On Fri, Jan 10, 2003 at 07:14:18PM -0500, MonMotha wrote:

> This is a stateful firewall. It's meant to work this way. If
> you want to do it by simply allowing ports, you might as well
> be using ipchains.

Agreed. Using connection tracking for ftp does offer more protection
than a stateless ipchains configuration. I did not mean to confuse the
issue.

> Certainly no worse than a blanket allow on high ports (which
> many people end up doing). Also, putting a few qualifiers on
> the RELATED rule can help prevent this. My script restricts
> RELATED connections (which is what these are) to high ports
> (above 1024) only. This prevents a crafty server from tricking
> the conntracker into letting it connect to a system service
> (since most of them live on low ports) by responding creatively
> to a PASV command.

My memory must be failing. Looking back at my homebrew iptables script,
it _does_ use ip_conntrack_ftp and RELATED flags for ftp. (I also use
ip_local_port_range to reduce the ephemeral port range and accept ftp
only from a small range of addresses.)

I would feel more comfortable about a firewall if it did not have to
protect an ftp server. A less schizophrenic protocol such as http
requires a single pair of src/dst ip/port. I can trust the state
established by that protocol more than that of ftp by several orders of
magnitude.

-Vince
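The "crafty PASV reply" MonMotha describes, modelled as an added example (it is not code from this thread or from ip_conntrack_ftp): a small Python routine parses the 227 reply the ftp server sends and decides whether a RELATED data connection should be expected, applying the high-port qualifier from the quoted script (ports 1024 and above) plus an address check that the announced host really is the control-connection peer. The address check is this example's own addition, not something the quoted rule does. The server address 192.0.2.10 and the sample replies are constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Shape of the RFC 959 passive-mode reply: "227 ... (h1,h2,h3,h4,p1,p2)".
# Port = p1 * 256 + p2, so a server can announce any port it likes, including 22.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply, or None if it is not well formed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:  # octets and port bytes are 0..255
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def related_verdict(control_peer_ip, reply, low_port=1024, high_port=65535):
    """
    Decide whether a RELATED data connection should be expected for this
    PASV reply. Qualifiers applied:
      - the announced address must be the control-connection peer
        (this example's own check, beyond the quoted rule)
      - the announced port must lie in [low_port, high_port]
        (the "high ports only" qualifier from the quoted script)
    Returns (allowed, reason). Passing low_port=1 models the blanket
    RELATED accept that the thread warns against.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "no well-formed PASV reply: no expectation created"
    ip, port = parsed
    if ip_address(ip) != ip_address(control_peer_ip):
        return False, f"announced {ip} is not the control peer {control_peer_ip}"
    if not low_port <= port <= high_port:
        return False, f"announced port {port} outside {low_port}-{high_port}"
    return True, f"expect data connection to {ip}:{port}"


# Constructed sample data: the server address the client opened the control
# connection to, and a handful of 227 replies it might send back.
SERVER = "192.0.2.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # honest: port 50000
    "227 Entering Passive Mode (192,0,2,10,0,22)",    # crafty: points at ssh
    "227 Entering Passive Mode (10,0,0,5,195,80)",    # crafty: points at another host
    "227 Entering Passive Mode (192,0,2,10,300,1)",   # malformed octet
    "150 Opening BINARY mode data connection",        # not a PASV reply at all
]


def demo():
    """Verdicts for SAMPLE_REPLIES with the high-port qualifier in force."""
    return [related_verdict(SERVER, r)[0] for r in SAMPLE_REPLIES]


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        ok, why = related_verdict(SERVER, r)
        print("ALLOW" if ok else "DROP ", r, "->", why)
```

Running the block with the default port range accepts only the first reply; calling related_verdict with low_port=1 shows that the blanket RELATED accept would also let the port-22 reply through, which is exactly the gap the port qualifier closes. In iptables terms the same qualifier is a destination-port range on the RELATED rule, for instance (illustrative form, not the script from the thread): iptables -A FORWARD -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT, and narrowing net.ipv4.ip_local_port_range as Vince mentions shrinks the range that such a rule has to accept.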