
Re: ip_masq_ftp

On Sat, 24 Nov 2001, Bernd Eckenfels wrote:

> On Sat, Nov 24, 2001 at 04:34:49PM +1100, Iain wrote:
> > How do you specify a port range for it?
> I just checked it again. In 2.2 it is using the Masquerading Port Range. The
> Masquerading Port Range is shared by all Masquerading stuff (even outgoing)
> and can be configured hardcoded with 2.2.x:
> linux/include/net/ip_masq.h:#define PORT_MASQ_BEGIN	61000
> linux/include/net/ip_masq.h:#define PORT_MASQ_END	(PORT_MASQ_BEGIN+4096)
> > > Anyway, I do not recommend to allow active FTP inside anyway.
> > whynot?
> Because this attack is not really fixed: (and fixing it and some other
> vulnerabilities require a detailed parsing of the FTP protocol, which can
> only be done in an ALG):
>  * Protection against the "extended FTP ALG vulnerability".
>  *    This vulnerability was reported in:
>  *
>  * http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se
>  *
>  *    The protection here is very simplistic, but it at least denies access
>  *    to all ports under 1024, and allows the user to specify an additional
>  *    list of high ports on the insmod command line, like this:
>  *            noport=x1,x2,x3, ...
>  *    Up to MAX_MASQ_APP_PORTS (normally 12) ports may be specified, the
>  *    default blocks access to the X server (port 6000) only.

The problem is that passive-mode FTP is just as big a hole to the server
(it has to allow connections to any high port), and therefore some
servers won't allow it. If you need to connect to such a server, then you
have to use active-mode ftp.

Those servers are relatively rare, because web browsers tend to use only
passive-mode ftp (right?)

> Using a Proxy allows you

[ at the expense of a more complicated system and extra CPU and disk space ]

>                            to do content filtering,

[ read: big brother ]

>                                                    audit trails,

Fully agree. Again, keep in mind the aspect of privacy with respect to the
generated logs.

>                                                                  better
> protocol filtering (against above attack). And for FTP Servers it could also
> protect against bugs in servers (actually you need a good FTP Proxy for that,
> I am still searching for that one :)

Squid and similar http proxies can be a sort of ftp-proxy. They can
fetch files and directory listings through ftp, but they don't keep
sessions open. And when you try to connect to a busy site, opening a new
control connection for each directory listing or file fetch will cause
many more retries. Those programs are not *real* ftp proxies. (I believe
that you can find that clearly stated in squid's FAQ).

Tzafrir Cohen
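As an added illustration of the simplistic protection quoted above, and of the passive-mode reply the second paragraph refers to, here is a small C model written for this page; it is not code from ip_masq_ftp or the Linux kernel. It parses the `h1,h2,h3,h4,p1,p2` host/port form shared by the PORT command and the 227 passive reply, applies the rule the quoted comment describes (deny ports below 1024 and any port on a `noport` list, default 6000, at most MAX_MASQ_APP_PORTS entries), and checks a port against the masquerading range from the quoted `ip_masq.h`. Two things are assumptions added here rather than anything the thread describes: the requirement that the address in a PORT command equal the internal client's own address, and the half-open reading of the masquerade range.

```c
/* Added example, not ip_masq_ftp's code: a minimal FTP ALG policy model. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MASQ_APP_PORTS 12                 /* from the quoted comment */
#define PORT_MASQ_BEGIN 61000                 /* from the quoted ip_masq.h */
#define PORT_MASQ_END (PORT_MASQ_BEGIN + 4096)

/* "noport" list as set on the insmod line; the default blocks only X (6000). */
static int noport[MAX_MASQ_APP_PORTS] = { 6000 };
static int noport_count = 1;

/* Parse "h1,h2,h3,h4,p1,p2" (the RFC 959 form used by PORT and 227 replies)
   into a dotted address and port = p1*256+p2.  Returns 0 on success, -1 on
   malformed input. */
int ftp_parse_hostport(const char *s, char *addr, size_t addrlen, int *port)
{
    int v[6], i;
    for (i = 0; i < 6; i++) {
        char *end;
        long n;
        while (*s == ' ') s++;
        if (!isdigit((unsigned char)*s)) return -1;
        n = strtol(s, &end, 10);
        if (n < 0 || n > 255) return -1;
        v[i] = (int)n;
        s = end;
        if (i < 5) {
            if (*s != ',') return -1;
            s++;
        }
    }
    snprintf(addr, addrlen, "%d.%d.%d.%d", v[0], v[1], v[2], v[3]);
    *port = v[4] * 256 + v[5];
    return 0;
}

/* Emulates "noport=x1,x2,..." on the insmod line: replaces the list.
   Returns the number of entries, or -1 if malformed or more than
   MAX_MASQ_APP_PORTS. */
int ftp_alg_set_noport(const char *list)
{
    int tmp[MAX_MASQ_APP_PORTS], n = 0;
    const char *s = list;
    while (*s) {
        char *end;
        long p = strtol(s, &end, 10);
        if (end == s || p < 1 || p > 65535) return -1;
        if (n == MAX_MASQ_APP_PORTS) return -1;
        tmp[n++] = (int)p;
        s = end;
        if (*s == ',') s++;
        else if (*s) return -1;
    }
    if (n == 0) return -1;
    memcpy(noport, tmp, n * sizeof tmp[0]);
    noport_count = n;
    return n;
}

/* Should the ALG open a masquerade entry for this active-mode PORT command
   from the internal client at client_addr?  1 = allow, 0 = deny. */
int ftp_alg_allow_port(const char *cmdline, const char *client_addr)
{
    char addr[16];
    int port, i;
    if (strncmp(cmdline, "PORT ", 5) != 0) return 0;
    if (ftp_parse_hostport(cmdline + 5, addr, sizeof addr, &port) != 0) return 0;
    if (strcmp(addr, client_addr) != 0) return 0; /* assumption: own address only */
    if (port < 1024) return 0;                    /* privileged ports: denied */
    for (i = 0; i < noport_count; i++)
        if (port == noport[i]) return 0;          /* e.g. 6000, the X server */
    return 1;
}

/* Data port a server announces in "227 Entering Passive Mode (h,h,h,h,p,p)":
   any high port it likes, which is the hole the thread describes.  -1 if the
   line is not a well-formed 227 reply. */
int ftp_pasv_port(const char *reply)
{
    char addr[16];
    int port;
    const char *open = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || open == NULL) return -1;
    if (ftp_parse_hostport(open + 1, addr, sizeof addr, &port) != 0) return -1;
    return port;
}

/* Assumption: the masquerade range is half-open, [BEGIN, END). */
int ftp_masq_port_in_range(int port)
{
    return port >= PORT_MASQ_BEGIN && port < PORT_MASQ_END;
}

int main(void)
{
    /* constructed sample commands, not captured traffic */
    printf("PORT to 1025: %d\n", ftp_alg_allow_port("PORT 192,168,1,5,4,1", "192.168.1.5"));
    printf("PORT to 6000: %d\n", ftp_alg_allow_port("PORT 192,168,1,5,23,112", "192.168.1.5"));
    printf("PASV port:    %d\n", ftp_pasv_port("227 Entering Passive Mode (198,51,100,7,195,80)"));
    return 0;
}
```

The `noport` list is a single global here, as a module parameter would be; `ftp_alg_set_noport` replaces it rather than appending, so the X-server default disappears unless 6000 is repeated on the new list, which is the behaviour a `noport=` override would have.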
