Re: Re[2]: [suse-security] SuSEfirewall2 and Active ftp

From: Steffen Dettmer (steffendett.de)
Date: Thu Jul 17 2003 - 18:08:49 CDT


* Knut Erik Hauslo wrote on Thu, Jul 17, 2003 at 10:48 +0200:
> Without masquerading, and allowed FTP, I only got this working by
> additionally opening ports 1024-65535.

Which of course opens all high ports for any attacker. Using port
20 (or 53) as source in attacks is quite common.

> Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open
> incoming high ports. Unfortunately, this parameter does not seem to work
> if you do not masquerade, so you need to add a forwarding rule which
> permits high ports from the outside world. This again leaves those ports
> always open, not only when FTP sessions need them.
>
> With masquerading, this worked fine:
> FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
> 172.19.0.0/16,0/0,tcp,80"
> FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

I do not understand why this allows masqueraded clients to access
active FTP resources. Well, without masq I think the "RELATED"
option of iptables does the trick. Active FTP through masq
requires something like ip_masq_ftp or however it is called these
days (ip_conntrack?), doesn't it?

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
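Steffen's point about RELATED versus opening all high ports, as a toy Python model added here (not SuSEfirewall2 or netfilter code): the FTP helper parses the PORT command on a tracked control connection and registers the single data connection it announces, so an inbound SYN from source port 20 is accepted only when it matches that expectation and is otherwise dropped. Addresses and ports are constructed; the masquerading case additionally needs the helper to rewrite the PORT payload, which this model leaves out.

```python
"""Toy model of an FTP-aware connection tracker (added illustration)."""
import re


class FtpAwareTracker:
    """Tracks outbound sessions and the data connections they announce."""

    def __init__(self):
        self.established = set()  # (client, cport, server, sport)
        self.expected = set()     # (server, 20, client, data_port) from PORT

    def outbound(self, src, sport, dst, dport, payload=b""):
        """Client -> server packet: record the session, parse any PORT command."""
        self.established.add((src, sport, dst, dport))
        if dport == 21:
            m = re.search(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:
                ip = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                # Helper: expect the server to connect from port 20 to the
                # announced port, and nothing else.
                self.expected.add((dst, 20, ip, port))

    def inbound_verdict(self, src, sport, dst, dport):
        """Server -> client packet: ESTABLISHED, RELATED, or DROP."""
        if (dst, dport, src, sport) in self.established:
            return "ESTABLISHED"
        if (src, sport, dst, dport) in self.expected:
            self.expected.discard((src, sport, dst, dport))  # one-shot expectation
            return "RELATED"
        return "DROP"


def demo():
    """Constructed exchange: one active-FTP session plus two bogus port-20 SYNs."""
    t = FtpAwareTracker()
    client, server = "172.19.6.10", "198.51.100.7"  # constructed addresses
    # PORT h1,h2,h3,h4,p1,p2 -> data port 156*256+68 = 40004
    t.outbound(client, 40001, server, 21, b"PORT 172,19,6,10,156,68\r\n")
    return (
        t.inbound_verdict(server, 20, client, 40004),        # announced data conn
        t.inbound_verdict(server, 20, client, 40005),        # port 20 to other port
        t.inbound_verdict("203.0.113.9", 20, client, 40004),  # unrelated host
    )
```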
