Hi list,

I'm currently wondering about the problem of firewalling FTP traffic. I thought I knew how an FTP transfer works, so I created the following ipchains rules to enable FTP connections from inside to outside:

    # control channel: non-SYN replies from the server's port 21 to an unprivileged local port
    ipchains -A input -p TCP -s 0.0.0.0/0 21 -d <MyServerIP> ! 0:1023 ! -y -i eth1 -j ACCEPT
    # active-mode data channel: the server connects from port 20 to an unprivileged local port
    ipchains -A input -p TCP -s 0.0.0.0/0 20 -d <MyServerIP> ! 0:1023 -i eth1 -j ACCEPT

That worked properly until I recognized that some FTP connections use only ports above 1023 as source and destination in both directions, for control as well as data. As these seem to be random ports, the only way I saw to enable FTP through my firewall was to add the following rule:

    # any non-SYN packet between two unprivileged ports
    ipchains -A input -p TCP -s 0.0.0.0/0 ! 0:1023 -d <MyServerIP> ! 0:1023 ! -y -i eth1 -j ACCEPT

Because I really don't like that kind of very unspecific rule, my question to you is: is this really the only way to control FTP transfers with an ipchains firewall, and if not, what is the more secure alternative?

Thanks in advance, best regards, and sorry for my poor English,

Matthias Lenhardt

-- 
<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>
Matthias Lenhardt - Software Ingenieur
mail: mlenhardt@inonet.com
InoNet Computer GmbH
http://www.inonet.com/
Computers are like air conditioners: They stop working properly if you open windows.
<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>
FTP is a total pain in the arse to firewall, since there are incoming connections from the server, etc. Things that will help:

- Use an FTP proxy such as squid on the gateway server.
- Read Kurt's Closet on November 1 (sorry, you'll have to wait =), as I discuss some problems/features/solutions for this type of thing in Linux.
- Upgrade to 2.4, which has a stateful packet filter.

Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
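The reason Matthias ends up with a catch-all high-port rule is that FTP announces the data-connection endpoint inside the control channel: a client PORT command (active mode) names the client port the server must connect to from port 20, and a server 227 reply to PASV (passive mode) names the server port the client must connect to. A static filter cannot see that, so it has to open every unprivileged port; the stateful filter Kurt points at (2.4 with iptables and the ip_conntrack_ftp helper) reads the announcement and opens exactly one expected connection. The example below, added here and not part of either post, models that helper in user space: it parses constructed PORT and 227 lines, applies the sanity checks a strict helper applies (the announced host must be the peer we are talking to, the port must be unprivileged) and renders the single narrow ipchains rule each announcement justifies. The addresses, port numbers and sample lines are assumptions for illustration; the firewall is the FTP client, as in the original post.

```python
import re
from typing import Dict, Optional, Tuple

# Both FTP data-connection announcements carry the endpoint as
# h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from a PORT argument or a 227 reply; None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def expected_data_connection(client_ip: str, server_ip: str,
                             line: str, from_server: bool) -> Optional[Dict]:
    """Return the data connection announced by one control-channel line, or None.

    from_server=True  -> line is a server reply (we look for a 227 Passive Mode reply)
    from_server=False -> line is a client command (we look for PORT)
    Sanity checks are an assumed policy modelled on a strict conntrack FTP helper:
    the announced host must be the peer itself and the port must be unprivileged.
    """
    line = line.strip()
    if from_server:
        if not line.startswith("227"):
            return None
        hp = parse_hostport(line)
        if hp is None:
            return None
        host, port = hp
        if host != server_ip or port < 1024:
            return None
        # Passive: the client opens the data connection to server:port.
        return {"mode": "passive", "src": client_ip, "sport": None,
                "dst": host, "dport": port}
    if not line.upper().startswith("PORT "):
        return None
    hp = parse_hostport(line[5:])
    if hp is None:
        return None
    host, port = hp
    if host != client_ip or port < 1024:
        return None
    # Active: the server connects from port 20 to client:port.
    return {"mode": "active", "src": server_ip, "sport": 20,
            "dst": host, "dport": port}


def ipchains_rule(conn: Dict, iface: str = "eth1") -> str:
    """Render the one narrow ipchains input rule this data connection needs on
    the firewall's outside interface (the firewall itself is the FTP client)."""
    if conn["mode"] == "passive":
        # Client initiated: only non-SYN replies from server:dport may come in.
        return (f"ipchains -A input -p TCP -s {conn['dst']} {conn['dport']} "
                f"-d {conn['src']} 1024:65535 ! -y -i {iface} -j ACCEPT")
    # Active: the server's SYN from port 20 to exactly client:dport is expected.
    return (f"ipchains -A input -p TCP -s {conn['src']} {conn['sport']} "
            f"-d {conn['dst']} {conn['dport']} -i {iface} -j ACCEPT")


# Constructed sample control-channel lines and addresses (assumed, not a real capture).
CLIENT_IP = "192.0.2.10"    # the firewall acting as FTP client (<MyServerIP> in the post)
SERVER_IP = "198.51.100.7"  # remote FTP server
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,149)"   # port 50069
SAMPLE_PORT_CMD = "PORT 192,0,2,10,4,1"                                 # port 1025
SAMPLE_BOGUS_PASV = "227 Entering Passive Mode (10,0,0,1,195,149)"       # wrong host

if __name__ == "__main__":
    for ctl_line, from_srv in ((SAMPLE_PASV_REPLY, True),
                               (SAMPLE_PORT_CMD, False),
                               (SAMPLE_BOGUS_PASV, True)):
        conn = expected_data_connection(CLIENT_IP, SERVER_IP, ctl_line, from_srv)
        print(ctl_line, "->", ipchains_rule(conn) if conn else "rejected")
```

The two rendered rules are what ipchains cannot produce on its own, because it has no view of the control channel. On a 2.4 kernel the equivalent is to load ip_conntrack_ftp and accept `-m state --state ESTABLISHED,RELATED` traffic, which admits the data connection only after the helper has seen the matching PORT or 227 line; the host check above matters there too, since a server that announces a third party's address in its 227 reply would otherwise get the firewall to open a hole toward that address.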