On Sat, 24 Nov 2001, Bernd Eckenfels wrote:

> On Sat, Nov 24, 2001 at 04:34:49PM +1100, Iain wrote:
> > How do you specify a port range for it?
>
> I just checked it again. In 2.2 it is using the Masquerading Port Range. The
> Masquerading Port Range is shared by all Masquerading stuff (even outgoing)
> and can be configured hardcoded with 2.2.x:
>
> linux/include/net/ip_masq.h:#define PORT_MASQ_BEGIN 61000
> linux/include/net/ip_masq.h:#define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)
>
> > > Anyway, I do not recommend to allow active FTP inside anyway.
> >
> > why not?
>
> Because this attack is not really fixed: (and fixing it and some other
> vulnerabilities require a detailed parsing of the FTP protocol, which can
> only be done in an ALG):
>
> * Protection against the "extended FTP ALG vulnerability".
> * This vulnerability was reported in:
> *
> * http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&[EMAIL PROTECTED]
> *
> * The protection here is very simplistic, but it at least denies access
> * to all ports under 1024, and allows the user to specify an additional
> * list of high ports on the insmod command line, like this:
> * noport=x1,x2,x3, ...
> * Up to MAX_MASQ_APP_PORTS (normally 12) ports may be specified, the
> * default blocks access to the X server (port 6000) only.
The problem is that passive-mode FTP is just as big a hole to the server (it
has to allow connections to any high port), and therefore some servers won't
allow it. If you need to connect to such a server, then you have to use
active-mode ftp. Those servers are relatively rare, because web browsers tend
to use only passive-mode ftp (right?)

> Using a Proxy allows you

[ at the expense of a more complicated system and extra CPU and disk space ]

> to do content filtering,

[ read: big brother ]

> audit trails,

Fully agree. Again, keep in mind the aspect of privacy with respect to the
generated logs.

> better
> protocol filtering (against above attack). And for FTP Servers it could also
> protect against bugs in servers (actually you need a good FTP Proxy for that,
> I am still searching for that one :)

Squid and similar http proxies can be a sort-of ftp-proxy. They can fetch
files and directory listings through ftp, but they don't keep sessions open.
And when you try to connect to a busy site, opening a new control connection
for each directory listing or file fetch will cause many more retries. Those
programs are not *real* ftp proxies. (I believe that you can find that clearly
stated in squid's FAQ).

--
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
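An added example, not code from this thread or from the Linux 2.2 ip_masq_ftp module: a user-space C model of the "simplistic" active-mode check the quoted module comment describes, i.e. parse the client's PORT command, refuse any data port below 1024, and refuse ports on a noport list that defaults to 6000 (the X server). The parser, the function names, MAX_NOPORTS and the sample commands are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_NOPORTS 12                 /* stands in for MAX_MASQ_APP_PORTS */

/* Default noport list from the quoted comment: block the X server only. */
static const int default_noports[] = { 6000 };
#define N_DEFAULT_NOPORTS 1

/* Parse "PORT h1,h2,h3,h4,p1,p2" and return the TCP port (p1*256+p2), or -1
 * if the command is malformed: too few fields, a byte outside 0..255, or
 * trailing junk other than CR/LF (an ALG must not guess at garbage). */
int ftp_port_cmd_port(const char *line)
{
    unsigned int h[4], p[2];
    char tail;
    int n = sscanf(line, "PORT %u,%u,%u,%u,%u,%u%c",
                   &h[0], &h[1], &h[2], &h[3], &p[0], &p[1], &tail);
    if (n < 6) return -1;
    if (n == 7 && tail != '\r' && tail != '\n') return -1;
    for (int i = 0; i < 4; i++) if (h[i] > 255) return -1;
    if (p[0] > 255 || p[1] > 255) return -1;
    return (int)(p[0] * 256 + p[1]);
}

/* Policy from the quoted comment: deny privileged ports and listed noports.
 * Returns 1 if the back-connection may be opened, 0 if it must be dropped. */
int ftp_port_allowed(int port, const int *noports, int n_noports)
{
    if (port < 1024) return 0;
    if (n_noports > MAX_NOPORTS) n_noports = MAX_NOPORTS;  /* module limit */
    for (int i = 0; i < n_noports; i++)
        if (noports[i] == port) return 0;
    return 1;
}

/* Parse and check in one step: -1 = malformed, 0 = denied, 1 = allowed. */
int ftp_check_port_line(const char *line, const int *noports, int n_noports)
{
    int port = ftp_port_cmd_port(line);
    return port < 0 ? -1 : ftp_port_allowed(port, noports, n_noports);
}

int main(void)
{
    const char *samples[] = {            /* constructed sample commands */
        "PORT 192,168,1,5,4,1",          /* 1025: high port, allowed   */
        "PORT 192,168,1,5,0,23",         /* 23: privileged, denied     */
        "PORT 192,168,1,5,23,112",       /* 6000: X server, denied     */
        "PORT 192,168,1,5,300,1",        /* byte > 255: malformed      */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %d\n", samples[i],
               ftp_check_port_line(samples[i], default_noports, N_DEFAULT_NOPORTS));
    return 0;
}
```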

