[ale] FTP/firewall issue

Joseph A. Knapka jknapka at earthlink.net
Tue Jul 3 10:34:51 EDT 2001


Bob Kruger wrote:
> 
> tewkewl at mindspring.com wrote:
> 
> > What firewall is this?  Is this ipchains/tables or is it a 'namebrand'?
> >
> > If it is a stateful inspection type firewall, make sure stateful inspection is enabled.
> >
> > > If it is not, then make sure you have port 21 (tcp) open for control coming in to the server, and port 20 (udp/tcp) for data.  These are the only two ports used for active ftp.  If it is a linux/unix box, run two sessions of tcpdump on the internal/dmz nic and external nic and compare the data when a user tries to log in.
> >
> 
> Firewall is iptables.
> 
> FTP daemon is Proftpd
> 
> Ports 20 and 21 are opened up for both tcp and udp for the LAN using the following:
> 
> /usr/sbin/iptables -A INPUT -p udp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ACCEPT
> /usr/sbin/iptables -A INPUT -p tcp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ACCEPT
> /usr/sbin/iptables -A INPUT -p udp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ACCEPT
> /usr/sbin/iptables -A INPUT -p tcp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ACCEPT

You need to open connections *to* your machine at ports >1024
*from* foreign port 21. The way active FTP works is that
the client makes an outgoing connection to port 20 on the
server, sends the server a local port number for data connections
(chosen more or less at random), and then the server initiates a
connection to the client on that port from server port 21.
(What were they thinking...)

Of course, this lets anyone who can source a connection from
port 21 (essentially, anyone with root privileges, or with
a Windows box) connect to nonprivileged ports on your
machine, which might not be desirable.

In ipchains there was a module (ip_masq_ftp.o, I think) that
could be inserted that looked for the client's PORT command
to the server and then opened the indicated port for
incoming connections from the server machine, obviating
the need to allow random connections from port 21. Surely
there is something similar in iptables?


-- Joe Knapka
"You know how many remote castles there are along the gorges? You
 can't MOVE for remote castles!" -- Lu Tze re. Uberwald
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
* Evolution is an "unproven theory" in the same sense that gravity is. *
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
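The iptables equivalent of ipchains' ip_masq_ftp is the connection-tracking FTP helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on 2.6.20 and later): it watches the PORT/PASV exchange on the control channel and marks the resulting data connection RELATED, so no rule keyed on a forgeable foreign source port is needed. For reference, the control channel is TCP 21 and the server-initiated active-mode data connection comes from server port 20, so the "anything from source port 20 or 21 to high ports" rule a helper-less setup needs is exactly the forgeable one the post warns about. The script below is an added example, not code from the thread or from ProFTPD; it assumes the LAN and interface of the quoted rules (192.168.2.0/24 on eth1, overridable via LAN_NET/LAN_IF), uses -m state (still accepted by current iptables, which maps it onto conntrack), and lets IPT be overridden with `echo` to print the rules instead of applying them. The `-j CT --helper ftp` rule is for kernels (4.7 and later) that no longer attach helpers automatically; on older kernels it fails and is skipped.

```shell
#!/bin/sh
# Added example: stateful iptables rules for an FTP server host, using the
# conntrack FTP helper instead of opening high ports to foreign port 20/21.
# Assumed values (from the quoted post): LAN 192.168.2.0/24 on eth1.
# Set IPT=echo to see the rules without applying them.

IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

load_ftp_helper() {
    # 2.6.20+ module name first, 2.4 name as fallback.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

apply_ftp_rules() {
    # Pin the ftp helper to control connections. Kernels without the CT
    # target (pre-2.6.34) reject this; the '|| true' lets the script continue
    # because those kernels attach the helper automatically.
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp || true

    # Packets of an already-tracked connection, plus connections the ftp
    # helper has flagged RELATED after seeing PORT/PASV: the server->client
    # data connection from port 20 (active) and the client->server connection
    # to an ephemeral server port (passive). Nothing here matches on a
    # foreign source port, so a forged "from port 21" connection gets nothing.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only NEW connection admitted from the LAN is the control channel.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 21 -m state --state NEW -j ACCEPT

    # Default deny for anything else arriving at the server. OUTPUT keeps
    # its default policy (ACCEPT), so the server may still originate traffic.
    $IPT -P INPUT DROP
}

# Run as "sh ftp-rules.sh apply" to load the helper and install the rules.
case "${1:-}" in
    apply) load_ftp_helper && apply_ftp_rules ;;
esac
```

Checking the result on a live box: `iptables -L INPUT -v -n` should show the ESTABLISHED,RELATED rule counting packets on the data connections, and `lsmod | grep conntrack_ftp` confirms the helper is loaded; if passive transfers hang while active ones work, the helper is not attached to the control connection.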