Mailinglist Archive: opensuse-security (757 mails)

Re: AW: [suse-security] probs with ftp-masquerading
  • From: Ralf Ronneburger <ralf@xxxxxxxxxxxxxx>
  • Date: Thu, 24 Jan 2002 00:10:13 +0100
  • Message-id: <3C4F42D5.1050605@xxxxxxxxxxxxxx>
Hi Stephan,

I have no SuSE-Firewall or Personal-firewall or whatever running! When you adapt these scripts to your setup then (External interface, internal interface) they'll work! I use them on two completely different networks (with slight adaption).

Best regards,

Ralf

P.S.: As we're living in the same country - if you still don't get it working - how about "Telefonseelsorge" (telephone-care)? :-)



OKDesign oHG Security Administrator wrote:

Hi Ralf,

thanks for your mails.
In your first answer to my problem you posted two iptables-rules, which you
told as working in your system. Well, I implemented them into my system, they
are accepted, but it doesn't work. I still get no dir-listing. Did you do
anything else besides these two rules?

About SuSE-Proxy-Suite: Can someone please give me a URL with information about
this? I've heard of it, but never had the need to get any deeper into it. Now
it seems as if this is necessary (something I absolutely cannot understand,
because with ipchains it was absolutely no problem to get ftp-connect working
without any error. So why shouldn't it also be possible with iptables?
Sorry, I can't get the point here...).
What exactly is this suite and what exactly is it able to provide?

Thanks in advance

Stephan

-----Original Message-----
From: Ralf Ronneburger [mailto:ralf@xxxxxxxxxxxxxx]
Sent: Wednesday, 23 January 2002 19:34
To: suse-security
Subject: Re: [suse-security] probs with ftp-masquerading



Right, ftp-redirecting doesn't work, because you obviously don't have the
http-header to analyze for your proxy. Either use squid and set
ftp-proxy or use SuSE-Proxy-Suite, I've never tried the latter but I had
no troubles with squid up to now.

Ralf


Peter Wiersig wrote:


On Wednesday, 23 January 2002 18:47, Stephan wrote:



From: Alberto Tarantino [mailto:alberto.tarantino@xxxxxxxxxxxx]



I know it might sound like a "dirty trick".. but.. why don't you use port
redirection and Squid as FTP proxy? That might improve security as well as
be a very easy to implement solution.


How exactly must this be done ?


I think it won't work.

ftp is a protocol which is a bit harder to manage in a firewall.

I wouldn't try to use port redirection but install an ftp-proxy and configure
my client programs to use this proxy.

The firewall rule I would choose would be:

iptables -p tcp -s ! ftpproxy/32 -d 0/0 --dport 21 -j REJECT

and this would only apply to traffic from internal to external networks.

Peter






--
------------------------------------------------------------
Ralf Ronneburger
ralf@xxxxxxxxxxxxxx

Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.net/gpg/ralf_ronneburger.asc
------------------------------------------------------------

