrunner.net>
References:  <20021209145439.L45560-100000@localhost> <NEBBIGLHNDFEJMMIEGOOIELGFEAA.peter@skyrunner.net>

Guys, you're both missing the point.  Any flavor of ftp makes the data
connection separate from the control connection, so something must
permit the SYN of the data connection to pass.  natd is able to do
this for clients using active-mode ftp, but I don't think it can do
it for a server with a passive-mode client.

One pragmatic solution is to adjust the range of random tcp ports
chosen to a fairly narrow one, and then allow the setup from any to
that port range.

The real answer is to get rid of ftp, and use something better.  For
replacing anonymous ftp, http works just as well.  scp, sftp or https
with passwords will do fine for restricting users and ensuring file
integrity.

On Mon, Dec 09, 2002 at 04:42:11PM -0500, Peter Brezny wrote:
> Yes but then you run into:
>    DYNAMIC RULES
>      In order to protect a site from flood attacks involving fake TCP
> packets,
>      it is safer to use dynamic rules:
> 
>            ipfw add check-state
>            ipfw add deny tcp from any to any established
> 
> And also, if you've got an:
> add allow all from any to any established
> 
> aren't you sort of setting yourself up.  Couldn't someone establish a valid
> connection to a valid port, then, have a field day?
> 
> TIA
> 
> Peter Brezny
> Skyrunner.net
> 
> 
> -----Original Message-----
> From: Orville R. Weyrich_Jr [mailto:orville@ameriroots.com]
> Sent: Monday, December 09, 2002 4:55 PM
> To: Peter Brezny
> Cc: freebsd-net@FreeBSD.ORG
> Subject: Re: passive mode ftp server, need stateful ipfw rule.
> 
> 
> Isn't that what ESTABLISHED is used for?
> 
> On Mon, 9 Dec 2002, Peter Brezny wrote:
> 
> > Is it possible to create an ipfw ruleset for an ftp server in passive mode
> > that figures out which random port the ftp server is going to open to only
> > allow the client that initiated the connection to connect to that port?
> >
> >
> > Since the client initiates its data connection from a random port to the
> > new random data port on the passive mode server, I've so far not been able
> > to come up with decent firewall rules to protect this type of system.
> >
> > TIA,
> >
> >
> > Peter Brezny
> > Skyrunner.net
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
> >
> 
> ----------------------------------------------------------------------------
> Orville R. Weyrich, Jr PhD.         KD7HJV
> mailto:orville@weyrich.com
> ----------------------------------------------------------------------------
> 

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
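The pragmatic arrangement described above (a narrowed ephemeral port range on the server, plus the manpage's dynamic-rule pattern for the SYNs), as an added example that is not code from anyone in this thread; it assumes a FreeBSD host whose ftpd takes its passive data ports from the net.inet.ip.portrange.hifirst/hilast sysctls, and a placeholder external interface fxp0:

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for a passive-mode FTP
# server following the pragmatic approach above: narrow the server's
# ephemeral port range, then allow SYNs from any client to that range and
# track them with keep-state.
# Assumptions: external interface fxp0 (placeholder); FreeBSD ftpd draws
# passive data ports from the net.inet.ip.portrange.hifirst/hilast sysctls.

EXT_IF="fxp0"       # hypothetical external interface
PASV_FIRST=49152    # start of the narrowed passive/ephemeral range
PASV_LAST=49251     # 100 ports: one per concurrent data transfer

# Emit the sysctl settings and ipfw rules rather than running them, so they
# can be reviewed and then piped into sh on the firewall host.
ftp_passive_rules() {
    cat <<EOF
sysctl net.inet.ip.portrange.hifirst=${PASV_FIRST}
sysctl net.inet.ip.portrange.hilast=${PASV_LAST}
ipfw -f flush
# Packets belonging to a tracked session are passed here.
ipfw add 100 check-state
# Control connection: only the SYN matches; the rest rides on the state entry.
ipfw add 200 allow tcp from any to me 21 in via ${EXT_IF} setup keep-state
# Passive data connection: the client's SYN comes from any port to a port in
# the narrowed range. The firewall cannot tie it to the control session, so
# the size of the range is what limits exposure.
ipfw add 300 allow tcp from any to me ${PASV_FIRST}-${PASV_LAST} in via ${EXT_IF} setup keep-state
# Sessions the server itself opens (e.g. active-mode data from port 20).
ipfw add 400 allow tcp from me to any out via ${EXT_IF} setup keep-state
# Instead of 'allow tcp from any to any established', which would pass any
# packet with ACK set, drop ACK-bearing packets that matched no session.
ipfw add 500 deny tcp from any to any established
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of passive data ports the narrowed range exposes.
pasv_range_size() {
    echo $((PASV_LAST - PASV_FIRST + 1))
}

ftp_passive_rules
```

Run it as `sh thisfile.sh | sh` on the firewall only after reading the output; the rule on port 21 and the data-range rule are the only two places an outside SYN is accepted.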
