Re: ip_masq_ftp

To: Bernd Eckenfels <lists@lina.inka.de>
Cc: Iain <iain@minihub.org>, <debian-firewall@lists.debian.org>
Subject: Re: ip_masq_ftp
From: Tzafrir Cohen <tzafrir@technion.ac.il>
Date: Sat, 24 Nov 2001 14:05:31 +0200 (IST)
Message-id: <[🔎] Pine.GSO.4.33_heb2.09.0111241352440.10801-100000@techunix.technion.ac.il>
In-reply-to: <[🔎] 20011124072634.A5015@lina.inka.de>

On Sat, 24 Nov 2001, Bernd Eckenfels wrote:

> On Sat, Nov 24, 2001 at 04:34:49PM +1100, Iain wrote:
> > How do you specify a port range for it?
>
> I just checked it again. In 2.2 it is using the Masquerading Port Range. The
> Masquerading Port Range is shared by all Masquerading stuff (even outgoing)
> and can be configured hardcoded with 2.2.x:
>
> linux/include/net/ip_masq.h:#define PORT_MASQ_BEGIN	61000
> linux/include/net/ip_masq.h:#define PORT_MASQ_END	(PORT_MASQ_BEGIN+4096)
>
> > > Anyway, I do not recommend to allow active FTP inside anyway.
> > whynot?
>
> Because this attack is not realy fixed: (and fixing it and some other
> culnerabilities require a detailed parsing of the FTP protocol, which can
> only be done in an ALG):
>
>  * Protection against the "extended FTP ALG vulnerability".
>  *    This vulnerability was reported in:
>  *
>  * http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se
>  *
>  *    The protection here is very simplistic, but it at least denies access
>  *    to all ports under 1024, and allows the user to specify an additional
>  *    list of high ports on the insmod command line, like this:
>  *            noport=x1,x2,x3, ...
>  *    Up to MAX_MASQ_APP_PORTS (normally 12) ports may be specified, the
>  *    default blocks access to the X server (port 6000) only.

The problem is that passive-mode FTP is just as big a hole to the server
(it has to allow connections to any high port), and therefore some
servers won't allow it. If you need to connect to such a server, then you
have to use active-mode ftp.

Those servers are relatively rare, because web browsers tend to use only
passive-mode ftp (right?)

>
> Using an Proxy allows you

[ at the expense of a more complicated system and extra CPU and disk space ]

>                            to do content filtering,

[ read: big brother ]

>                                                    audit trails,

Fully agree. again, keep in mind the aspect of privecy with respect to the
generated logs.

>                                                                  better
> protocol filtering (against above attack). And for FTP Servers it could also
> protect against bugs in serves (actually you need a good FTP Proy for that,
> I am still searching for that one :)
>

Squid and similar http proxies can be a sort-of a ftp-proxy. They can
fetch files and directory listings through ftp, but they don't keep
sessions open. And when you try to connect to a busy site, opening a new
control connection for each directory listing or file fetching will cause
many more retries. Those programs are not *real* ftp proxies. (I believe
that you can find that clearly stated in squid's FAQ).

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir

Reply to:

Follow-Ups:
- Re: ip_masq_ftp
  - From: Bernd Eckenfels <lists@lina.inka.de>

References:
- Re: ip_masq_ftp
  - From: Bernd Eckenfels <lists@lina.inka.de>

Prev by Date: Re: ip_masq_ftp
Next by Date: Re: ip_masq_ftp
Previous by thread: Re: ip_masq_ftp
Next by thread: Re: ip_masq_ftp
Index(es):
- Date
- Thread