Re: [SLUG] Newbie Sysadmin's Journal - firewall

From: Chris Mathey (slug@mathey.org)
Date: Fri Jul 13 2007 - 08:45:53 EDT


Levi Bard wrote:
>> # Normal services
>> # FTP
>> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> You probably want to allow port 20 also for passive ftp?
That is active mode. Also, the server connects to the client via port 20
for the data connection. Here is the data flow, which should help with
your firewall:
http://slacksite.com/other/ftp.html
This is chock full of example scripts and FAQs:
http://www.linuxguruz.com/iptables/

In that case you should use the connection tracking module
"ip_conntrack_ftp".
Load the modules:
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# RELATED lets the ftp helper admit the data connections it reads from the control stream
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# control channel
iptables -A INPUT -p tcp -i eth0 --dport 21 -m state --state NEW -j ACCEPT
#for passive mode
iptables -A INPUT -p tcp --sport 1024: --dport 49152:49162 -m state --state ESTABLISHED -j ACCEPT

This is quick and dirty. No guarantees here :)

>
>
>> # Unprivileged ports inserted by Virtuozzo. Why?
>> -A INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
>> -A INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
>
> Active ftp data channel tends to use a random high port. In any case,
> you probably don't have anything exploitable (or anything at all)
> running higher than 1024.
It is random; however, the port number is contained in the packet, so the
client can connect to the correct port.

proftpd is one of the most popular FTP servers. Just configure the
passive mode ports in the config file:
"PassivePorts 49152 49162"

Now you only have to deal with 10 ports instead of all
ephemeral ports.

>
> I see that you're filtering your output traffic as well. What's the
> reason for this, concern about someone trojaning (verbing weirds
> language) the machine?
>
I see no reason to filter outbound, but that is my opinion. It's a
server; I'm sure his ftp/mail server isn't opening infected email or
browsing virus-infected porn sites :)
If someone roots your box, a default deny on the output chain will only
get a quick chuckle from the attacker.
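As an added example that is not part of this thread, the Python below parses the PASV replies and PORT commands of a constructed FTP control session, computes the data port each one advertises (p1*256+p2, the same value ip_conntrack_ftp reads from the control stream), and flags any passive port that falls outside the "PassivePorts 49152 49162" range the static rule above allows. The addresses and log lines are constructed samples.

```python
import re

# Passive port range as configured in proftpd.conf ("PassivePorts 49152 49162").
PASSIVE_PORTS = (49152, 49162)

# Both the 227 reply and the PORT command carry h1,h2,h3,h4,p1,p2.
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_endpoint(line):
    """Return (mode, ip, port) for a PASV reply or PORT command, else None.

    The data port is encoded as two bytes: port = p1 * 256 + p2.
    """
    for mode, rx in (("passive", _PASV_RE), ("active", _PORT_RE)):
        m = rx.match(line.strip())
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            if max(h1, h2, h3, h4, p1, p2) > 255:
                return None  # malformed: every field must fit in one byte
            return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def static_rule_accepts(mode, port, passive_range=PASSIVE_PORTS):
    """Would the static INPUT rules from the post admit this data connection?

    Passive: the client connects in, so the port must be in 49152:49162.
    Active: the server connects out from port 20; only ESTABLISHED replies
    come back in, so no static dport rule is needed.
    """
    if mode == "active":
        return True
    lo, hi = passive_range
    return lo <= port <= hi


def audit(control_log):
    """Return (mode, ip, port, accepted) for every data endpoint in the log."""
    findings = []
    for line in control_log:
        parsed = parse_endpoint(line)
        if parsed is None:
            continue  # not a PASV reply or PORT command
        mode, ip, port = parsed
        findings.append((mode, ip, port, static_rule_accepts(mode, port)))
    return findings


# Constructed control-channel excerpt (TEST-NET-1 addresses).
SAMPLE_LOG = [
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,192,5)",   # 49157: inside the range
    "PORT 192,0,2,50,200,10",                          # active: client port 51210
    "227 Entering Passive Mode (192,0,2,10,195,64)",  # 49984: outside the range
]
```

Any finding with `accepted == False` is a passive port the server advertised that the static rule would drop, which means either PassivePorts is not set or the firewall range does not match it.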
