| From | Sent On | Attachments |
|---|---|---|
| Axel Scheepers | Jul 7, 2001 6:32 am | |
| Crist J. Clark | Jul 7, 2001 11:38 am | |
| tj...@tksoft.com | Jul 8, 2001 3:01 am | |
| Crist J. Clark | Jul 8, 2001 1:06 pm | |
| Tony Landells | Jul 8, 2001 4:28 pm | |
| Axel Scheepers | Jul 9, 2001 12:29 am | |
| tj...@tksoft.com | Jul 9, 2001 4:36 am | |
| Subject: | Re: Firewall and ftp service | |
|---|---|---|
| From: | Axel Scheepers (asch...@surf.iae.nl) | |
| Date: | Jul 9, 2001 12:29:21 am | |
| List: | org.freebsd.freebsd-security | |
Thank you all for your help! ;-) I do use kind of a mix of ipf/ipfw/natd at the moment, but that was because I wanted it working as fast as possible (just switched from modem to cable ;-) Now that my first "Wow, I want to do ... and ... and .." feelings are over, I want to figure out a nice clean way of doing it. So thank you all for your great responses, you've given me a lot of starting points (ipnat instead of natd) and help (ftp howto ;-)
Thanks, Axel Scheepers
On Sat, Jul 07, 2001 at 11:38:49AM -0700, Crist J. Clark wrote:
On Sat, Jul 07, 2001 at 03:32:47PM +0200, Axel Scheepers wrote:
I'll say it again, FTP is eeeevul.
Hi everybody, I hope I'm not being really off topic with this one but it's been troubling me for a while now. I'm looking for a way to provide access to an ftp server; my current network layout looks like this:
```text
Cable Modem ------> Gateway ---------> http/ftp server
                       |
                       |
                       +------------> private http/ftp/sql server
                       |
                       |
                       +------------> my workstation
```
The gateway does natd and ipf since the other servers have private addresses.
natd(8) and ipf(8) or natd(8) and ipfw(8)? I'd recommend either using, natd(8) and ipfw(8) or ipnat(8) and ipf(8), and not mixing and matching. There are sometimes reasons to run ipf(8) and ipfw(8) at the same time, but when you need to proxy FTP, there is too much room for confusion and weird interactions.
The problem now is that whenever I connect to my ftp servers from the outside, the server is unable to set up a data connection, because it wants to connect on a port > 1024, which is blocked by my firewall (and I want to leave it that way). Natd does the following:

```sh
natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
```

which redirects the traffic to my public ftp server.
As I see it there can be 2 problems with this setup; 1) The server wants to initiate the data connection at a port > 1024 and/or 2) The server still somehow reports 192.168.0.5 as its address to the clients.
I have tried to connect with the option passive off, which I thought should force the server to stay on port 21 for the data connection, but it didn't work. :(
OK, one more time on how FTP generally works. Everyone knows the client connects to the server on port 21. That's easy. Now as for the data connection, there are two modes, PORT (active) and PASV (passive). In PORT, the client tells the server what port it will be listening on and the _server_ then (usually) connects to the _client_ with a source port of 20 and the arbitrary high port ("ephemeral") the client gave the server as the destination. In PASV, the server tells the client what port it will be listening on, usually an arbitrary high, ephemeral port, and the client then connects with an ephemeral port source to the ephemeral destination. And we should point out that in both modes the server and client are passing not only the port number back and forth, but actually the IP address to connect to as well.
So, the moral of the story is that FTP is an absolute bitch to work with if you have a firewall or NAT'ing gateway between the client and server. You need an application layer proxy for the connection. Redirection alone will not cut it.
Can/will somebody help on getting this done the proper way ? I just want to use ipfilter, if possible, and I don't like to install a ftp proxy for this.
Oops. You are really using ipf(8). IPFilter has an FTP proxy built-in. However, use ipnat(8) and not natd(8) with ipf(8).
-- Crist J. Clark cjcl...@alum.mit.edu
-- Met vriendelijke groet, VIA NET.WORKS Nederland
Axel Scheepers Operations phone +31 40 239 33 93 fax +31 40 239 33 11 e-mail eind...@vianetworks.nl http://www.vianetworks.nl/
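As an added illustration of the point made in the thread (this is example code, not anything posted by the participants or shipped with IPFilter): the FTP control channel carries the data-connection IP address and port inside PASV replies and PORT commands, so a plain port redirect leaks the server's private address and an application-layer proxy has to rewrite it. The sample messages and the public address 203.0.113.7 are constructed placeholders.

```python
import re
import ipaddress

# Constructed sample control-channel traffic (not taken from the thread):
# the private server's PASV reply and a client's PORT command.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,5,195,80).\r\n"
PORT_CMD = "PORT 10,1,2,3,4,210\r\n"

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959)
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(fields):
    """Six h1,h2,h3,h4,p1,p2 fields -> (ip, port); port = p1*256 + p2."""
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range")
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def parse_pasv(reply):
    """Address/port the server asks the client to connect to (PASV mode)."""
    m = HOSTPORT_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply")
    return decode_hostport(m.groups())


def parse_port(cmd):
    """Address/port the client will listen on for the server (PORT mode)."""
    m = HOSTPORT_RE.search(cmd)
    if not cmd.upper().startswith("PORT ") or m is None:
        raise ValueError("not a PORT command")
    return decode_hostport(m.groups())


def rewrite_pasv(reply, public_ip):
    """What an FTP proxy does on the server->client stream: swap the RFC 1918
    address the server announced for the gateway's public address. The data
    port is kept, so the NAT must also redirect that port inbound."""
    ip, port = parse_pasv(reply)
    if not ipaddress.ip_address(ip).is_private:
        return reply  # already a routable address, nothing to fix
    new = public_ip.replace(".", ",") + f",{port // 256},{port % 256}"
    return HOSTPORT_RE.sub(new, reply, count=1)


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))                   # ('192.168.0.5', 50000)
    print(rewrite_pasv(PASV_REPLY, "203.0.113.7"))  # public address substituted
```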