On Tue, 12 Mar 2002 21:20:05 +0100 "Joffer" <[EMAIL PROTECTED]> wrote:

> for somehow this msg just wouldn't add '>' to the text so I'll be answering
> here instead, so I won't confuse myself or you ppl.
>
> I consider Active FTP a security threat, since it involves opening tcp port
> 20 inbound on the firewall, since the ftp-server is initiating the
> connection for the ftp-data.

That's OK if you have a small network (or you have a lot of political
control over a large one!) Me... I must support active ftp. That's why I
moved to iptables, for RELATED.

> I recommend you read this document about Active FTP Vs Passive FTP, and use
> Passive FTP.
> http://www.slacksite.com/other/ftp.html
>
> If you trail that document opening (and closing everything else) you should
> fix it just fine.
>
> /Christopher Thorjussen
>
>
> ----- Original Message -----
> From: "Matt Cooling" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 12, 2002 5:23 PM
> Subject: FTP server firewall rules
>
>
> I'm running a webserver, which I have secured with iptables as follows:
>
> Chain INPUT (policy DROP)
> target     prot opt source              destination
> ACCEPT     tcp  --  <internal gateway>  anywhere     tcp dpt:ssh
> ACCEPT     tcp  --  anywhere            anywhere     tcp dpt:http
> ACCEPT     udp  --  <dns server>        anywhere     udp spt:domain
>
> I now want to give FTP access to specific IP addresses for uploading
> content. I started using the following rules:
>
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
>
> which allows ACTIVE FTP to work properly. However, I also want to allow
> PASSIVE FTP, which I assumed would require the following rule:
>
> iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT
>
> Unfortunately this doesn't seem to work. I've checked that the module is
> loaded:
>
> [root@testbox root]# cat /proc/modules
> ip_conntrack_ftp        4096   0 (unused)
> ipt_state               1152   1 (autoclean)
> ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp ipt_state]
> ...
> iptable_filter          2272   0 (autoclean) (unused)
> ip_tables              11424   2 [ipt_state iptable_filter]
> ...
>
> I've reviewed some articles on the Internet; however, these are generally
> oriented to protecting a box. Have I missed something basic, or should
> this work?
>
> Thanks in advance,
>
> Matt
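As an added example (not from this thread, and not Matt's ruleset), a small sh fragment for the server's INPUT chain with a dry-run mode; the client address passed to it is a placeholder. It accepts ESTABLISHED together with RELATED because conntrack flags only the first packet of the expected data connection as RELATED and the rest of that connection as ESTABLISHED, which a RELATED-only rule under a DROP policy leaves to be dropped.

```shell
#!/bin/sh
# Added example, not part of the original thread: minimal INPUT rules for
# an FTP server behind a DROP policy, covering active and passive mode.
# Set IPT="echo iptables" to dry-run and review the rules before applying.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

ftp_server_rules() {
    client="$1"   # placeholder client address, e.g. 192.0.2.10
    # The FTP helper watches the control channel (port 21) for PORT/PASV
    # and registers the expected data connection with conntrack.
    $MODPROBE ip_conntrack_ftp
    # Only the first packet of an expected data connection is RELATED;
    # everything after it (rest of the handshake, the transfer itself) is
    # ESTABLISHED, so a rule matching RELATED alone drops the transfer.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the control connection needs an explicit NEW rule. In active
    # mode the server dials out from port 20 and the replies come back
    # as ESTABLISHED, so no inbound ftp-data rule is required.
    $IPT -A INPUT -p tcp -s "$client" --dport ftp -m state --state NEW -j ACCEPT
}

# Dry-run: returns the rules that would be applied, as text, for review.
ftp_rules_preview() {
    ( IPT="echo iptables"; MODPROBE="echo modprobe"; ftp_server_rules "$1" )
}
```

Run `ftp_rules_preview 192.0.2.10` to inspect the generated rules before calling `ftp_server_rules` as root.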