Vince Hoang wrote:
...
> Hmm. I will have to look into that more. I was always skeptical
> of ftp shims to simplify firewall configurations. It does seem to
> raise the bar when used on the server side of the ftp connection.

This is a stateful firewall. It's meant to work this way. If you want to do it by simply allowing ports, you might as well be using ipchains.


> FWIW, the latest Phrack (Linenoise / Java Tears down the
> Firewall) mentions how conntrack when used on the client side can
> be used to circumvent the firewall.

Certainly no worse than a blanket allow on high ports (which many people end up doing). Also, putting a few qualifiers on the RELATED rule can help prevent this. My script restricts RELATED connections (which is what these are) to high ports (above 1024) only. This prevents a crafty server from tricking the conntracker into letting it connect to a system service (since most of them live on low ports) by responding creatively to a PASV command.

You can also do things with source port 20, but not all servers use 20 as the source port for FTP data connections, and you'd want to be able to match the helper anyway (to know the ftp helper allowed it, otherwise blanket deny it as it might be a bounce scan). This can be done (helper match), but it's a kernel patch.


> -Vince

--MonMotha

--
Optimist: The glass is half full.                      | PGP Key: 0x1B0390E0
Pessimist: The glass is half empty.                    | Outgoing mail signed
Engineer: The glass is twice as big as it needs to be. | [EMAIL PROTECTED]
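The RELATED-port restriction described in the reply above, as an added example that is not MonMotha's script or anything posted in this thread: it emits a permissive and a restricted rule set (the interface name eth0, the addresses and the ports are all assumed), parses the RFC 959 host-port string that both the PORT command and the 227 PASV reply carry, and shows which data-connection ports each policy lets a helper-created expectation through.

```sh
#!/bin/sh
# Added example for the thread above; not MonMotha's script. It models the
# RELATED-rule policy discussed there and checks which FTP data-connection
# ports each policy admits. WAN and every address/port below are made up.

WAN=eth0   # assumed external interface

# Permissive policy: every RELATED connection is accepted. If the ftp helper
# set up an expectation for a low port, the packet hits this rule and is let in.
rules_permissive() {
    echo "iptables -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Restricted policy as in the thread: RELATED only to TCP ports above 1024.
# ICMP errors are RELATED too, so they get their own line before the DROP;
# otherwise limiting RELATED to tcp ports silently drops them.
rules_restricted() {
    echo "iptables -A INPUT -i $WAN -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN -p tcp --dport 1025:65535 -m state --state RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN -p icmp -m state --state RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN -m state --state RELATED -j DROP"
}

# Port from the RFC 959 host-port string "h1,h2,h3,h4,p1,p2", which both the
# PORT command and the 227 PASV reply use: port = p1*256 + p2.
# Returns 1 when the line carries no such string.
ftp_data_port() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*[^0-9]\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\),\([0-9]\{1,3\}\).*/\5 \6/p')
    [ $# -eq 2 ] || return 1
    echo $(( $1 * 256 + $2 ))
}

# Does policy $1 (permissive|restricted) let a RELATED connection reach port $2?
related_allowed() {
    case "$1" in
        permissive) return 0 ;;
        restricted) [ "$2" -gt 1024 ] ;;
        *) return 2 ;;
    esac
}

# check POLICY "control-channel line" -> "ACCEPT PORT" or "DROP PORT"
check() {
    port=$(ftp_data_port "$2") || { echo "no host-port string in: $2" >&2; return 2; }
    if related_allowed "$1" "$port"; then echo "ACCEPT $port"; else echo "DROP $port"; fi
}

# Constructed control-channel lines: a server answering PASV with port 22
# (the "creative" reply from the thread), and an ordinary high data port.
LOW='227 Entering Passive Mode (10,0,0,5,0,22)'
HIGH='PORT 192,168,1,10,195,80'
for policy in permissive restricted; do
    echo "$policy: $(check "$policy" "$LOW")  /  $(check "$policy" "$HIGH")"
done
```

The permissive set accepts the port-22 expectation; the restricted set drops it and still passes the high port, which is the whole effect of the extra qualifier on the RELATED rule. The helper match the message says needed a kernel patch has since gone into mainline as `-m helper --helper ftp`, so a rule like `-m helper --helper ftp -p tcp --dport 1025:65535 -m state --state RELATED -j ACCEPT` can tie the acceptance to the ftp helper specifically instead of to any RELATED traffic.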
