Re: Re: [suse-security] SuSEfirewall2 and Active ftp
From: Steffen Dettmer (steffendett.de)
Date: Thu Jul 17 2003 - 18:08:49 CDT
* Knut Erik Hauslo wrote on Thu, Jul 17, 2003 at 10:48 +0200:
> Without masquerading, and allowed FTP, I only got this working by
> additionally opening ports 1024-65535.
Which of course opens all high ports for any attacker. Using port
20 (or 53) as source in attacks is quite common.
> Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open
> incoming high ports. Unfortunately, this parameter does not seem to work
> if you do not masquerade, so you need to add a forwarding rule which
> permits high ports from the outside world. This again leaves those ports
> always open, not only when FTP sessions need them.
> With masquerading, this worked fine:
> FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
I do not understand why this allows masqueraded clients to access
active FTP resources. Well, without masq I think the "RELATED"
option of iptables does the trick. Active FTP through masq
requires something like ip_masq_ftp or however it is called these
days (ip_conntrack?), doesn't it?
This letter was produced by machine,
and therefore bears neither signature nor seal.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here
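As an added illustration of the point made in this exchange (not code from the thread or from SuSEfirewall2): the quoted "open 1024-65535" workaround beside stateful iptables rules that rely on the FTP connection-tracking helper, so only the server's RELATED data connection is accepted. The module names nf_conntrack_ftp and nf_nat_ftp are the current names of what the thread calls ip_conntrack and ip_masq_ftp; the interface names are assumed, and the LAN prefix is the one quoted above.

```shell
#!/bin/sh
# Added example: two ways to let LAN clients use active FTP through an
# iptables firewall. Interface and module names are assumptions.
LAN_NET="172.19.0.0/16"   # prefix quoted in the thread
WAN_IF="eth0"             # assumed external interface
LAN_IF="eth1"             # assumed internal interface

# The workaround quoted in the thread: statically accept every inbound
# high port so the server's data connection from port 20 gets through.
# Any inbound connection to 1024-65535 is accepted, FTP-related or not.
weak_rules() {
    cat <<EOF
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport 1024:65535 -j ACCEPT
EOF
}

# Stateful alternative: the FTP helper parses PORT commands on the control
# channel and marks the server's inbound data connection RELATED, so only
# that one expected connection is accepted. nf_nat_ftp rewrites the
# address inside PORT when the client is masqueraded.
stateful_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# kernels >= 4.7 no longer attach helpers automatically; assign it explicitly
iptables -t raw -A PREROUTING -s $LAN_NET -p tcp --dport 21 -j CT --helper ftp
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate NEW -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Self-check: does a rule set still leave a static high-port hole?
# Returns 0 (true) when the generated rules accept the whole 1024-65535 range.
opens_all_high_ports() {
    "$1" | grep -q -- '--dport 1024:65535'
}
```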