FTP (21) data through Firewall (ipchains)

Martijn van Oosterhout kleptog at svana.org
Sat Aug 11 20:43:31 EST 2001

On Sat, Aug 11, 2001 at 07:06:58PM +1000, Neil Pickford wrote:
> Hello
> I have been securing up my server an have established an input
> chain where the default is to deny traffic over the dialup connection
> to my ISP.  Previously the default was allow. (ipchains)
> I have now punched holes in the input chain for just the services
> (ports) that I am using, however how do I handle allowing FTP data
> connections where I have initiated the FTP connection, but FTP 
> chooses a random port number for the data link.  

Well, one solution is to only allow passive FTP, that's easier to firewall.
The ideal solution is to use iptables, where you can match RELATED
connections, thus solving the problem entirly.

> I could open up all TCP ports from 4096 to 65535 but I think 
> that defeats the purpose of the firewall.

You could argue that since no programs listen on those ports normally, they
don't need to be firewalled because any connection to those ports is likely
to be legit (if it succeeds).

> Can anyone point me in the right direction here?

iptables is the real solution, anything else will be a compromise.

> Slackware 2.2.13 using ipchains and masquerade to a private class C
> Only 1 static IP address in use for the server that is running WWW,
> Caching DNS, XNTPD, SMTP & POP3 (all these are working fine)

but iptables is not avaible on 2.2 (unless someone backported it). You could
go for 2.4.

Martijn van Oosterhout <kleptog at svana.org>
> It would be nice if someone came up with a certification system that
> actually separated those who can barely regurgitate what they crammed over
> the last few weeks from those who command secret ninja networking powers.

More information about the linux mailing list