passive FTP rules
Hi all
Are the following rules fine for allowing just passive FTP? Can't I
set it up any tighter than that?
I have snipped the script a little for clarity.
-- start of script --
#!/bin/sh
# Definitions
ipchains="$(which ipchains)"
[...]
# Default policies: drop everything that no later rule accepts
${ipchains} -P input DENY
${ipchains} -P forward DENY
${ipchains} -P output DENY
# Flush rules
${ipchains} --flush input
${ipchains} --flush forward
${ipchains} --flush output
[...]
# Passive FTP (inbound on ppp0)
# Control channel replies come from the server's port 21; data channel replies
# come from the high port the server announced in its PASV reply.
# "! -y" restricts both rules to non-SYN segments, so no new inbound
# connections are accepted by them.
${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 21 -i ppp0 -j ACCEPT ! -y
${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 -i ppp0 \
-j ACCEPT ! -y
[...]
# Passive FTP (outbound on ppp0)
# The client opens both the control connection (port 21) and the data
# connection (server's PASV port, 1024-65535), so SYNs may leave here.
${ipchains} -A output -p tcp -d 0.0.0.0/0 --dport 21 -i ppp0 -j ACCEPT
${ipchains} -A output -p tcp -d 0.0.0.0/0 --dport 1024:65535 -i ppp0 -j ACCEPT
[...]
# Masquerade the internal LAN out through ppp0
${ipchains} -A forward -s 192.168.1.0/24 -j MASQ -i ppp0
# Log the rest!
${ipchains} -A input -j DENY -l
${ipchains} -A output -j DENY -l
${ipchains} -A forward -j DENY -l
-- end of script --
Thanks in advance
Sven
--
Enjoy your job, make lots of money, work within the law. Choose any two.
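The following is an added worked example, not part of Sven's post and not ipchains itself: a small stateless rule evaluator in Python that replays the two inbound passive-FTP rules from the script against a few constructed TCP segments, and compares them with an assumed tightened variant that also restricts the local port with --dport 1024:65535 (the client side of both the control and the data connection uses an ephemeral port, so replies never need to reach a low local port). The packets, port numbers and the "tighter" rule set are constructed for the demonstration; the evaluator models only the options the script uses (-i, -p, --sport, --dport, ! -y, -j) and first-match semantics.

```python
"""Stateless evaluation of the posted passive-FTP ipchains input rules (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # (low, high) inclusive, or None for any port


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    sport: int
    dport: int
    syn: bool  # True only for a bare SYN segment, which is what ipchains -y matches


@dataclass(frozen=True)
class Rule:
    """One ipchains rule: -i iface -p proto [--sport lo:hi] [--dport lo:hi] [! -y] -j target."""
    iface: str
    proto: str
    sport: PortRange
    dport: PortRange
    not_syn: bool  # "! -y": match only segments that are NOT a bare SYN
    target: str

    def matches(self, p: Packet) -> bool:
        if p.iface != self.iface or p.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.not_syn and p.syn:
            return False
        return True


def evaluate(chain: list[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain's default policy (DENY here) applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The two passive-FTP input rules exactly as posted: control replies from port 21,
# data-channel replies from the server's PASV port, both only for non-SYN segments.
INPUT_AS_POSTED = [
    Rule("ppp0", "tcp", (21, 21), None, True, "ACCEPT"),
    Rule("ppp0", "tcp", (1024, 65535), None, True, "ACCEPT"),
]

# Assumed tightening (not from the post): the client end of both connections is an
# ephemeral port, so replies can additionally be limited with --dport 1024:65535.
INPUT_TIGHTER = [
    Rule("ppp0", "tcp", (21, 21), (1024, 65535), True, "ACCEPT"),
    Rule("ppp0", "tcp", (1024, 65535), (1024, 65535), True, "ACCEPT"),
]

# Constructed sample segments arriving on ppp0.
CONTROL_REPLY = Packet("ppp0", "tcp", 21, 40000, syn=False)       # server port 21 -> client
DATA_REPLY = Packet("ppp0", "tcp", 50123, 40001, syn=False)       # server's PASV port -> client
INBOUND_SYN = Packet("ppp0", "tcp", 50123, 22, syn=True)          # fresh connection attempt at us
NONSYN_TO_LOW_PORT = Packet("ppp0", "tcp", 50123, 22, syn=False)  # non-SYN segment aimed at port 22


def compare(pkt: Packet) -> tuple[str, str]:
    """Verdict under the posted rules and under the tightened rules."""
    return evaluate(INPUT_AS_POSTED, pkt), evaluate(INPUT_TIGHTER, pkt)


if __name__ == "__main__":
    samples = [("control reply", CONTROL_REPLY), ("data reply", DATA_REPLY),
               ("inbound SYN", INBOUND_SYN), ("non-SYN to port 22", NONSYN_TO_LOW_PORT)]
    for name, pkt in samples:
        posted, tighter = compare(pkt)
        print(f"{name:20s} posted={posted:6s} tighter={tighter}")
```

Running it shows that both rule sets pass the legitimate control and data replies and refuse an inbound SYN, but only the tightened set refuses a non-SYN segment addressed to a low local port such as 22. That difference is the extent of what a stateless ipchains filter can gain here: the "! -y" test stops new connections, and the --dport range keeps stray non-SYN traffic away from local services; anything finer (tying data-channel packets to a live FTP session) needs connection tracking, which ipchains does not provide.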