Re: ip_masq_ftp
On Sat, 24 Nov 2001, Bernd Eckenfels wrote:
> On Sat, Nov 24, 2001 at 04:34:49PM +1100, Iain wrote:
> > How do you specify a port range for it?
>
> I just checked it again. In 2.2 it is using the Masquerading Port Range. The
> Masquerading Port Range is shared by all Masquerading stuff (even outgoing)
> and can be configured hardcoded with 2.2.x:
>
> linux/include/net/ip_masq.h:#define PORT_MASQ_BEGIN 61000
> linux/include/net/ip_masq.h:#define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)
>
> > > Anyway, I do not recommend to allow active FTP inside anyway.
> > whynot?
>
> Because this attack is not realy fixed: (and fixing it and some other
> culnerabilities require a detailed parsing of the FTP protocol, which can
> only be done in an ALG):
>
> * Protection against the "extended FTP ALG vulnerability".
> * This vulnerability was reported in:
> *
> * http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se
> *
> * The protection here is very simplistic, but it at least denies access
> * to all ports under 1024, and allows the user to specify an additional
> * list of high ports on the insmod command line, like this:
> * noport=x1,x2,x3, ...
> * Up to MAX_MASQ_APP_PORTS (normally 12) ports may be specified, the
> * default blocks access to the X server (port 6000) only.
The problem is that passive-mode FTP is just as big a hole to the server
(it has to allow connections to any high port), and therefore some
servers won't allow it. If you need to connect to such a server, then you
have to use active-mode ftp.
Those servers are relatively rare, because web browsers tend to use only
passive-mode ftp (right?)
>
> Using an Proxy allows you
[ at the expense of a more complicated system and extra CPU and disk space ]
> to do content filtering,
[ read: big brother ]
> audit trails,
Fully agree. again, keep in mind the aspect of privecy with respect to the
generated logs.
> better
> protocol filtering (against above attack). And for FTP Servers it could also
> protect against bugs in serves (actually you need a good FTP Proy for that,
> I am still searching for that one :)
>
Squid and similar http proxies can be a sort-of a ftp-proxy. They can
fetch files and directory listings through ftp, but they don't keep
sessions open. And when you try to connect to a busy site, opening a new
control connection for each directory listing or file fetching will cause
many more retries. Those programs are not *real* ftp proxies. (I believe
that you can find that clearly stated in squid's FAQ).
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
Reply to: