From: Jedi/Sector One (j pureftpd.org)
Date: Mon Dec 03 2001 - 17:26:17 CST
On Mon, Dec 03, 2001 at 11:46:12PM +0100, Carsten Menke wrote:
> how to get
> ftp-proxy working with a strong ruleset (I mean a very restrictive,
> secure ruleset).
If it can help, here's the ruleset of my nat gateway. Just change the two
lines below "Outgoing connections from the internal network" to only allow
some ports if you want your internal network to only access http and ftp.
ftp-proxy is just launched with a timeout and in anon-only mode, listening
on port 8081:
ftp-proxy -A -t 2520
(warning: -A has a bug that was just fixed in the current CVS)
Ports 49151-65535 are reserved for active sessions coming from the local
network, and relayed by ftp-proxy.
> Basically, I try to succeed with ftp-proxy to open as few ports as
> possible
The fewer ports you open for FTP data, the more vulnerable you are to
hijacking. If the NAT gateway has absolutely no service running on
non-privileged ports, and if your firewall is properly configured to only
accept these ports to the gateway IP, you can safely open a lot of ports.
Best regards,
-Frank.
# Firewall rules - Jedi/Sector One <j 4u.net>
EXT = "vr0"
INT = "vr1"
INTNET = "10.1.1.0/24"
CARPE = "212.208.244.0/24"
# Block everything by default
block in all
block out all
# Local traffic
pass in quick on lo0 all
pass out quick on lo0 all
# Block packets coming from reserved classes
block in quick on $EXT from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
127.0.0.1, 255.255.255.255, 0.0.0.0 } to any
# Wanadoo (a nuisance range)
block in quick on $EXT from 217.128.174.0/24 to any
# Pass out every legacy protocol
pass out quick inet proto icmp all icmp-type echoreq keep state
pass out quick proto udp all keep state
pass out quick proto tcp all flags S/SA keep state
# Scrub all traffic
scrub in on { $EXT, $INT } all
# Outgoing connections from the internal network
pass in quick on $INT proto { icmp, udp } from $INTNET to any keep state
pass in quick on $INT proto tcp from $INTNET to any flags S/SA modulate state
# Public services
pass in quick on $EXT proto tcp from any to $EXT port > 49151 flags S/SA \
keep state
pass in quick on $EXT proto tcp from any to $EXT port = ftp \
flags S/SA keep state
pass in quick on $EXT proto tcp from any to $EXT port = www \
flags S/SA keep state
pass in quick on $EXT proto tcp from $CARPE to $EXT port = pop3 \
flags S/SA keep state
pass in quick on $EXT proto tcp from any to $EXT port = ssh \
flags S/SA keep state
# No ident server (answer with RST so remote ident lookups fail fast)
block return-rst in proto tcp from any to $EXT port = auth
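As an added example (not part of the original post or of pf itself), here is a small Python audit of a constructed excerpt written in the same pf.conf syntax as the ruleset above: it joins backslash-continued lines, expands the macros, lists every inbound TCP range that the external interface accepts, and flags the wide range opened for ftp-proxy's active-mode data sessions. The excerpt, the service-name table and the 100-port threshold are assumptions made for the example.

```python
import re

# Constructed excerpt of the pf.conf posted above (same syntax, abbreviated).
RULESET = r"""
EXT = "vr0"
CARPE = "212.208.244.0/24"
block in all
pass in quick on $EXT proto tcp from any to $EXT port > 49151 flags S/SA \
    keep state
pass in quick on $EXT proto tcp from any to $EXT port = ftp \
    flags S/SA keep state
pass in quick on $EXT proto tcp from $CARPE to $EXT port = pop3 \
    flags S/SA keep state
pass in quick on $EXT proto tcp from any to $EXT port = ssh \
    flags S/SA keep state
block return-rst in proto tcp from any to $EXT port = auth
"""

# Service names used by the ruleset, resolved as /etc/services would (assumed table).
SERVICES = {"ftp": 21, "ssh": 22, "www": 80, "pop3": 110, "auth": 113}

def join_continuations(text):
    """Join backslash-continued lines, as pfctl does before parsing."""
    return re.sub(r"\\\n\s*", " ", text)

def expand_macros(text):
    """Substitute $NAME with the value of a NAME = "value" macro line."""
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)

# Only inbound TCP pass rules matter for the exposure of the external interface.
RULE = re.compile(r"pass in quick on (\S+) proto tcp from (\S+) to \S+ port (\S+) (\S+)")

def port_range(op, value):
    """Turn a pf port operator into an inclusive (low, high) range."""
    p = SERVICES.get(value) or int(value)
    return {"=": (p, p), ">": (p + 1, 65535), ">=": (p, 65535),
            "<": (1, p - 1), "<=": (1, p)}[op]  # 'port > 49151' starts at 49152

def exposure(text, iface):
    """List (source, low, high) for every inbound TCP pass rule on iface."""
    found = []
    for line in expand_macros(join_continuations(text)).splitlines():
        m = RULE.match(line)
        if m and m.group(1) == iface:
            found.append((m.group(2), *port_range(m.group(3), m.group(4))))
    return found

def wide_open(ranges, min_width=100):
    """Flag ranges reachable from 'any' that expose more than min_width ports."""
    return [r for r in ranges if r[0] == "any" and r[2] - r[1] + 1 > min_width]
```

Calling `exposure(RULESET, "vr0")` shows that the `port > 49151` rule admits 49152-65535, one port above the 49151 mentioned in the post, and `wide_open()` singles that range out as the one worth confirming is served only by ftp-proxy.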