
Re: Re[2]: [suse-security] SuSEfirewall2 and Active ftp



* Knut Erik Hauslo wrote on Thu, Jul 17, 2003 at 10:48 +0200:
> Without masquerading, and allowed FTP, I only got this working by
> additionally opening ports 1024-65535.

Which of course opens all high ports for any attacker. Using port
20 (or 53) as source in attacks is quite common.

> Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open
> incoming high ports. Unfortunately, this parameter does not seem to work
> if you do not masquerade, so you need to add a forwarding rule which
> permits high ports from the outside world. This again leaves those ports
> always open, not only when FTP sessions need them.
> 
> With masquerading, this worked fine:
>   FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
> 172.19.0.0/16,0/0,tcp,80"
>   FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
>   FW_TRUSTED_NETS=""
>   FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

I do not understand why this allows masqueraded clients to access
active FTP resources. Well, without masq I think the "RELATED"
option of iptables does the trick. Active FTP through masq
requires something like ip_masq_ftp or however it is called these
days (ip_conntrack?), doesn't it?

oki,

Steffen

-- 
This message was generated by machine and therefore bears
neither signature nor seal.
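The two approaches discussed in this thread side by side, as an added example that is not part of the original messages and not SuSEfirewall2's own rule generator: the blanket "accept source port 20 into every high port" rule the reply warns about, next to a plain iptables ruleset that lets the active-FTP data connection in only after the kernel FTP helper has classified it RELATED, and rewrites the PORT command when masquerading. Assumed: a 2.6-or-later kernel (the modules are named nf_conntrack_ftp / nf_nat_ftp there; on the 2.4 kernels of the original thread they were ip_conntrack_ftp / ip_nat_ftp), a hypothetical external interface eth0, and the 172.19.0.0/16 LAN taken from the quoted config. The script only prints the rules; applying them is a separate, root-only step.

```shell
#!/bin/sh
# Added example, not from the original thread and not SuSEfirewall2 code.
# It prints two candidate rulesets so they can be compared and checked
# without touching the running firewall.
# Assumptions: eth0 is a hypothetical external interface; module names
# are those of 2.6+ kernels (ip_conntrack_ftp / ip_nat_ftp on 2.4).

WAN_IF=eth0                  # hypothetical external interface
LAN_NET=172.19.0.0/16        # LAN taken from the quoted FW_MASQ_NETS

# The workaround the reply warns about: any packet that merely claims
# source port 20 reaches every unprivileged port, FTP session or not.
bad_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
EOF
}

# Connection-tracking approach: the FTP helper parses the PORT command
# on the control channel (port 21) and marks the server's inbound data
# connection from port 20 as RELATED, so a single RELATED,ESTABLISHED
# rule admits it and nothing else. With masquerading, nf_nat_ftp also
# rewrites the private address/port inside the PORT command.
good_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -m state --state NEW -j DROP
iptables -A FORWARD -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Count rules that open a whole high-port range regardless of
# connection state; the RELATED-based set should contain none.
count_blanket_highport_rules() {
    "$1" | grep -c -- '--dport 1024:65535' || true
}

# Root-only: feed the connection-tracking set into the kernel.
apply_good_rules() {
    good_rules | sh
}

echo "# risky (static high-port hole):"
bad_rules
echo "# preferred (FTP helper + RELATED):"
good_rules
```

Run the script as-is to review the generated rules; call `apply_good_rules` (as root, after adapting `WAN_IF` and `LAN_NET`) to load them. The check `count_blanket_highport_rules good_rules` returning 0 is the property the thread is after: no port range stays open when no FTP session needs it.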

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here