Re: rules for FTP access

To: debian-firewall@lists.debian.org
Subject: Re: rules for FTP access
From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>
Date: Thu, 1 Sep 2005 13:15:54 +0200
Message-id: <[🔎] 20050901131554.A7655@planetcobalt.net>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <[🔎] 20050901073115.GA29983@lia.ch>; from sb@lia.ch on Thu, Sep 01, 2005 at 09:31:15AM +0200
References: <4315ABA9.2000201@gmail.com> <1125520713.4575.3.camel@localhost.localdomain> <[🔎] 4316A329.9030508@gmail.com> <[🔎] 20050901073115.GA29983@lia.ch>

On 2005-09-01 Stephan Balmer wrote:
>> but, once I have loaded contrack ftp modules and I want to permit ftp
>> client connections from my private subnet, which is behind eth1, to
>> Internet through eth0, I should do:
>>
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 20:21 -j ACCEPT
> 
> Yes, that should work.

No. He would need either

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 20 -j ACCEPT

or

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 1024: -j ACCEPT

The former is for active FTP, the latter for passive FTP. I *strongly*
recommend avoiding both and use connection tracking instead.

> But as others have pointed out, this is good for passive FTP-
> connections only, if your clients want to use active FTP, you need
> connection tracking (look for a kernel module ip_conntrack_ftp). 

Wrong. Port 20/tcp on the server is *only* needed for *active* FTP (and
would then have to be a --sport anyway, since the server initiates the
data connection). Passive FTP uses TCP ports above 1023 for the data
connection, which is initiated by the client. However, with connection
tracking enabled, you only need to allow 21/tcp for either active and
passive FTP, since the data connection will be RELATED to the already
ESTABLISHED control connection.

> In most cases, it's far easier and secure to configure your clients to
> use pasive mode than to fiddle with conntrack, many clients work
> passive by default.

Without connection tracking that'll work only if you allowed outbound
connections to non-privileged ports.

> Active FTP vs. Passive FTP, a Definitive Explanation:
> http://slacksite.com/other/ftp.html

May I suggest you re-read that page yourself?

Regards
Ansgar Wiechers
-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668

Reply to:

Follow-Ups:
- Re: rules for FTP access
  - From: Stephan Balmer <sb@lia.ch>
- Re: rules for FTP access
  - From: Fabrizio Sannicolo' <fabrizio.sannicolo@gmail.com>

References:
- Re: rules for FTP access
  - From: Fabrizio Sannicolo' <fabrizio.sannicolo@gmail.com>
- Re: rules for FTP access
  - From: Stephan Balmer <sb@lia.ch>

Prev by Date: Re: rules for FTP access
Next by Date: Re: rules for FTP access
Previous by thread: Re: rules for FTP access
Next by thread: Re: rules for FTP access
Index(es):
- Date
- Thread