[opensuse-security] SuSEfirewall2 on an FTP server

Hello,

I have problems setting up SuSEfirewall2 on a server with openSUSE 11.0 and vsftpd running.

The problem is that I didn't find out the correct configuration for FTP - I can log in using an FTP client, but when I try to upload files or request a directory listing, I clash with the firewall :-(

/var/log/firewall reports:

Nov 5 15:18:22 server kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41696 DF PROTO=TCP SPT=56320 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008693000000000020405B401030306)
Nov 5 15:18:26 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24251 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A00086D3900000000020405B401030306)
Nov 5 15:18:29 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24252 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008702700000000020405B401030306)
Nov 5 15:18:35 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24253 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008760300000000020405B401030306)

(SRC is always the FTP client, DST is always the server)

Firewall settings:

grep '^[^#]' /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="any eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl courier-imap courier-imap-ssl postfix vsftpd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="ip_conntrack_ftp"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""

Settings that are dropped in via FW_CONFIGURATIONS_EXT:

# grep '^[^#]' apache2 apache2-ssl courier-imap courier-imap-ssl \
    postfix vsftpd
apache2:TCP="http"
apache2:UDP="http"
apache2:RPC=""
apache2:IP=""
apache2:BROADCAST=""
apache2-ssl:TCP="https"
apache2-ssl:UDP="https"
apache2-ssl:RPC=""
apache2-ssl:IP=""
apache2-ssl:BROADCAST=""
courier-imap:TCP="imap pop3"
courier-imap:UDP=""
courier-imap:RPC=""
courier-imap:IP=""
courier-imap:BROADCAST=""
courier-imap-ssl:TCP="imaps pop3s"
courier-imap-ssl:UDP=""
courier-imap-ssl:RPC=""
courier-imap-ssl:IP=""
courier-imap-ssl:BROADCAST=""
postfix:TCP="25 465"
postfix:UDP=""
postfix:RPC=""
postfix:IP=""
postfix:BROADCAST=""
vsftpd:TCP="ftp ftp-data"
vsftpd:UDP="ftp-data"
vsftpd:RPC=""
vsftpd:IP=""
vsftpd:BROADCAST=""

# lsmod |grep conn
nf_conntrack_ipv6      36424  0
nf_conntrack_ftp       27320  0
nf_conntrack_ipv4      29576  3 iptable_nat,nf_nat
nf_conntrack           91536  6 nf_conntrack_ipv6,xt_state,iptable_nat,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4
ipv6                  331544 31 ip6t_REJECT,nf_conntrack_ipv6,ip6table_mangle

What do I have to change in my configuration to allow FTP through the firewall?

Regards,

Christian Boltz
-- 
[GMX] According to the Heise newsticker they are doing a migration of some data sets ... Migration? From /dev/hda to /dev/null? [> Jan Trippler and Ratti in suse-linux]

-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

> Hello,
> 
> I have problems setting up SuSEfirewall2 on a server with openSUSE 11.0 and vsftpd running.
> 
> The problem is that I didn't find out the correct configuration for FTP - I can log in using an FTP client, but when I try to upload files or request a directory listing, I clash with the firewall :-(
> [...]
> What do I have to change in my configuration to allow FTP through the firewall?

You will have to disable the filters. The reason is comparatively simple: the ftp protocol opens a TCP connection for each file transfer, even for a directory listing. There are two modes:

PORT mode: The ftp server opens the data connection to the client, and usually uses source port 20.

passive mode: The client opens the data connection to the server, ports are undetermined.

If you just make sure that your system doesn't listen on ports that it doesn't need to, you should be safe without the filters. Use "netstat -anpl" and a port scanner to check.

> Regards,
> 
> Christian Boltz

Thanks,
Roman.

-- 
 - -
| Roman Drahtmüller <draht@suse.de>   // The mistakes you regret the most in
| Security Architect                  // your life are the ones you didn't
| Novell - SUSE Linux                 // commit when you had the chance. (HR)
 - -

Roman Drahtmueller wrote:
>> I have problems setting up SuSEfirewall2 on a server with openSUSE 11.0 and vsftpd running.
>> 
>> The problem is that I didn't find out the correct configuration for FTP - I can log in using an FTP client, but when I try to upload files or request a directory listing, I clash with the firewall :-(
>> [...]
>> What do I have to change in my configuration to allow FTP through the firewall?
> 
> You will have to disable the filters. The reason is comparatively simple: the ftp protocol opens a TCP connection for each file transfer, even for a directory listing.

Both vsftpd and pure-ftpd allow you to configure a port range used for passive mode. You can open that port range in the firewall then. Normally random ports are used for passive mode, which indeed is hard to filter.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Hello,

On Wednesday, 5 November 2008, Ludwig Nussel wrote:
> Roman Drahtmueller wrote:
>>> I have problems setting up SuSEfirewall2 on a server with openSUSE 11.0 and vsftpd running.
>>> 
>>> The problem is that I didn't find out the correct configuration for FTP - I can log in using an FTP client, but when I try to upload files or request a directory listing, I clash with the firewall :-(
>> 
>> You will have to disable the filters. The reason is comparatively simple: the ftp protocol opens a TCP connection for each file transfer, even for a directory listing.
> 
> Both vsftpd and pure-ftpd allow you to configure a port range used for passive mode. You can open that port range in the firewall then. Normally random ports are used for passive mode, which indeed is hard to filter.

Thanks for your feedback. Opening a limited port range sounds like an acceptable solution.

However, I wonder about two things:
- shouldn't the nf_conntrack_ftp module handle this and open the needed highport automatically?
- why does FTP work on a 10.2 server without opening a port range? (I use ip_conntrack_ftp there)

Regards,

Christian Boltz
-- 
An admin is like a zookeeper: he has to be able to deal with eNTen (ducks), penguins and daemons (hmm, somehow I have never seen those in any zoo); eNTen are particularly dangerous and unpredictable, though, and when cleaning up you really have to take care not to catch a worm [........] [D. Aubry]

Christian Boltz wrote:
> On Wednesday, 5 November 2008, Ludwig Nussel wrote:
>> Roman Drahtmueller wrote:
>>>> I have problems setting up SuSEfirewall2 on a server with openSUSE 11.0 and vsftpd running.
>>>> 
>>>> The problem is that I didn't find out the correct configuration for FTP - I can log in using an FTP client, but when I try to upload files or request a directory listing, I clash with the firewall :-(
>>> 
>>> You will have to disable the filters. The reason is comparatively simple: the ftp protocol opens a TCP connection for each file transfer, even for a directory listing.
>> 
>> Both vsftpd and pure-ftpd allow you to configure a port range used for passive mode. You can open that port range in the firewall then. Normally random ports are used for passive mode, which indeed is hard to filter.
> 
> Thanks for your feedback. Opening a limited port range sounds like an acceptable solution.
> 
> However, I wonder about two things:
> - shouldn't the nf_conntrack_ftp module handle this and open the needed highport automatically?
> - why does FTP work on a 10.2 server without opening a port range? (I use ip_conntrack_ftp there)

Didn't you read the release notes? :-) See FW_SERVICES_ACCEPT_RELATED_EXT. In previous releases RELATED packets were accepted unconditionally.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Hello,

On Wednesday, 5 November 2008, Ludwig Nussel wrote:
> Christian Boltz wrote:
>> However, I wonder about two things:
>> - shouldn't the nf_conntrack_ftp module handle this and open the needed highport automatically?
>> - why does FTP work on a 10.2 server without opening a port range? (I use ip_conntrack_ftp there)
> 
> Didn't you read the release notes? :-)

Usually I do, but I must have missed this part. Or I forgot about it in the meantime - 11.0 is quite old, at least for people who do their daily work on an 11.1 beta4 ;-)

> See FW_SERVICES_ACCEPT_RELATED_EXT. In previous releases RELATED packets were accepted unconditionally.

Ah, that's it. Thanks for the pointer!

I think I have found a working configuration now, at least it worked on a first test:

/etc/vsftpd.conf:
pasv_min_port=20000
pasv_max_port=21000

/etc/sysconfig/SuSEfirewall2:
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"

Regards,

Christian Boltz
-- 
dd couldn't care less what FS is on the disk; it copies the disk lock, stock and barrel. [Ruediger Meier in suse-linux]
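An added diagnostic for the symptom at the top of this thread (example code, not from the thread or from SuSEfirewall2): it reads SFW2 log lines like the ones quoted above, flags clients whose SYN to port 21 was accepted and who were then dropped on a high port, and checks those ports against the range opened by a FW_SERVICES_ACCEPT_RELATED_EXT value written the way the working configuration above writes it. The log lines and addresses are constructed, and the assumption about which comma field carries the port range is stated in the code.

```python
import re
# Constructed /var/log/firewall excerpt in the SFW2 log format quoted in this thread; the
# hosts are documentation addresses, not the original poster's, and unused fields are left out.
SAMPLE_LOG = """\
Nov 5 15:18:22 server kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=56320 DPT=21 SYN
Nov 5 15:18:26 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=46127 DPT=35967 SYN
Nov 5 15:19:01 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=3389 SYN
"""

LINE_RE = re.compile(r"SFW2-INext-(?P<verdict>ACC|DROP)-\S+ .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_sfw2(log_text):
    """Yield (verdict, src, dpt) for every TCP SFW2 line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("verdict"), m.group("src"), int(m.group("dpt"))

def blocked_ftp_data(log_text, ctrl_port=21):
    """Map each client whose SYN to the FTP control port was accepted to the high ports it was
    later dropped on: the signature of passive data connections the firewall did not relate."""
    seen_ctrl, blocked = set(), {}
    for verdict, src, dpt in parse_sfw2(log_text):
        if verdict == "ACC" and dpt == ctrl_port:
            seen_ctrl.add(src)
        elif verdict == "DROP" and src in seen_ctrl and dpt >= 1024:
            blocked.setdefault(src, set()).add(dpt)
    return {src: sorted(ports) for src, ports in blocked.items()}

def related_rule_ranges(rule):
    """TCP (lo, hi) ranges from a FW_SERVICES_ACCEPT_RELATED_EXT value written like the thread's
    "0/0,tcp,,20000:21000". Assumption: net,proto come first and the first non-empty field
    after them ("lo:hi" or a single port) is the range being opened."""
    ranges = []
    for entry in rule.split():
        fields = entry.split(",")
        if len(fields) < 2 or fields[1] != "tcp":
            continue
        for f in fields[2:]:
            if f:
                lo, _, hi = f.partition(":")
                ranges.append((int(lo), int(hi or lo)))
                break
    return ranges

def uncovered_ports(blocked, ranges):
    """Dropped ports no configured range admits, e.g. pasv_min_port/pasv_max_port not yet in effect."""
    return {src: [p for p in ports if not any(lo <= p <= hi for lo, hi in ranges)]
            for src, ports in blocked.items()}
```

A non-empty result from uncovered_ports means the server is still handing out passive ports outside the opened range, so the data connection would be dropped even with the RELATED rule in place.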
participants (3): Christian Boltz, Ludwig Nussel, Roman Drahtmueller