Hi Martin, nice that you're back again. Happy New Year to all list members.
99% of all FTP traffic nowadays is passive, so the data transfer happens from port 21 of the server to port x {x | x >= 1024} of the client. Our firewall is implemented with ipchains (subject to change sometime), so it's stateless. Blocking all ports above 1024 disables not only FTP but a lot of services, such as SSH, that make use of ports 1024+ for the client connection.
Philip Snizek suggested closing ports 5000 and up, leaving only some 4000 ports for this usage, but that solution is not what I am looking for because it still leaves 4000 ports open for an attack, and, what is more important in this situation, it is very possible that some client program tries to establish a connection to a server with the backward connect (server -> client) being something like x -> 5021. In that case the connect will mysteriously fail (I DENY packets rather than REJECT them).
# POLICIES
ipchains -P forward DENY

# PROXY RULE WWW, FTP, SSL
# LAN -> squid on 8008
ipchains -A input -p tcp -s 10.0.0.0/24 1024:5000 -d 10.0.0.191/32 8008 -i eth1 -j ACCEPT
# replies from internet web/ssl servers to the proxy's client ports
ipchains -A input -p tcp -s ! 10.0.0.0/24 443 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 80 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s 212.232.168.180/32 1024: -d 212.232.168.183/32 113 -i eth0 -j ACCEPT
# Don't worry guys, there is no auth server running on 212.232.168.183, it's there because of sendmail.
# I still didn't find a suitable solution to make it faster although I'm sure there is one.
# ftp control/data replies and passive ftp data connections to the proxy
ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
# squid -> LAN
ipchains -A output -p tcp -s 10.0.0.191/32 8008 -d 10.0.0.0/24 1024:5000 -i eth1 -j ACCEPT

# DENIALs
ipchains -A input -i eth1 -j DENY -l
ipchains -A output -i eth1 -j DENY -l
ipchains -A input -i eth0 -j DENY -l

You all may call me nuts for posting some of the chains of my inner sanctum to the list, but here again is how I solved FTP PASV access. Please don't forget that I run Squid in PASV mode, so I can completely deny the forward rule for WWW, SSL and passive FTP. Important for your questions are these chains, found in the "# PROXY RULE WWW, FTP, SSL" section. These chains define input from the Internet to my proxy.

ipchains -A input -p tcp -s ! 10.0.0.0/24 20:21 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT

This rule allows standard FTP, as defined in some RFC I don't remember anymore, to access my proxy on ports 1024:5000. I would reduce it even more if I knew how far down I could set it without endangering my FTP life.

ipchains -A input -p tcp -s ! 10.0.0.0/24 1024: -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT

This rule defines all the stuff that deals with FTP from 1024:.
I have only one machine making requests, and this is the proxy itself. All other boxes (the internal network is a total of 3 PCs) access WWW, FTP and SSL through port 8008, as you might see above. I can't tell you how this behaves if I had 100 PCs in the internal net, or whether Squid would use 1024: ports to satisfy all requests at once. Maybe it's better we ask somebody who is more experienced than me. CUL Philipp
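As an added illustration (not code from either poster), the input chain Philipp posted above can be walked first-match in a few lines to see why a stateless filter with a 1024:5000 window lets one passive FTP data connection through and makes the 5021 case from the first message fail silently. The 227 reply, the server address and the client ports below are constructed; SYN-flag handling (ipchains -y) is not modelled.

```python
import ipaddress
import re

# Philipp's input chain, transcribed from the message above as
# (src_net, negate_src, src_ports, dst_net, dst_ports, iface, target).
# Port ranges are (lo, hi); None means any port.
RULES = [
    ("10.0.0.0/24", False, (1024, 5000), "10.0.0.191/32", (8008, 8008), "eth1", "ACCEPT"),
    ("10.0.0.0/24", True, (443, 443), "212.232.168.183/32", (1024, 5000), "eth0", "ACCEPT"),
    ("10.0.0.0/24", True, (80, 80), "212.232.168.183/32", (1024, 5000), "eth0", "ACCEPT"),
    ("212.232.168.180/32", False, (1024, 65535), "212.232.168.183/32", (113, 113), "eth0", "ACCEPT"),
    ("10.0.0.0/24", True, (20, 21), "212.232.168.183/32", (1024, 5000), "eth0", "ACCEPT"),
    ("10.0.0.0/24", True, (1024, 65535), "212.232.168.183/32", (1024, 5000), "eth0", "ACCEPT"),
    ("0.0.0.0/0", False, None, "0.0.0.0/0", None, "eth1", "DENY"),
    ("0.0.0.0/0", False, None, "0.0.0.0/0", None, "eth0", "DENY"),
]


def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def verdict(src, sport, dst, dport, iface):
    """First-match walk of the input chain for one inbound TCP packet."""
    for src_net, neg, sports, dst_net, dports, rif, target in RULES:
        src_ok = (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)) != neg
        if (src_ok and _in_range(sport, sports)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
                and _in_range(dport, dports) and iface == rif):
            return target
    return "DENY"  # assumed default policy for the input chain (not shown in the mail)


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_endpoint(reply):
    """Decode a 227 PASV reply into the (ip, port) the client will connect to."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def data_reply_allowed(pasv_reply, client_port, proxy_ip="212.232.168.183"):
    """Does the server's answer on the data connection get through eth0's input chain?"""
    server_ip, server_port = pasv_endpoint(pasv_reply)
    return verdict(server_ip, server_port, proxy_ip, client_port, "eth0") == "ACCEPT"
```

A client source port of 4000 is accepted by the 1024: rule, while 5021 falls outside 1024:5000 and hits the logged DENY, which is exactly the silent failure described in the first message.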