
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 16 Sep 2004, Jonas Meurer wrote:
> On 13/09/2004 Mike Mestnik wrote:
>> Yes, unlike HTTP, FTP uses one connection for authentication and
>> commands (user, pass, cd, ls(dir), get, put, pasv, port, ext). The other
>> connections carry data (the directory listings and files).  Setting up these
>> ftp-data connections has been a problem for stateful FWs.
>>
>>> i use proftpd as ftp server, and i read that proftpd uses port L-1 as
>>> source port, where L is the data port of the server.
>>>
>> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
>> --state NEW" should work fine.
>
> does this show the port as open in portscans?

No, since it is an output rule.  Port scanning only concerns INPUT and
FORWARD rules, since it requires a packet coming in.

>>> this would require to open ports 209, 214, 219, 224 and 229 as well,
>>> correct? then the easiest way would be to add them to my iptables rules,
>>> am i right?
>>
>> Correct.  There is another problem now, pasv FTP.  The L-1 thing only
>> worked for active(port) FTP and MANY(all) stateful firewalls will have a
>> hard time working with these.  This is why there is code to support FTP
>> clients, since it *was* ?rare? for commercial FTP clients to use anything
>> other than port based FTP.
>>
>> This will require you to accept any connection to the
>> ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range 32768 to 61000)
>> with "INPUT -p tcp --dport 32768:61000 -m state --state NEW".  You can
>> write to as well as read this file, if you only wish to open let's say
>> 32768 32800.
>
> so but if firehol takes care of the default ftp port, it should
> consider this, and though already open these ports for passive ftp,
> shouldn't it? daniel, can you tell us?

Firehol does read the ip_local_port_range sysctl and use that for rules
on the INPUT/OUTPUT chains.  It allows almost anything for rules on the
FORWARD chain since it cannot assume anything about the machines it is
acting as an IP forwarder for.

>>> what i'm wondering about: does firehol do this for port 20 with its
>>> complex ftp service?
>
> daniel?

You can see what it sets up in the file /etc/firehol/firehol, line 878.

A quick check says that it does take into account both active and
passive FTP, and does use the default local port range.

        Daniel
-- 
There are no poisonous substances, only incorrect doses.
        -- Paracelsus
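An added example, not from the thread and not firehol's own code: a small POSIX sh script that builds the rule set discussed above (control port, the L-1 active-mode source port, and the passive range taken from ip_local_port_range) for one or several FTP control ports, and emits the sysctl write for narrowing that range. Assumed names: sample_range, port_range_from, ftp_rules, narrow_range_cmd; the range file is a constructed stand-in for the /proc entry, and nothing is applied, only printed for review.

```sh
# Constructed stand-in for /proc/sys/net/ipv4/ip_local_port_range (same
# "low<TAB>high" layout) so the script runs without root or a Linux kernel.
sample_range="${TMPDIR:-/tmp}/ip_local_port_range.sample"
printf '32768\t61000\n' > "$sample_range"

# Turn the range file into the low:high form iptables expects for --dport.
port_range_from() {
    read -r low high < "$1"
    printf '%s:%s\n' "$low" "$high"
}

# Print (never apply) the rules for every FTP control port listed in $1,
# using $2 as the ephemeral range. The data port is L-1, as in the thread.
ftp_rules() {
    range=$2
    for ctrl in $1; do
        data=$((ctrl - 1))
        # control connection
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$ctrl"
        # active (PORT) FTP: the server dials out from L-1; an OUTPUT rule,
        # so it does not show up in a port scan of this host
        printf 'iptables -A OUTPUT -p tcp --sport %s -m state --state NEW -j ACCEPT\n' "$data"
    done
    # passive (PASV) FTP: the client connects to an ephemeral server port,
    # so the whole range has to accept NEW connections
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$range"
    # return traffic for both modes
    printf 'iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Shrink the passive range (the thread's "32768 32800" idea) by writing the
# sysctl; refuse nonsense so a typo cannot leave the kernel with no ports.
narrow_range_cmd() {
    low=$1; high=$2
    [ "$low" -ge 1024 ] && [ "$high" -gt "$low" ] && [ "$high" -le 65535 ] || return 1
    printf 'echo "%s %s" > /proc/sys/net/ipv4/ip_local_port_range\n' "$low" "$high"
}

ftp_rules "21" "$(port_range_from "$sample_range")"
narrow_range_cmd 32768 32800
```

Pass several control ports ("21 210 215") to get the L-1 OUTPUT rule for each, which is what the subject line of this thread was asking for.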