Hello!

I tried to use the ftp-proxy but had some problems with active/passive mode. I want to use active mode for the clients to ftp to the proxy. In the netfilter log I found this:

Mar 24 09:34:25 cherry kernel: verw. TCP Paket IN= OUT=ppp0 SRC=82.139.196.116 DST=212.202.67.186 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=42628 DF PROTO=TCP SPT=3806 DPT=32896 WINDOW=5664 RES=0x00 SYN URGP=0

It seems passive mode is used. So I had to explicitly open all high ports on the firewall:

iptables -A OUTPUT -p TCP --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Is there a way to force active mode with the ftp-proxy?

Thanks in advance!

--
Andreas Meyer
On Wednesday, 24 March 2004 10:32, Andreas Meyer wrote:
Hello!

Hi Andreas,
I tried to use the ftp-proxy but had some problems with active/passive mode. I want to use active mode for the clients to ftp to the proxy.

From the client to the proxy you can change this in your client ftp program; see the PASV command. From the proxy to the server you don't want to use active ftp. See below.
In the netfilter log I found this:

Mar 24 09:34:25 cherry kernel: verw. TCP Paket IN= OUT=ppp0 SRC=82.139.196.116 DST=212.202.67.186 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=42628 DF PROTO=TCP SPT=3806 DPT=32896 WINDOW=5664 RES=0x00 SYN URGP=0

It seems passive mode is used.
It looks like this is the proxy-to-server communication, right?
So I had to explicitly open all high ports on the firewall:

iptables -A OUTPUT -p TCP --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Is there a way to force active mode with the ftp-proxy?
Right, you have to open the ports for outgoing. In active mode you would have to open the ports > 1023 for incoming. Believe me, you don't want this: your firewall would then pass all incoming connections. This is a big hole in your security.

For understanding ftp: a command socket is opened

client (> 1023) -------> (21) Server

If files or listings are transferred:

In Passive (most default mode)
client (> 1023) <------- (20 or > 1023) Server

In passive mode
client (> 1023) -------> (> 1023) Server

So here the direction of the socket is equal to that of the command channel.
Thanks in advance!
Hope this helps,
Dirk
* Dirk Roloff;
Right, you have to open the ports for outgoing. In active mode you would have to open the ports > 1023 for incoming. Believe me, you don't want this: your firewall would then pass all incoming connections. This is a big hole in your security.
You can define the port range for both active and passive connections, so you only allow these ranges for your ftp services:

#
# The following entries select a port range for client DTP
# ports in passive mode, i.e. when the client sends a PASV.
# If no port range is given, no bind is performed, in which
# case the proxy lets the machine select an ephemeral port.
#
# PassiveMinDataPort 41000
# PassiveMaxDataPort 41999

Maybe this could help.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
Hi!
Dirk Roloff wrote:
I tried to use the ftp-proxy but had some problems with active/passive mode. I want to use active mode for the clients to ftp to the proxy.

From the client to the proxy you can change this in your client ftp program; see the PASV command. From the proxy to the server you don't want to use active ftp. See below.

From the client to the proxy I am using active ftp. Also I configured ftp-proxy to use the same method for connecting to the server as the client (the default).

The server sits in a private LAN and outgoing traffic is masqueraded.
In the netfilter log I found this:

Mar 24 09:34:25 cherry kernel: verw. TCP Paket IN= OUT=ppp0 SRC=82.139.196.116 DST=212.202.67.186 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=42628 DF PROTO=TCP SPT=3806 DPT=32896 WINDOW=5664 RES=0x00 SYN URGP=0

It seems passive mode is used.

It looks like this is the proxy-to-server communication, right?

This is the communication from the firewall running the ftp-proxy after the remote client initiated a control connection to the ftp-proxy.

82.139.196.116 = firewall
212.202.67.186 = remote client (dynamic)

I really don't understand why high ports are used.
So I had to explicitly open all high ports on the firewall:

iptables -A OUTPUT -p TCP --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Is there a way to force active mode with the ftp-proxy?

Right, you have to open the ports for outgoing. In active mode you would have to open the ports > 1023 for incoming. Believe me, you don't want this: your firewall would then pass all incoming connections. This is a big hole in your security.

I thought if I want the client to use active mode, the client opens a control connection to port 21 and then the server opens a data connection from port 20 to a high port of the client. Am I wrong? So in my case I thought the server would contact the ftp-proxy from port 20 to a high port of the ftp-proxy .... and then? Hm, and the ftp-proxy connects from a high port to the client on a high port?
For understanding ftp: a command socket is opened

client (> 1023) -------> (21) Server

If files or listings are transferred:

In Passive (most default mode)
client (> 1023) <------- (20 or > 1023) Server

In passive mode
client (> 1023) -------> (> 1023) Server

So here the direction of the socket is equal to that of the command channel.

Hm, I wonder what ports are used in this scenario:

client(dynamic-remote) -> ftp-proxy(firewall) -> Server(LAN)

and then

Server(LAN) -> ftp-proxy(firewall) -> client

I don't want to use passive mode because I thought I had to open all related high ports. I thought active mode was a good idea because I can control the data connection.

--
Andreas Meyer
On Wednesday, 24 March 2004 17:51, Andreas Meyer wrote:

Hi!

Hi Andreas,

OK, I misunderstood you: you will use the proxy exactly the other way we do. So you want to use it for incoming ftp sessions.

First you can use:

# Specify the FTP transfer mode to be used from the proxy to
# the server. TransferMode can be active, passive, or client.
# The default is "client" which means to use the same as the
# client.
#
DestinationTransferMode active

Maybe this is the point you are looking for:

# The following entries select a port range for client DTP
# ports in active mode, i.e. when the client sends a PORT
# command. The default is port 20 as per RFC 959.
#
ActiveMinDataPort 40000
ActiveMaxDataPort 40999

But be careful: port 20 is a root-privileged port. I am not sure if it is handled if the proxy is running under non-root, e.g. in inetd mode. Which are you using? What do you use in the config? This is also the reason why some servers don't use port 20 for data connections but ports > 1023. So it's right that you had to open some or all ports > 1023 for outgoing on ippp0.

I highly recommend using ipt_ftp (I think this was the name) for stateful inspection of ftp. So the firewall will have a look into the ftp protocol looking for a PORT command and open only this port for the data connection.

If you have other servers in your private LAN you would like to protect, think about a DMZ. Just put another network card in your "firewall". Put servers that communicate with the internet in there. I wouldn't allow an incoming socket connection into the private LAN.

private lan ----|firewall|-----{internet}
                    |
                    |
            DMZ with ftp, http server

or

private lan ----| inner wall | ----- DMZ with servers ----- |outer wall| ---- {internet}

Just keep in mind that a server that has contact could be hacked. A second wall to protect other systems may be helpful. OK, for private use this might be overdressed :-) But I think this is not the right list for this discussion :-)
Dirk Roloff wrote:

I tried to use the ftp-proxy but had some problems with active/passive mode. I want to use active mode for the clients to ftp to the proxy.

From the client to the proxy you can change this in your client ftp program; see the PASV command. From the proxy to the server you don't want to use active ftp. See below.

From the client to the proxy I am using active ftp. Also I configured ftp-proxy to use the same method for connecting to the server as the client (the default).

Use active here too!!! You don't want the proxy to open sockets in your private LAN.

The server sits in a private LAN and outgoing traffic is masqueraded.
In the netfilter log I found this:

Mar 24 09:34:25 cherry kernel: verw. TCP Paket IN= OUT=ppp0 SRC=82.139.196.116 DST=212.202.67.186 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=42628 DF PROTO=TCP SPT=3806 DPT=32896 WINDOW=5664 RES=0x00 SYN URGP=0

It seems passive mode is used.

It looks like this is the proxy-to-server communication, right?

Yes, looks like a data connection from proxy to client.

This is the communication from the firewall running the ftp-proxy after the remote client initiated a control connection to the ftp-proxy.

82.139.196.116 = firewall
212.202.67.186 = remote client (dynamic)

I really don't understand why high ports are used.

Just keep in mind that a LIST also opens a data connection. The client side port > 1023 is clear. The proxy uses it if non-root or configured.
Right, you have to open the ports for outgoing. In active mode you would have to open the ports > 1023 for incoming. Believe me, you don't want this: your firewall would then pass all incoming connections. This is a big hole in your security.

I thought if I want the client to use active mode, the client opens a control connection to port 21 and then the server opens a data connection from port 20 to a high port of the client. Am I wrong?

No, you are right; this is what RFC 959 is talking about. But again, port 20 is only for root, and you aren't running it under root, are you?

So in my case I thought the server would contact the ftp-proxy from port 20 to a high port of the ftp-proxy .... and then?

This could be right and maybe not ... because the ftp server has the same problem with port 20. Normally after login the server is running in user context ... so no port 20 :-)

Hm, and the ftp-proxy connects from a high port to the client on a high port?

Should be clear now?
For understanding ftp: a command socket is opened

client (> 1023) -------> (21) Server

If files or listings are transferred:

In Passive (most default mode)
   ^^^^^^^ active I mean - sorry ..
client (> 1023) <------- (20 or > 1023) Server

In passive mode
client (> 1023) -------> (> 1023) Server

So here the direction of the socket is equal to that of the command channel.

Hm, I wonder what ports are used in this scenario:

client(dynamic-remote) -> ftp-proxy(firewall) -> Server(LAN)

client( > 1023 ) to proxy( 21 ) and proxy( > 1023 ) to Server( 21 )

and then Server(LAN) -> ftp-proxy(firewall) -> client

Data connection, active: Server( > 1023 ) to proxy( > 1023 ) and proxy( > 1023 ) to client( > 1023 )

I don't want to use passive mode because I thought I had to open all related high ports. I thought active mode was a good idea because I can control the data connection.

You are right to use active; passive is just useful for the other way, if you want to use the proxy to go out of your private LAN.

Hope this helps. If there are any more questions, send your config please.

Dirk
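The stateful inspection Dirk recommends, as an added example in Python (not ftp-proxy's or netfilter's own code): a small model of the FTP connection-tracking helper on the leg between the remote client and the ftp-proxy, where the proxy plays the server role. It watches the control channel for PORT commands and 227 replies, rejects a PORT that names anyone other than the control-channel peer (the classic FTP bounce), records the data connection each announcement implies, and then classifies a later SYN as RELATED or NEW. The 5-tuple it judges is parsed from the exact log line Andreas quoted; the control-channel lines and the bad PORT commands are constructed for the example. The source-port check in firewall_verdict models the ActiveMinDataPort/ActiveMaxDataPort range applied as an iptables rule; it is a policy choice layered on top of the helper, not something the helper itself enforces.

```python
# Added example, not ftp-proxy or netfilter code: a model of what the netfilter
# FTP helper does on one leg (remote client <-> ftp-proxy, proxy in the server
# role), plus the port-range rule that Andreas ended up with.
import re

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
PORT_RE = re.compile(r"^PORT\s+(\S+)\s*$", re.IGNORECASE)      # client -> server
PASV_REPLY_RE = re.compile(r"^227\s.*?\(([^)]+)\)")             # server -> client
NFLOG_RE = re.compile(r"(?:^|\s)(SRC|DST|SPT|DPT)=(\S*)")       # iptables LOG tokens

FIREWALL = "82.139.196.116"   # ftp-proxy host, as named in the thread
CLIENT = "212.202.67.186"     # remote client, as named in the thread

# The one real input: the SYN Andreas quoted from his netfilter log.
NF_LOG_LINE = ("Mar 24 09:34:25 cherry kernel: verw. TCP Paket IN= OUT=ppp0 "
               "SRC=82.139.196.116 DST=212.202.67.186 LEN=60 TOS=0x08 PREC=0x00 "
               "TTL=64 ID=42628 DF PROTO=TCP SPT=3806 DPT=32896 WINDOW=5664 "
               "RES=0x00 SYN URGP=0")

# Constructed control-channel exchange that produces that SYN: the client
# announces its own high port (128*256 + 128 = 32896) and asks for a listing.
CONTROL_EXCHANGE = [
    ("c2s", "USER anonymous"),
    ("s2c", "230 Login successful."),
    ("c2s", "PORT 212,202,67,186,128,128"),
    ("s2c", "200 PORT command successful."),
    ("c2s", "LIST"),
]

def decode_hostport(text):
    """'212,202,67,186,128,128' -> ('212.202.67.186', 32896); None if malformed."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_netfilter_log(line):
    """Pull src/sport/dst/dport out of a kernel LOG-target line."""
    f = dict(NFLOG_RE.findall(line))
    return {"src": f["SRC"], "sport": int(f["SPT"]), "dst": f["DST"], "dport": int(f["DPT"])}

class FtpHelper:
    """Watches one control channel and records the data connections it announces."""

    def __init__(self, client, server):
        self.client = client      # side that opened the control channel
        self.server = server      # side listening on port 21 (here the ftp-proxy)
        self.expected = []        # (initiator, target, target_port, mode)

    def observe(self, direction, line):
        """direction is 'c2s' (client -> server) or 's2c'. Returns what was done."""
        if direction == "c2s":    # PORT: the server will connect to the client
            m, owner, initiator, mode = PORT_RE.match(line), self.client, self.server, "active"
        else:                     # 227: the client will connect to the server
            m, owner, initiator, mode = PASV_REPLY_RE.match(line), self.server, self.client, "passive"
        if not m:
            return "ignored"
        hp = decode_hostport(m.group(1))
        if hp is None:
            return "rejected-malformed"
        host, port = hp
        if host != owner:         # FTP bounce: the address must be the speaker's own
            return "rejected-bounce"
        if port < 1024:
            return "rejected-lowport"
        self.expected.append((initiator, owner, port, mode))
        return "expect-added"

    def classify(self, pkt):
        """('RELATED', mode) if the SYN matches a pending expectation, else ('NEW', None)."""
        for exp in self.expected:
            initiator, target, port, mode = exp
            if (pkt["src"], pkt["dst"], pkt["dport"]) == (initiator, target, port):
                self.expected.remove(exp)   # one expectation, one data connection
                return "RELATED", mode
        return "NEW", None

def firewall_verdict(helper, pkt, active_range):
    """Accept only helper-RELATED data connections; an active one opened by our
    side must also come from ActiveMinDataPort..ActiveMaxDataPort."""
    state, mode = helper.classify(pkt)
    if state != "RELATED":
        return "DROP"
    lo, hi = active_range
    if mode == "active" and not lo <= pkt["sport"] <= hi:
        return "DROP"
    return "ACCEPT"

def run_scenario(active_range):
    """Replay the exchange, then judge the logged SYN under the given range."""
    helper = FtpHelper(client=CLIENT, server=FIREWALL)
    for direction, line in CONTROL_EXCHANGE:
        helper.observe(direction, line)
    return firewall_verdict(helper, parse_netfilter_log(NF_LOG_LINE), active_range)

if __name__ == "__main__":
    # The proxy ran as nobody with no range configured, so its source port was 3806.
    print("any high source port allowed:", run_scenario((1024, 65535)))
    print("rule limited to 40000-40999: ", run_scenario((40000, 40999)))
```

Running it shows both halves of the fix in the thread: the logged SYN is RELATED (the client announced port 32896 itself), so a state-matching rule lets it through without opening every high port, and a rule restricted to 40000-40999 drops it as long as the proxy still picks an ephemeral source port, which is why ActiveMinDataPort/ActiveMaxDataPort and the iptables range have to agree.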
Hi!
Dirk Roloff wrote:

OK, I misunderstood you: you will use the proxy exactly the other way we do. So you want to use it for incoming ftp sessions.

First you can use:

# Specify the FTP transfer mode to be used from the proxy to
# the server. TransferMode can be active, passive, or client.
# The default is "client" which means to use the same as the
# client.
#
DestinationTransferMode active

Did that.
Maybe this is the point you are looking for:

# The following entries select a port range for client DTP
# ports in active mode, i.e. when the client sends a PORT
# command. The default is port 20 as per RFC 959.
#
ActiveMinDataPort 40000
ActiveMaxDataPort 40999

Alright, restricted this range to a few numbers, and also for established connections in netfilter, and it seems to work!

But be careful: port 20 is a root-privileged port. I am not sure if it is handled if the proxy is running under non-root, e.g. in inetd mode. Which are you using? What do you use in the config?

The proxy is running as user nobody and group nogroup, standalone. I didn't know that it must run as root to use port 20. If I get the time I'll do some more tests.

This is also the reason why some servers don't use port 20 for data connections but ports > 1023. So it's right that you had to open some or all ports > 1023 for outgoing on ippp0.

I thought in active mode the proxy uses port 20 too.

I highly recommend using ipt_ftp (I think this was the name) for stateful inspection of ftp. So the firewall will have a look into the ftp protocol looking for a PORT command and open only this port for the data connection.

ipt_LOG             3376   3  (autoclean)
ipt_MASQUERADE      1392   1  (autoclean)
ipt_state            640  57  (autoclean)
iptable_filter      1792   1  (autoclean)
ip_conntrack_ftp    3824   1  (autoclean)
ip_nat_ftp          2944   0  (unused)
iptable_nat        15920   2  [ipt_MASQUERADE ip_nat_ftp]
ip_tables          11072   8  [iptable_mangle ipt_LOG ipt_MASQUERADE ipt_state iptable_filter iptable_nat]
ip_conntrack       17952   3  [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]

I don't know why ip_nat_ftp is unused.
If you have other servers in your private LAN you would like to protect, think about a DMZ. Just put another network card in your "firewall". Put servers that communicate with the internet in there. I wouldn't allow an incoming socket connection into the private LAN.

private lan ----|firewall|-----{internet}
                    |
                    |
            DMZ with ftp, http server

or

private lan ----| inner wall | ----- DMZ with servers ----- |outer wall| ---- {internet}

Yes, the servers are in a DMZ, like you describe it above. Iptables can be very difficult to understand and set up ...

Just keep in mind that a server that has contact could be hacked. A second wall to protect other systems may be helpful. OK, for private use this might be overdressed :-) But I think this is not the right list for this discussion :-)

Thank you for your patience! You helped a lot!

--
Andreas Meyer
participants (3)
- Andreas Meyer
- Dirk Roloff
- Togan Muftuoglu