
Re: ip_masq_ftp

On Sat, Nov 24, 2001 at 04:34:49PM +1100, Iain wrote:
> How do you specify a port range for it?

I just checked it again. In 2.2 it is using the Masquerading Port Range. The
Masquerading Port Range is shared by all Masquerading stuff (even outgoing)
and can be configured hardcoded with 2.2.x:

linux/include/net/ip_masq.h:#define PORT_MASQ_BEGIN	61000
linux/include/net/ip_masq.h:#define PORT_MASQ_END	(PORT_MASQ_BEGIN+4096)

> > Anyway, I do not recommend allowing active FTP inside anyway.
> why not?

Because this attack is not really fixed (and fixing it and some other
vulnerabilities requires detailed parsing of the FTP protocol, which can
only be done in an ALG):

 * Protection against the "extended FTP ALG vulnerability".
 *      This vulnerability was reported in:
 * http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se
 *      The protection here is very simplistic, but it at least denies access 
 *      to all ports under 1024, and allows the user to specify an additional 
 *      list of high ports on the insmod command line, like this:
 *              noport=x1,x2,x3, ...
 *      Up to MAX_MASQ_APP_PORTS (normally 12) ports may be specified, the 
 *      default blocks access to the X server (port 6000) only.

Using a Proxy allows you to do content filtering, audit trails, better
protocol filtering (against above attack). And for FTP Servers it could also
protect against bugs in servers (actually you need a good FTP Proxy for that,
I am still searching for that one :)

  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
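The check described in the quoted ip_masq_ftp comment (deny every data port below 1024, plus an additional "noport" list of high ports, defaulting to the X server port 6000) is small enough to show in full. The following is an added example written for this page; it is not the list author's code and not the kernel's ip_masq_ftp module. It parses the argument of an FTP PORT command ("h1,h2,h3,h4,p1,p2"), derives the data port, and applies that policy. The function names, the `noport_default` list and the sample PORT arguments are all assumptions constructed for the example; only the 1024 threshold, the 6000 default and the MAX_MASQ_APP_PORTS limit of 12 come from the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Limit named in the quoted comment: at most 12 extra ports on insmod. */
#define MAX_MASQ_APP_PORTS 12

/* Hypothetical deny list standing in for the insmod "noport=" option.
 * The default in the message blocks only the X server (port 6000). */
static const uint16_t noport_default[] = { 6000 };
static const size_t noport_default_len =
    sizeof noport_default / sizeof noport_default[0];

/* Parse "h1,h2,h3,h4,p1,p2" from an FTP PORT command.
 * Every field must be a bare decimal 0..255; anything else is malformed.
 * Returns 1 on success (addr/port filled in), 0 on malformed input. */
int parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port)
{
    unsigned int v[6];
    const char *p = arg;
    char *end;
    unsigned long n;
    int i;

    for (i = 0; i < 6; i++) {
        /* strtoul would accept leading spaces or a sign; refuse them. */
        if (*p < '0' || *p > '9')
            return 0;
        n = strtoul(p, &end, 10);
        if (end == p || n > 255)
            return 0;
        v[i] = (unsigned int)n;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return 0;
            p++;
        }
    }
    /* Only end-of-string or the trailing CRLF may follow the sixth field. */
    if (*p != '\0' && *p != '\r' && *p != '\n')
        return 0;

    *addr = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Policy from the quoted comment: refuse all ports under 1024 and every
 * port on the noport list. Returns 1 if the data connection may be
 * masqueraded, 0 if it must be refused. */
int port_allowed(uint16_t port, const uint16_t *noport, size_t n)
{
    size_t i;

    if (port < 1024)
        return 0;
    for (i = 0; i < n && i < MAX_MASQ_APP_PORTS; i++)
        if (noport[i] == port)
            return 0;
    return 1;
}

/* Full decision on one PORT argument using the default deny list.
 * Returns 1 = allow, 0 = deny, -1 = malformed command. */
int check_port_command(const char *arg)
{
    uint32_t addr;
    uint16_t port;

    if (!parse_port_arg(arg, &addr, &port))
        return -1;
    return port_allowed(port, noport_default, noport_default_len);
}

int main(void)
{
    /* Constructed sample PORT arguments, not captured traffic. */
    static const char *samples[] = {
        "10,0,0,5,4,1",     /* 10.0.0.5:1025  -> allow */
        "10,0,0,5,0,80",    /* port 80        -> deny (under 1024) */
        "10,0,0,5,23,112",  /* port 6000      -> deny (noport list) */
        "10,0,0,5,256,1",   /* field > 255    -> malformed */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = check_port_command(samples[i]);
        printf("PORT %-18s -> %s\n", samples[i],
               r == 1 ? "allow" : r == 0 ? "deny" : "malformed");
    }
    return 0;
}
```

The parser is deliberately strict: a real ALG that is lenient about the PORT syntax (accepting signs, whitespace or out-of-range octets) can end up agreeing with the client on a different port than the server does, which is exactly the kind of gap the message says only a full protocol parser can close. The masquerading port range (PORT_MASQ_BEGIN..PORT_MASQ_END) from the first part of the message is a separate constraint on the translated source port and is not modelled here.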
