Date:      Tue, 10 Dec 2002 13:40:43 -0500
From:      "Peter Brezny" <peter@skyrunner.net>
To:        "Vincent Jardin" <vjardin@wanadoo.fr>, "Barney Wolff" <barney@tp.databus.com>
Cc:        "Orville R. Weyrich_Jr" <orville@ameriroots.com>, <freebsd-net@FreeBSD.ORG>
Subject:   RE: passive mode ftp server, need stateful ipfw rule.
Message-ID:  <NEBBIGLHNDFEJMMIEGOOIELHFEAA.peter@skyrunner.net>
In-Reply-To: <200212100831.45848.vjardin@wanadoo.fr>

I like the pragmatic solution idea,

How do you adjust the range of random TCP ports chosen if you are using the
stock ftpd that comes with FreeBSD?

Of course I'd like to be able to move to sftp or scp or https, but as an ISP
with web hosting, the support overhead for all the designers to learn how to
do it would be a bit overwhelming.

What about the -punch_fw option in natd?  Has anyone used that before?

from man natd:
     -punch_fw basenumber:count
                 This option directs natd to ``punch holes'' in an
                 ipfirewall(4) based firewall for FTP/IRC DCC connections.
                 This is done dynamically by installing temporary firewall
                 rules which allow a particular connection (and only that
                 connection) to go through the firewall.  The rules are removed
                 once the corresponding connection terminates.

Thanks again.


Peter Brezny
Skyrunner.net

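As an added example (my own, not code from this thread, from the FreeBSD sources or from natd), here is the "narrow the passive port range and allow setup to that range" approach written out as an ipfw ruleset in a POSIX shell script. It assumes FreeBSD ipfw syntax (check-state, keep-state, setup, me) and that the stock ftpd takes its PASV data ports from the kernel's high port range, net.inet.ip.portrange.hifirst..hilast (the -U flag in ftpd(8) reverts to the old 1024-4999 range). The 50000-50099 range and the rule numbers are assumed values; IPFW and SYSCTL can be overridden with echo to dry-run the script before applying it.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): ipfw ruleset for a
# passive-mode ftpd that narrows the passive port range and uses stateful
# rules instead of a blanket "allow ... established".
#
# Assumptions: FreeBSD ipfw syntax, and that the stock ftpd draws its PASV
# data ports from net.inet.ip.portrange.hifirst..hilast.  Port numbers and
# rule numbers are illustrative.  IPFW/SYSCTL are overridable so the
# ruleset can be dry-run with IPFW=echo SYSCTL=echo before it is applied.

IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}
PASV_FIRST=${PASV_FIRST:-50000}   # assumed narrow passive range
PASV_LAST=${PASV_LAST:-50099}

# check_range FIRST LAST: the range must be unprivileged, within 16 bits
# and ordered; returns non-zero otherwise so a typo cannot open 1-65535.
check_range() {
    [ "$1" -gt 1023 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Pin the high port range so ftpd's PASV replies only ever name ports the
# data-channel rule below lets through.
set_pasv_range() {
    check_range "$PASV_FIRST" "$PASV_LAST" || {
        echo "bad passive range $PASV_FIRST-$PASV_LAST" >&2
        return 1
    }
    $SYSCTL net.inet.ip.portrange.hifirst="$PASV_FIRST"
    $SYSCTL net.inet.ip.portrange.hilast="$PASV_LAST"
}

# Emit the ruleset.  Only SYN packets (setup) can create state; every later
# packet of a tracked connection is accepted by check-state, and stray
# ACK-only packets hit the "deny ... established" rule from the ipfw(8)
# DYNAMIC RULES section instead of an "allow ... established" hole.
build_ruleset() {
    $IPFW -f flush
    $IPFW add 100 check-state
    # control channel
    $IPFW add 200 allow tcp from any to me 21 setup keep-state
    # passive data channel: clients connect into the narrow range
    $IPFW add 300 allow tcp from any to me "${PASV_FIRST}-${PASV_LAST}" setup keep-state
    # active-mode data channel: ftpd connects out from port 20
    $IPFW add 400 allow tcp from me 20 to any setup keep-state
    # anything with ACK set that matched no dynamic rule is bogus
    $IPFW add 500 deny tcp from any to any established
    # everything else (the box runs only ftpd in this example)
    $IPFW add 65000 deny log ip from any to any
}

# Apply for real only when invoked as "sh ftp-ipfw.sh apply".
if [ "${1:-}" = "apply" ]; then
    set_pasv_range && build_ruleset
fi
```

Two caveats. Rule 300 admits any host to any port in the range while ftpd has a data socket listening there, which is exactly the gap the original question asks about; the -punch_fw option quoted above differs in that natd installs a temporary rule for that one connection only. Also, hifirst/hilast are global sysctls, so every program that asks for the high port range shares the narrowed window, not just ftpd.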

-----Original Message-----
From: Vincent Jardin [mailto:vjardin@wanadoo.fr]
Sent: Tuesday, December 10, 2002 3:32 AM
To: Barney Wolff; Peter Brezny
Cc: Orville R. Weyrich_Jr; freebsd-net@FreeBSD.ORG
Subject: Re: passive mode ftp server, need stateful ipfw rule.


>
> One pragmatic solution is to adjust the range of random tcp ports
> chosen to a fairly narrow one, and then allow the setup from any to
> that port range.
>
> The real answer is to get rid of ftp, and use something better.  For
> replacing anonymous ftp, http works just as well.  scp, sftp or https
> with passwords will do fine for restricting users and ensuring file
> integrity.

Another solution is a daemon that could track the control planes of some
specific applications on a divert socket, such as ftp, h323, ... and then
add a dynamic rule about the new TCP/UDP sessions. It is like natd, however
without the NAT features.

The performance would remain good because this daemon would work only on the
control plane. The data plane would remain within the kernel and if they
match the "dynamic" firewall rules, they are just forwarded or dropped by the
kernel.

It would be a session tracking firewall ;-)

Vincent


>
> On Mon, Dec 09, 2002 at 04:42:11PM -0500, Peter Brezny wrote:
> > Yes but then you run into:
> >    DYNAMIC RULES
> >      In order to protect a site from flood attacks involving fake TCP
> > packets,
> >      it is safer to use dynamic rules:
> >
> >            ipfw add check-state
> >            ipfw add deny tcp from any to any established
> >
> > And also, if you've got an:
> > add allow all from any to any established
> >
> > aren't you sort of setting yourself up?  Couldn't someone establish a
> > valid connection to a valid port, then have a field day?
> >
> > TIA
> >
> > Peter Brezny
> > Skyrunner.net
> >
> >
> > -----Original Message-----
> > From: Orville R. Weyrich_Jr [mailto:orville@ameriroots.com]
> > Sent: Monday, December 09, 2002 4:55 PM
> > To: Peter Brezny
> > Cc: freebsd-net@FreeBSD.ORG
> > Subject: Re: passive mode ftp server, need stateful ipfw rule.
> >
> >
> > Isn't that what ESTABLISHED is used for?
> >
> > On Mon, 9 Dec 2002, Peter Brezny wrote:
> > > Is it possible to create an ipfw ruleset for an ftp server in passive
> > > mode that figures out which random port the ftp server is going to open
> > > to only allow the client that initiated the connection to connect to
> > > that port?
> > >
> > >
> > > Since the client initiates its data connection from a random port to
> > > the new random data port on the passive mode server, I've so far not
> > > been able to come up with decent firewall rules to protect this type of
> > > system.
> > >
> > > TIA,
> > >
> > >
> > > Peter Brezny
> > > Skyrunner.net
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-net" in the body of the message
> >
>
> > ----------------------------------------------------------------------
> > Orville R. Weyrich, Jr PhD.         KD7HJV
> > mailto:orville@weyrich.com
> > ----------------------------------------------------------------------
> >
> >
> >







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NEBBIGLHNDFEJMMIEGOOIELHFEAA.peter>