Nicholas J. Leon wrote:
> I must have been missing something.
>
> So when a client goes into PASV mode (like all web browsers do), it then
> attempts a <CLIENT:*> to <SERVER:*> connection? Unlike non-PASV mode which
> would open up a <SERVER:ftp-data> to <CLIENT:*>. Correct?
Correct.
> This is good for NAT and Masquerading, but what about firewalls?
This is also good for firewalls. With active mode, the client would
have to be able to accept inbound connections, which is rather awkward
if it is behind a firewall.
> So, you have to open up all ports > 1024 on your ftp server incoming from
> the outside? Just to support PASV.
Yep. With active mode, *every* client has to open up all ephemeral
ports.
> Of course, with normal connection, at
> least you can open them up only to ftp-data sourced packets.
Which is no more secure than just opening up every ephemeral port.
Hint: if you want to break in to a system which is behind a firewall,
use port 20 as the source port. It's not exactly unheard of for people
to misconfigure firewalls to allow traffic from port 20 which would
otherwise be denied.
> Is that true? What's the tightest (and fully functional) firewall rules for
> ftp servers?
Don't block inbound connections to ephemeral ports. Just block any
specific ephemeral ports which you happen to be using (e.g. rpc.nfsd,
rpc.mountd, X servers).
Some ftp daemons can use a specific range of ports for data
connections. The ftpaccess(5) manpage for wu-ftpd-2.4.2-beta-18-vr13
says:
passive ports <cidr> <min> <max>
Allows control of the TCP port numbers which may be
used for a passive data connection. If the control
connection matches the <cidr> a port in the range
<min> to <max> will be randomly selected for the daemon
to listen on. This feature allows firewalls to
limit the ports which remote clients may use to
connect into the protected network.
<cidr> is shorthand for an IP address in dotted-quad notation
followed by a slash and the number of left-most bits
which represent the network address (as opposed to the
machine address). For example, if you're using the
reserved class-A network 10, instead of a netmask of
255.0.0.0 use a CIDR of /8 as in 10.0.0.0/8 to represent
your network.
In this case, you only need open the appropriate range of ports.
--
Glynn Clements <[EMAIL PROTECTED]>
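The two firewall shapes discussed in this thread (a rule that trusts source port 20, versus a rule that opens only the server's configured passive-ports range for clients in the matching CIDR) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread or from wu-ftpd. The names `Conn`, `tight_policy`, `source_port_policy` and `pasv_data_verdict` are assumptions made here, and the passive range 50000-50100, the 10.0.0.0/8 CIDR and the sample addresses are constructed values, not anything from the list post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

# Matches the FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
# with which the server announces the port it chose from its passive range.
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) announced by a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass(frozen=True)
class Conn:
    """One inbound TCP connection attempt as seen by the server-side firewall.
    (Hypothetical type defined for this example.)"""
    src_ip: str
    src_port: int
    dst_port: int


Policy = Callable[[Conn], str]


def tight_policy(passive_cidr: str, pmin: int, pmax: int,
                 blocked: FrozenSet[int] = frozenset()) -> Policy:
    """The rule set the reply recommends: accept the control port (21) and
    the configured passive data range, but only from clients inside the
    CIDR the 'passive ports' line names; drop everything else, and drop any
    specific ports you happen to be using (NFS, X) unconditionally."""
    net = ipaddress.ip_network(passive_cidr)

    def verdict(c: Conn) -> str:
        if c.dst_port in blocked:
            return "drop"
        if c.dst_port == 21:
            return "accept"
        if pmin <= c.dst_port <= pmax and ipaddress.ip_address(c.src_ip) in net:
            return "accept"
        return "drop"
    return verdict


def source_port_policy() -> Policy:
    """The rule shape the reply warns against: accept any inbound connection
    to an ephemeral port as long as its source port is 20 (ftp-data).
    Nothing about the destination is checked, so this is no tighter than
    opening every port above 1024."""
    def verdict(c: Conn) -> str:
        if c.dst_port == 21 or (c.src_port == 20 and c.dst_port > 1024):
            return "accept"
        return "drop"
    return verdict


def pasv_data_verdict(reply: str, client_ip: str, client_port: int,
                      policy: Policy) -> str:
    """Parse the server's 227 reply and ask the policy whether the client's
    follow-up data connection to the announced port would get through."""
    _, port = parse_pasv(reply)
    return policy(Conn(client_ip, client_port, port))


if __name__ == "__main__":
    # Constructed scenario: passive range 50000-50100 for clients in 10/8,
    # with rpc.nfsd (2049) and an X server (6000) explicitly blocked.
    tight = tight_policy("10.0.0.0/8", 50000, 50100, frozenset({2049, 6000}))
    lax = source_port_policy()
    reply = "227 Entering Passive Mode (10,1,2,3,195,88)"  # port 50008
    print("PASV data from 10.9.9.9:", pasv_data_verdict(reply, "10.9.9.9", 40000, tight))
    print("PASV data from 192.0.2.5:", pasv_data_verdict(reply, "192.0.2.5", 40000, tight))
    for name, pol in (("tight", tight), ("source-port", lax)):
        print(name, "on src port 20 -> X server:", pol(Conn("192.0.2.5", 20, 6000)))
```

Run it as a script to see the comparison: the tight policy admits the announced data port only from a client in the configured CIDR and keeps port 6000 closed whatever the source port is, while the source-port policy lets the same connection to 6000 through purely because it claims to come from port 20. When translating this into real rules, the equivalent of `tight_policy` is a single rule for the passive range plus the control port; the passive range itself comes from the daemon's `passive ports` setting so that both sides agree on it.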