Mailinglist Archive: opensuse-security (757 mails)

AW: [suse-security] probs with ftp-masquerading
  • From: "OKDesign oHG Security Administrator" <security@xxxxxxxxxxx>
  • Date: Thu, 24 Jan 2002 00:05:16 +0100
  • Message-id: <FGEALAMNBLCMCJGBFHKOEENHCBAA.security@xxxxxxxxxxx>
Hi Ralf,

thanks for your mails.
In your first answer to my problem you posted two iptables rules, which you
said were working on your system. Well, I implemented them on my system, they
are accepted, but it doesn't work. I still get no dir-listing. Did you do
anything else besides these two rules?

About SuSE-Proxy-Suite: Can someone please give me a URL with info about
this? I've heard of it, but never had the need to get any deeper into it. Now
it seems as if this is necessary (something I absolutely cannot understand,
because with ipchains it was absolutely no problem to get ftp-connect working
without any error. So why shouldn't it also be possible with iptables?
Sorry, I can't get the point here...).
What exactly is this suite and what exactly is it able to provide?

Thanks in advance

Stephan

-----Original Message-----
From: Ralf Ronneburger [mailto:ralf@xxxxxxxxxxxxxx]
Sent: Wednesday, 23 January 2002 19:34
To: suse-security
Subject: Re: [suse-security] probs with ftp-masquerading



Right, ftp-redirecting doesn't work, because you obviously don't have the
http-header to analyze for your proxy. Either use squid and set
ftp-proxy or use SuSE-Proxy-Suite, I've never tried the latter but I had
no troubles with squid up to now.

Ralf


Peter Wiersig wrote:

> On Wednesday, 23 January 2002 18:47, Stephan wrote:
>
>
>>From: Alberto Tarantino [mailto:alberto.tarantino@xxxxxxxxxxxx]
>>
>>
>>>I know it might sound like a "dirty trick".. but.. why don't you use port
>>>redirection and Squid as FTP proxy? That might improve security as well as
>>>be a very easy to implement solution.
>>>
>>How exactly must this be done ?
>>
>
> I think it won't work.
>
> ftp is a protocol which is a bit harder to manage in a firewall.
>
> I wouldn't try to use port redirection but install an ftp-proxy and configure
> my client programs to use this proxy.
>
> The firewall rule I would choose would be:
>
> iptables -p tcp -s ! ftpproxy/32 -d 0/0 --dport 21 -j REJECT
>
> and this would only apply to traffic from internal to external networks.
>
> Peter
>
>



--
------------------------------------------------------------
Ralf Ronneburger
ralf@xxxxxxxxxxxxxx

Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.net/gpg/ralf_ronneburger.asc
------------------------------------------------------------
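
Added example, not part of the original thread or any poster's code: a Python sketch of why FTP data transfers such as a directory listing fail behind masquerading unless something FTP-aware sits in the path. The client announces its own address and port inside the control channel (the RFC 959 `PORT` command), so a gateway that only rewrites IP headers leaves a private address in the payload. The sample lines and the gateway address 203.0.113.5 are constructed.

```python
import ipaddress
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal byte values)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) carried by a PORT command or 227 reply, else None."""
    head = line.strip().upper()
    if not head.startswith(("PORT ", "227 ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    b = [int(x) for x in m.groups()]
    if any(v > 255 for v in b):
        return None
    return ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(b[:4])), b[4] * 256 + b[5]

def audit(lines):
    """List (line_no, ip, port) for announcements of a non-routable address."""
    findings = []
    for n, line in enumerate(lines, 1):
        hp = parse_hostport(line)
        if hp and hp[0].is_private:
            findings.append((n, str(hp[0]), hp[1]))
    return findings

def rewrite_port(public_ip, public_port):
    """Build the PORT command a NAT helper would substitute on the way out."""
    host = str(public_ip).replace(".", ",")
    return "PORT %s,%d,%d" % (host, public_port >> 8, public_port & 0xFF)

# Constructed control-channel lines from a masqueraded client (not from the thread)
SAMPLE = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "PORT 192,168,1,10,4,1",  # asks the server to connect to 192.168.1.10:1025
    "LIST",
]
PUBLIC_IP = "203.0.113.5"  # constructed gateway address (documentation range)

if __name__ == "__main__":
    for n, ip, port in audit(SAMPLE):
        print("line %d announces %s:%d, unreachable from the server" % (n, ip, port))
    print("helper would send:", rewrite_port(PUBLIC_IP, 40001))
```

The same host-port encoding appears in the server's `227` reply in passive mode, which `parse_hostport` also accepts.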

