FTP (21) data through Firewall (ipchains)

Neil Pickford neilp at goldweb.com.au
Sun Aug 12 02:12:30 EST 2001


Thanks
Unfortunately I'm not ready to move to 2.4.x yet.
I have decided to create a script to enable and disable
the ftp-data ports from 1024:65535 when I need them.

Just a bit more hassle.

Neil Pickford

Martijn van Oosterhout wrote:
> 
> On Sat, Aug 11, 2001 at 07:06:58PM +1000, Neil Pickford wrote:
> > Hello
> >
> > I have been securing up my server and have established an input
> > chain where the default is to deny traffic over the dialup connection
> > to my ISP.  Previously the default was allow. (ipchains)
> >
> > I have now punched holes in the input chain for just the services
> > (ports) that I am using, however how do I handle allowing FTP data
> > connections where I have initiated the FTP connection, but FTP
> > chooses a random port number for the data link.
> 
> Well, one solution is to only allow passive FTP, that's easier to firewall.
> The ideal solution is to use iptables, where you can match RELATED
> connections, thus solving the problem entirely.
> 
> > I could open up all TCP ports from 4096 to 65535 but I think
> > that defeats the purpose of the firewall.
> 
> You could argue that since no programs listen on those ports normally, they
> don't need to be firewalled because any connection to those ports is likely
> to be legit (if it succeeds).
> 
> > Can anyone point me in the right direction here?
> 
> iptables is the real solution, anything else will be a compromise.
> 
> > Slackware 2.2.13 using ipchains and masquerade to a private class C
> > Only 1 static IP address in use for the server that is running WWW,
> > Caching DNS, XNTPD, SMTP & POP3 (all these are working fine)
> 
> but iptables is not available on 2.2 (unless someone backported it). You could
> go for 2.4.
> 
> HTH,
> --
> Martijn van Oosterhout <kleptog at svana.org>
> http://svana.org/kleptog/
> > It would be nice if someone came up with a certification system that
> > actually separated those who can barely regurgitate what they crammed over
> > the last few weeks from those who command secret ninja networking powers.
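One way to build the on/off script Neil describes, as an added example that is not his code or anything from the list; it assumes ppp0 as the dialup interface and a placeholder server address of 192.0.2.10, and it narrows the hole to connections arriving from the FTP data source port 20 rather than opening 1024:65535 to any source:

```sh
#!/bin/sh
# Added example, not the poster's own script: open and close an ipchains
# hole for active-mode FTP data connections on a 2.2 kernel (no RELATED
# matching), meant to be on only while an outbound FTP session is running.
# Assumptions: external interface ppp0, server address 192.0.2.10
# (placeholder), and an "input" chain whose default policy is DENY.
EXT_IF="${EXT_IF:-ppp0}"
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"

# Active FTP data: the remote server connects from its port 20 to one of
# our unprivileged ports. Matching source port 20 and the dialup interface
# keeps the hole far narrower than "all TCP 1024:65535 from anywhere", and
# -l logs every packet the rule accepts so use of the hole can be reviewed.
# $1 is -A (append) or -D (delete); the rule text is returned, not run.
ftp_data_rule() {
    printf 'ipchains %s input -i %s -p tcp -s 0/0 20 -d %s 1024:65535 -l -j ACCEPT\n' \
        "$1" "$EXT_IF" "$LOCAL_IP"
}

# Execute a rule, or only echo it when DRY_RUN is set (e.g. when not root).
apply_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$1"
    else
        eval "$1"
    fi
}

ftp_data_on()  { apply_rule "$(ftp_data_rule -A)"; }
ftp_data_off() { apply_rule "$(ftp_data_rule -D)"; }

case "${1:-}" in
    on)  ftp_data_on  ;;   # run before starting the ftp client
    off) ftp_data_off ;;   # run as soon as the session ends
    "")  ;;                # sourced or run without arguments: do nothing
    *)   echo "usage: $0 on|off" >&2 ;;
esac
```

Run `ftp-data.sh on` before the ftp client and `ftp-data.sh off` afterwards; `DRY_RUN=1 ./ftp-data.sh on` prints the rule without touching the firewall.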
