----- Original Message -----
From: "Blaine Fleming" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 14, 2002 11:32 AM
Subject: [isp-security] Re: Port Filtering for FTP Server


>    The short answer is, you can't.  If you want to get deeply involved you
> could modify your ftp server or sniff the traffic and create a dynamic
> allow rule.  Do you run a FTP server that allows you to specify the port
> range for passive FTP?  If so you could apply rules to that range.  You
> would be limited with the number of passive connections, but it would work.
>
>    The IP security policy implementation that ships with windows really
> isn't made to allow/deny access to a system.  It is designed to encrypt the
> tunnel between those two systems for specified ports and protocols.
>
>    If I am wrong about doing this, please let me know how to implement it.
>
> --Blaine


Here's an article on Microsoft's site about how to do this.

http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp

There are similar articles elsewhere if you do a Google search.  To make this
usable, you really need to download the command-line configuration tool
ipsecpol.exe (it's also in the Win2k Resource Kit).  Certainly not on par with
something like IPFilter, but not too bad right out of the box.

This is an example batch file, similar to the one we use to do port filtering on
our Win2K email/dns/webmail server:


@echo off
::
:: Configure packet filtering using IPSEC policy
::

::
:: Delete previous policy
::
ipsecpol -w REG -p pf -o

::
:: By default, deny all
::
ipsecpol -w REG -p pf -r Default_Deny -n BLOCK -f *+0

::
:: Allow all ICMP
::
ipsecpol -w REG -p pf -r ICMP         -n PASS -f *+0::ICMP

::
:: Web, ftp, and terminal servers on 1.2.3.44
::
ipsecpol -w REG -p pf -r In_HTTP      -n PASS -f *+1.2.3.44:80:TCP
ipsecpol -w REG -p pf -r In_FTP       -n PASS -f *+1.2.3.44:21:TCP
ipsecpol -w REG -p pf -r In_FTP_Data  -n PASS -f *+1.2.3.44:20:TCP
ipsecpol -w REG -p pf -r Term_Server  -n PASS -f *+1.2.3.44:3389:TCP

::
:: Mail server on 1.2.3.44
::
ipsecpol -w REG -p pf -r POP3         -n PASS-f *+1.2.3.44:110:TCP
ipsecpol -w REG -p pf -r IMAP4        -n PASS -f *+1.2.3.44:143:TCP
ipsecpol -w REG -p pf -r In_SMTP      -n PASS -f *+1.2.3.44:25:TCP
ipsecpol -w REG -p pf -r Out_SMTP     -n PASS -f 1.2.3.44+*:25:TCP

::
:: DNS server on 1.2.3.45
::
ipsecpol -w REG -p pf -r DNS-UDP      -n PASS -f *+1.2.3.45:53:UDP
ipsecpol -w REG -p pf -r DNS-TCP      -n PASS -f *+1.2.3.45:53:TCP

::
:: Permit outgoing web, DNS connections on 1.2.3.44
::
ipsecpol -w REG -p pf -r Out_HTTP     -n PASS -f 1.2.3.44+*:80:TCP
ipsecpol -w REG -p pf -r Out_HTTPS    -n PASS -f 1.2.3.44+*:443:TCP
ipsecpol -w REG -p pf -r Out_DNS-UDP  -n PASS -f 1.2.3.44+*:53:UDP
ipsecpol -w REG -p pf -r Out_DNS-TCP  -n PASS -f 1.2.3.44+*:53:TCP

::
:: Activate this policy
::
ipsecpol -w REG -p pf -x

>
>
> At 11:18 AM 10/14/2002, you wrote:
> >I'm implementing port filtering on a Win2k server using built-in IPSEC
> >policies.
> >I'm having a bit of a time figuring out how to permit PASV FTP.  My FTP rules
> >are pretty simple (so far).  Assuming the server is at IP 123.123.1:
> >
> >
> >Source (IP:Port)     Destination (IP:Port)  Action
> >------------------   --------------------   -------------
> >Any:Any              123.123.123.1:21       Pass
> >123.123.123.1:21     Any:Any                Pass
> >123.123.123.1:20     Any:Any                Pass
> >
> >
> >The rules are set up with a default deny rule - anything not explicitly passed
> >is blocked.  The server is not behind any other firewall or NAT'ing router, and
> >is using a public IP address.  If I'm not mistaken, the above will permit active
> >FTP connections to/from an FTP client (by permitting port 20 outbound).  The
> >problem that I'm having, I believe, is with FTP clients that must establish PASV
> >connections due to their own firewalling.
> >
> >My understanding is that with PASV FTP, the server tells the client which data
> >port to establish a connection on (rather than initiating the connection from
> >port 20).  So the client then attempts an incoming connection for the data
> >channel on this randomly chosen port.  Any clues how to deal with this?
> >
> >Jim
> >
> >
> >____________ The ISP-SECURITY Discussion List ____________
> >To Join: mailto:[EMAIL PROTECTED]
> >To Remove: mailto:[EMAIL PROTECTED]
> >Archives: http://isp-lists.isp-planet.com/isp-security/archives/
> >To Remove: mailto:%%email.unsub%%
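An added check, not part of the thread and not anyone's posted batch file: a small Python model of the ipsecpol filter list in the reply above. It parses the `-f` filter strings and evaluates a packet against them, assuming the documented ipsecpol conventions (`*` any address, `0` this host, `+` mirrored filter, one destination port per filter) and approximating Windows IPsec's most-specific-filter-wins ordering with a field count. The client addresses, the passive port range 50000-50009 and the `PASV_<port>` rule names are constructed for the example. It shows why Jim's PASV data connection lands on Default_Deny, how Blaine's bounded-range suggestion is expressed as one PASS filter per port (which is what caps the number of concurrent passive transfers), how the mirrored In_FTP_Data filter is what lets active-mode transfers through, and one stateless-filter caveat behind the reply's "not on par with IPFilter" remark.

```python
"""Offline model of the ipsecpol port-filter list posted above (added example).

Modelled semantics: "*" any address, "0" this host, "+" mirrored (a filter
also matches packets with source/destination address and port swapped),
one destination port per filter, stateless matching in which the most
specific matching filter decides.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MY_ADDR = "1.2.3.44"   # the host that "0" stands for in the posted policy

# Excerpt of the posted batch file; -o / -x lines are ignored by the parser
BATCH = """
ipsecpol -w REG -p pf -r Default_Deny -n BLOCK -f *+0
ipsecpol -w REG -p pf -r ICMP         -n PASS -f *+0::ICMP
ipsecpol -w REG -p pf -r In_HTTP      -n PASS -f *+1.2.3.44:80:TCP
ipsecpol -w REG -p pf -r In_FTP       -n PASS -f *+1.2.3.44:21:TCP
ipsecpol -w REG -p pf -r In_FTP_Data  -n PASS -f *+1.2.3.44:20:TCP
ipsecpol -w REG -p pf -r Out_HTTP     -n PASS -f 1.2.3.44+*:80:TCP
ipsecpol -w REG -p pf -r Out_DNS-UDP  -n PASS -f 1.2.3.44+*:53:UDP
"""

RULE_RE = re.compile(r"-r\s+(\S+)\s+-n\s+(PASS|BLOCK)\s*-f\s+(\S+)")


@dataclass(frozen=True)
class Filter:
    name: str
    action: str      # "PASS" or "BLOCK"
    src: str         # IP, "*" or "0"
    dst: str
    dport: str       # destination port, "" = any
    proto: str       # "TCP", "UDP", "ICMP" or "" = any
    mirrored: bool

    def specificity(self) -> int:
        # Field count standing in for IPsec's most-specific-filter-wins order
        return sum(1 for v in (self.src, self.dst, self.dport, self.proto)
                   if v not in ("", "*"))


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_policy(text: str) -> List[Filter]:
    """Turn the ipsecpol lines of a batch file into Filter objects."""
    filters = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue                      # comments, -o, -x, blank lines
        name, action, spec = m.groups()
        left, right = re.split(r"[+=]", spec, maxsplit=1)
        dst, _, rest = right.partition(":")
        dport, _, proto = rest.partition(":")
        filters.append(Filter(name, action, left.split(":")[0], dst,
                              dport, proto.upper(), mirrored="+" in spec))
    return filters


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or addr == (MY_ADDR if pattern == "0" else pattern)


def _one_way(f: Filter, src: str, dst: str, dport: int, proto: str) -> bool:
    return (_addr_match(f.src, src) and _addr_match(f.dst, dst)
            and (f.dport == "" or int(f.dport) == dport)
            and (f.proto == "" or f.proto == proto))


def matches(f: Filter, p: Packet) -> bool:
    # Forward direction, then the swapped direction a mirrored filter adds
    return (_one_way(f, p.src, p.dst, p.dport, p.proto)
            or (f.mirrored and _one_way(f, p.dst, p.src, p.sport, p.proto)))


def decide(filters: List[Filter], p: Packet) -> Optional[Tuple[str, str]]:
    """(action, filter name) of the winning filter, or None if nothing matches."""
    hits = [f for f in filters if matches(f, p)]
    if not hits:
        return None                       # only possible without Default_Deny
    best = max(hits, key=Filter.specificity)
    return best.action, best.name


def passive_range_rules(first: int, last: int) -> str:
    """One PASS filter per port of a bounded passive range (constructed).
    ipsecpol takes one port per filter, so the range costs one line per port
    and bounds concurrent passive transfers; PASV_<port> names are invented."""
    return "".join(f"\nipsecpol -w REG -p pf -r PASV_{p} -n PASS -f *+{MY_ADDR}:{p}:TCP"
                   for p in range(first, last + 1))


if __name__ == "__main__":
    client = "203.0.113.5"                # constructed client address
    policy = parse_policy(BATCH)
    print("control channel:", decide(policy, Packet(client, 40000, MY_ADDR, 21, "TCP")))
    print("PASV data, no range:", decide(policy, Packet(client, 40001, MY_ADDR, 51234, "TCP")))
    ranged = parse_policy(BATCH + passive_range_rules(50000, 50009))
    print("PASV data in range:", decide(ranged, Packet(client, 40001, MY_ADDR, 50005, "TCP")))
    # Stateless caveat: the mirrored outbound HTTP filter also admits an
    # inbound packet whose *source* port is 80, whatever its destination port.
    print("inbound from src port 80:", decide(policy, Packet("198.51.100.9", 80, MY_ADDR, 3306, "TCP")))
```

The last check is the part of the posted policy worth reviewing most carefully: every mirrored outbound PASS filter is also an inbound PASS filter keyed on the source port, because the IPsec filter list is static and keeps no connection state. That is the practical meaning of the reply's comparison with IPFilter, and the reason the bounded passive range is the only way to get PASV data connections through this kind of filter without opening the whole high-port range.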