RE: Re[2]: [suse-security] SuSEfirewall2 and Active ftp
The problem with FTP is that at some point during the communication, FTP client and FTP server "agree" on using a different port than 21 and 20 TCP. If you use a sniffer you would see that the FTP client sends packets on destination port 21 with source port > 1024. When the transfer starts, the FTP client sends a port request on which port to use for the transfer. In most cases this is source port + 1. With the sniffer, at some point you will see (provided you use normal FTP and not passive) something like this: "PORT 12,34,56,78,65,43". This means the client will listen on IP address 12.34.56.78 on port 16683 for the data channel. (NOTE: the port is the 65,43 pair and is calculated like this: (65x256)+43=16683.)

Without masquerading, and allowed FTP, I only got this working by additionally opening ports 1024-65535. Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open incoming high ports. Unfortunately, this parameter does not seem to work if you do not masquerade, so you need to add a forwarding rule which permits high ports from the outside world. This again leaves those ports always open, not only when FTP sessions need them.

With masquerading, this worked fine:

FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

Cheers
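The PORT decoding described above, as an added example that is not part of the thread or of SuSEfirewall2: it parses the "h1,h2,h3,h4,p1,p2" form (and, going beyond the mail, the server's 227 passive-mode reply) and derives the data connection a stateful firewall has to expect. The host addresses 10.1.1.1 and 192.168.0.1 are taken from the rule listing later in the thread; the sanity check against a third-party address is this example's own design.

```python
import re

# Six decimal octets as used by the FTP "PORT h1,h2,h3,h4,p1,p2" command
# (RFC 959) and by the server's "227 Entering Passive Mode (h1,...,p2)" reply.
_SIX_OCTETS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Return (ip, port) announced in a PORT command or a 227 PASV reply.

    The port travels as two bytes, port = p1 * 256 + p2, so the "65,43"
    pair from the thread is 65 * 256 + 43 = 16683.  Anything that is not
    six octets in 0..255 raises ValueError rather than being guessed at.
    """
    m = _SIX_OCTETS.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 sequence in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def expected_data_connection(line, server_ip, client_ip):
    """Describe the data connection a stateful firewall has to expect.

    Active FTP (client sent PORT): the server connects from port 20 to the
    address/port the client announced.  Passive FTP (server sent 227): the
    client connects from an ephemeral port (None here) to the server.
    Returns (src_ip, src_port, dst_ip, dst_port).
    """
    ip, port = decode_host_port(line)
    if line.upper().startswith("PORT"):
        # Conservative check: refuse to expect a connection to a third host,
        # so a PORT line cannot be used to open the firewall for someone else.
        if ip != client_ip:
            raise ValueError("PORT names %s but control connection is from %s" % (ip, client_ip))
        return (server_ip, 20, ip, port)
    if line.startswith("227"):
        return (client_ip, None, ip, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)


if __name__ == "__main__":
    # Constructed input: the PORT line from the mail above, then the hosts from
    # Andre's rule listing (client 10.1.1.1, ftp-server 192.168.0.1).
    print(decode_host_port("PORT 12,34,56,78,65,43"))
    print(expected_data_connection("PORT 10,1,1,1,65,43", "192.168.0.1", "10.1.1.1"))
```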
Hello Knut,

ok, but the data transfer from the ftp-server does originate from port 20. So why can't I just tell the firewall to accept packets from the ftp-server which originate at port 20 and are targeted to my client? After reading a bit through the SuSEfirewall2 script I found that such a rule is indeed inserted (from "# SuSEfirewall2 status", assuming the client has 10.1.1.1 and the ftp-server 192.168.0.1):

0 0 ACCEPT tcp -- * * 10.1.1.1 192.168.0.1 state NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02

Now if I insert a similar rule just without the flags:... part:

0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20

Then it works. What is this flags... thing for?

-- 
Best regards,
André
mailto:Andre.Saenger@gmx.de
* Knut Erik Hauslo wrote on Thu, Jul 17, 2003 at 10:48 +0200:
> Without masquerading, and allowed FTP, I only got this working by additionally opening ports 1024-65535.
Which of course opens all high ports for any attacker. Using port 20 (or 53) as source in attacks is quite common.
> Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open incoming high ports. Unfortunately, this parameter does not seem to work if you do not masquerade, so you need to add a forwarding rule which permits high ports from the outside world. This again leaves those ports always open, not only when FTP sessions need them.
> With masquerading, this worked fine:
> FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
> FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick. Active FTP through masq requires something like ip_masq_ftp or however it is called these days (ip_conntrack?), doesn't it?

oki,
Steffen

-- 
This letter was generated by machine and therefore bears neither signature nor seal.
On Fri, Jul 18, 2003 at 01:08:49AM +0200, Steffen Dettmer wrote:
> I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick.
It does (if ip_conntrack_ftp is loaded).

Active FTP may go beyond the scope of the SuSEfirewall2 tool. It's just an assumption. I never used SuSEfirewall2. Is it an option for you to use iptables without that SuSE tool?

-- 
Stefan Tichy <listuser@pi4tel.de>
Hi,

On Friday 18 July 2003 13:55, Stefan Andreas Tichy wrote:
> On Fri, Jul 18, 2003 at 01:08:49AM +0200, Steffen Dettmer wrote:
> > I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick.
> It does (if ip_conntrack_ftp is loaded).
> Active FTP may go beyond the scope of the SuSEfirewall2 tool. It's just an assumption. I never used SuSEfirewall2. Is it an option for you to use iptables without that SuSE tool?

Why do you not take a look at Shorewall? You can mix iptables commands with simple, easy-to-type rules. You can find it at http://www.shorewall.net/
Ian

-- 
A child of five would understand this. Send someone to fetch a child of five.
Groucho Marx
Hello Ian,

Friday, July 18, 2003, 3:47:30 PM, you wrote:
> > > I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick.
> > It does (if ip_conntrack_ftp is loaded).
It is.
> > Active FTP may go beyond the scope of the SuSEfirewall2 tool. It's just an assumption. I never used SuSEfirewall2. Is it an option for you to use iptables without that SuSE tool?
> Why do you not take a look at Shorewall? You can mix iptables commands with simple, easy-to-type rules. You can find it at http://www.shorewall.net/
I wanted to keep it simple and so use the SuSE-supplied script, which is already working on two other setups (which are not as complex as in this case). Shorewall may be an option, but I'm still curious what this flags thing is for:

Rule created by SuSEfirewall2 which does _not_ work with unmasqueraded active ftp-connections:

0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02

A rule without the "flags:!0x16/0x02" part does the job. Maybe you can point me to some howto on what these flags things are and why they are used by SuSEfirewall2 by default?

-- 
Best regards,
André
mailto:Andre.Saenger@gmx.de
On Thu, Aug 14, 2003 at 03:56:07PM +0200, André Sänger wrote:
> Rule created by SuSEfirewall2 which does _not_ work with unmasqueraded active ftp-connections:
> 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02
> A rule without the "flags:!0x16/0x02" part does the job. Maybe you can point me to some howto on what these flags things are and why they are used by SuSEfirewall2 by default?
You get these flags if there is a rule specification "! --syn" (or the equivalent --tcp-flags as described in iptables(8)). It looks strange to me, because the SYN packet is what has to be treated specially if active ftp should work. Maybe someone mixed it up and inverted the test?

-- 
Stefan Tichy <listuser@pi4tel.de>
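Stefan's reading of the flags clause can be checked by modelling the match bit by bit. This is an added example, not code from the thread or from SuSEfirewall2; it assumes the --tcp-flags semantics from iptables(8), where a packet matches when (flags & mask) == comp and a leading "!" inverts that, with mask 0x16 = SYN|RST|ACK and comp 0x02 = SYN being what "! --syn" prints as.

```python
# TCP flag bits as iptables(8) numbers them for --tcp-flags.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_flags_match(spec):
    """Parse the 'flags:[!]MASK/COMP' text that 'iptables -L' prints.

    Returns (negated, mask, comp).  The rule in the thread prints as
    flags:!0x16/0x02: mask 0x16 = SYN|RST|ACK, comp 0x02 = SYN, negated,
    which is what '! --syn' (= '! --tcp-flags SYN,RST,ACK SYN') becomes.
    """
    body = spec[len("flags:"):] if spec.startswith("flags:") else spec
    negated = body.startswith("!")
    if negated:
        body = body[1:]
    mask_s, comp_s = body.split("/", 1)
    return negated, int(mask_s, 16), int(comp_s, 16)


def flags_match(packet_flags, spec):
    """True if a packet carrying these TCP flag bits satisfies the match:
    the bits selected by the mask must equal comp, inverted if negated."""
    negated, mask, comp = parse_flags_match(spec)
    hit = (packet_flags & mask) == comp
    return (not hit) if negated else hit


def rule_accepts(packet_flags, with_flags_clause=True):
    """Model the server->client rule from the thread (spt:20, state
    RELATED,ESTABLISHED).  The conntrack state is assumed to match already,
    so only the flags clause decides; with_flags_clause=False is Andre's
    variant without it."""
    return flags_match(packet_flags, "flags:!0x16/0x02") if with_flags_clause else True


if __name__ == "__main__":
    # Constructed packets of an active-FTP data connection opened by the
    # server from port 20: the opening SYN is the one the clause rejects.
    for name, bits in (("SYN", SYN), ("SYN/ACK", SYN | ACK),
                       ("ACK", ACK), ("PSH/ACK", PSH | ACK)):
        print("%-8s with clause: %-5s without: %s"
              % (name, rule_accepts(bits), rule_accepts(bits, False)))
```

The clause lets every packet of an already-open connection through but rejects the bare SYN with which the server opens the data connection, which is exactly the packet the RELATED state was meant to admit.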