What I don't see in this is how to allow passive mode ftp.  The policy set 
listed below will allow active mode transfers.  Am I just missing it?

--Blaine


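As an added example (not code from this thread or from any of its posters), the following script shows the two halves of the passive-mode problem discussed above: what the server actually tells the client in its PASV reply (an RFC 959 `227` response carrying `h1,h2,h3,h4,p1,p2`, with the data port computed as `p1*256 + p2`), and the static `ipsecpol` PASS rules a pinned passive range would need. The server address 1.2.3.44 is borrowed from the quoted batch file; the passive range 50000-50049, the rule names `In_FTP_PASV_<port>` and the sample control-channel replies are constructed for illustration. The quoted script uses one port per `-f` filter, so the generator emits one rule per port, which is the practical limit Blaine's message alludes to; the rules only help if the FTP server is actually configured to hand out ports from that range.

```python
"""
Added example, not from the thread: parse FTP PASV replies and generate the
per-port ipsecpol PASS rules needed for a pinned passive-port range.

Assumptions (hypothetical): SERVER_IP is the FTP server from the quoted
batch file; PASV_RANGE is a range the FTP server has been configured to use.
"""
import re

SERVER_IP = "1.2.3.44"        # from the quoted batch file
PASV_RANGE = (50000, 50049)   # hypothetical pinned passive range (50 ports)
POLICY = "pf"                 # policy name used by the quoted batch file

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (host, port) the server asked the client to connect to, or None."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed reply: each field is one byte
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def pasv_allowed(line, server_ip=SERVER_IP, pasv_range=PASV_RANGE):
    """True if the data connection requested by a 227 reply would pass the
    static filter, i.e. it targets the server on a port inside the pinned range."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return False
    host, port = parsed
    lo, hi = pasv_range
    return host == server_ip and lo <= port <= hi


def pasv_rules(server_ip=SERVER_IP, pasv_range=PASV_RANGE, policy=POLICY):
    """One ipsecpol PASS rule per port, in the same form as the quoted batch
    file (each -f filter names a single destination port)."""
    lo, hi = pasv_range
    return [
        f"ipsecpol -w REG -p {policy} -r In_FTP_PASV_{port} "
        f"-n PASS -f *+{server_ip}:{port}:TCP"
        for port in range(lo, hi + 1)
    ]


if __name__ == "__main__":
    # Constructed sample control-channel replies, not captured traffic.
    samples = [
        "227 Entering Passive Mode (1,2,3,44,195,80)",  # port 50000, inside range
        "227 Entering Passive Mode (1,2,3,44,4,1)",     # port 1025, hits Default_Deny
        "200 PORT command successful.",                 # active mode, port 20 rule covers it
    ]
    for s in samples:
        print(f"{s!r:48} -> allowed={pasv_allowed(s)}")
    print("\n".join(pasv_rules()))
```

The generated lines can be pasted into the quoted batch file between the `In_FTP_Data` rule and the `-x` activation step; anything the server hands out outside the range still falls through to `Default_Deny`.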
At 12:26 PM 10/14/2002, you wrote:
>----- Original Message -----
>From: "Blaine Fleming" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Monday, October 14, 2002 11:32 AM
>Subject: [isp-security] Re: Port Filtering for FTP Server
>
>
> >    The short answer is, you can't.  If you want to get deeply involved you
> > could modify your ftp server or sniff the traffic and create a dynamic
> > allow rule.  Do you run a FTP server that allows you to specify the port
> > range for passive FTP?  If so you could apply rules to that range.  You
> > would be limited with the number of passive connections, but it would work.
> >
> >    The IP security policy implementation that ships with windows really
> > isn't made to allow/deny access to a system.  It is designed to encrypt the
> > tunnel between those two systems for specified ports and protocols.
> >
> >    If I am wrong about doing this, please let me know how to implement it.
> >
> > --Blaine
>
>
>Here's an article on Microsoft's site about how to do this.
>
>http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
>
>There are similar articles elsewhere if you do a Google search.  To make this
>usable, you really need to download the command-line configuration tool
>ipsecpol.exe (it's also in the Win2k Resource Kit).  Certainly not on par with
>something like IPFilter, but not too bad right out of the box.
>
>This is an example batch file, similar to the one we use to do port filtering
>on our Win2K email/dns/webmail server:
>
>
>@echo off
>::
>:: Configure packet filtering using IPSEC policy
>::
>
>::
>:: Delete previous policy
>::
>ipsecpol -w REG -p pf -o
>
>::
>:: By default, deny all
>::
>ipsecpol -w REG -p pf -r Default_Deny -n BLOCK -f *+0
>
>::
>:: Allow all ICMP
>::
>ipsecpol -w REG -p pf -r ICMP         -n PASS -f *+0::ICMP
>
>::
>:: Web, ftp, and terminal servers on 1.2.3.44
>::
>ipsecpol -w REG -p pf -r In_HTTP      -n PASS -f *+1.2.3.44:80:TCP
>ipsecpol -w REG -p pf -r In_FTP       -n PASS -f *+1.2.3.44:21:TCP
>ipsecpol -w REG -p pf -r In_FTP_Data  -n PASS -f *+1.2.3.44:20:TCP
>ipsecpol -w REG -p pf -r Term_Server  -n PASS -f *+1.2.3.44:3389:TCP
>
>::
>:: Mail server on 1.2.3.44
>::
>ipsecpol -w REG -p pf -r POP3         -n PASS -f *+1.2.3.44:110:TCP
>ipsecpol -w REG -p pf -r IMAP4        -n PASS -f *+1.2.3.44:143:TCP
>ipsecpol -w REG -p pf -r In_SMTP      -n PASS -f *+1.2.3.44:25:TCP
>ipsecpol -w REG -p pf -r Out_SMTP     -n PASS -f 1.2.3.44+*:25:TCP
>
>::
>:: DNS server on 1.2.3.45
>::
>ipsecpol -w REG -p pf -r DNS-UDP      -n PASS -f *+1.2.3.45:53:UDP
>ipsecpol -w REG -p pf -r DNS-TCP      -n PASS -f *+1.2.3.45:53:TCP
>
>::
>:: Permit outgoing web, DNS connections on 1.2.3.44
>::
>ipsecpol -w REG -p pf -r Out_HTTP     -n PASS -f 1.2.3.44+*:80:TCP
>ipsecpol -w REG -p pf -r Out_HTTPS    -n PASS -f 1.2.3.44+*:443:TCP
>ipsecpol -w REG -p pf -r Out_DNS-UDP  -n PASS -f 1.2.3.44+*:53:UDP
>ipsecpol -w REG -p pf -r Out_DNS-TCP  -n PASS -f 1.2.3.44+*:53:TCP
>
>::
>:: Activate this policy
>::
>ipsecpol -w REG -p pf -x
>
> >
> >
> > At 11:18 AM 10/14/2002, you wrote:
> > >I'm implementing port filtering on a Win2k server using built-in IPSEC
> > >policies.
> > >I'm having a bit of a time figuring out how to permit PASV FTP.  My FTP rules
> > >are pretty simple (so far).  Assuming the server is at IP 123.123.1:
> > >
> > >
> > >Source (IP:Port)     Destination (IP:Port)  Action
> > >------------------   --------------------   -------------
> > >Any:Any              123.123.123.1:21       Pass
> > >123.123.123.1:21     Any:Any                Pass
> > >123.123.123.1:20     Any:Any                Pass
> > >
> > >
> > >The rules are set up with a default deny rule - anything not explicitly
> > >passed is blocked.  The server is not behind any other firewall or NAT'ing
> > >router, and is using a public IP address.  If I'm not mistaken, the above
> > >will permit active FTP connections to/from an FTP client (by permitting
> > >port 20 outbound).  The problem that I'm having, I believe, is with FTP
> > >clients that must establish PASV connections due to their own firewalling.
> > >
> > >My understanding is that with PASV FTP, the server tells the client which
> > >data port to establish a connection on (rather than initiating the
> > >connection from port 20).  So the client then attempts an incoming
> > >connection for the data channel on this randomly chosen port.  Any clues
> > >how to deal with this?
> > >
> > >Jim
> > >
> > >
> > >____________ The ISP-SECURITY Discussion List ____________
> > >To Join: mailto:[EMAIL PROTECTED]
> > >To Remove: mailto:[EMAIL PROTECTED]
> > >Archives: http://isp-lists.isp-planet.com/isp-security/archives/
> > >To Remove: mailto:%%email.unsub%%