Re: ftp

To: debian-firewall@lists.debian.org
Subject: Re: ftp
From: Giacomo Mulas <gmulas@ca.astro.it>
Date: Thu, 1 Mar 2001 11:35:21 +0100 (CET)
Message-id: <Pine.LNX.4.21.0103011120080.5931-100000@capitanata.ca.astro.it>
In-reply-to: <01C0A240.EFA2BB80@jsbach.mader>

On Thu, 1 Mar 2001, Konrad Mader wrote:

> what is to do to enable ftp through the Firewall (debian2.2,
> Kernel2.2). www and Mail works fine so I think

There are two separate problems:

1) allowing ftp from the oustide world to some host in your protected LAN
2) allowing ftp from your protected LAN to the outside world

which one do you want? They are different and somewhat tricky problems,
due to the way in which ftp works by default ("active" ftp). This kind of
problems is (very!) much simpler with the stateful and "intelligent"
firewalling capabilities of the new stable Linux kernel branch (2.4.x)
than with (stateless) firewalling of the 2.2.x kernels (unless you run an
user space stateful firewall utility such as spf, packaged for Debian
unstable but easily compilable from sources on potato).

I would not recommend allowing the outside world authorized ftp to a host
in your protected LAN: username and passwords are sent unencrypted, and a
sniffing "bad guy" could easily steal access to an (unprivileged) user
account to your ftp server. The bad guy avoids doing anything suspicious,
and patiently waits. Then, as soon as a local exploit is found to which
that computer is vulnerable, the bad guy becomes root...

Allowing only anonymous access is somewhat less risky (but still risky),
since you do not need to set up a full shell account for it and the only
way for an intruder to break in through it is through a security flaw in
the ftp daemon itself.

Bye
Giacomo

_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________

Reply to:

Follow-Ups:
- Re: ftp
  - From: Michael Wood <wood@kingsley.co.za>

References:
- ftp
  - From: Konrad Mader <konrad.mader@gmx.de>

Prev by Date: Re: ftp
Next by Date: Re: ftp
Previous by thread: Re: ftp
Next by thread: Re: ftp
Index(es):
- Date
- Thread