[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables and ftp



On 2008-07-01 Mark Chong wrote:
> Be very skeptically of something you are unsure off, if something
> exists assume its insecure unless you know otherwise. When you say you
> want a 'secure' connection allowing only one IP to connect to you or
> for you to connect to (not sure which you want) then your connection
> is still vulnerable to ease dropping. If you want something secure
> then you need to look at other protocols such as ssh/sftp or ftp over
> ssl.

Indeed.

> Also whilst ansgars config will do what he thinks you are trying to
> achive if you were to use them verbatim your machine wouldn't even be
> able to make dns requests.

That is why I added a comment pointing out that the rules I posted are
incomplete.

> If you want to allow only outgoing ftp connections to a specific IP i 
> would suggest
> 
> iptables -A OUTPUT -p tcp --dport 21 -d ! 212.74.114.60 -j DROP

I'd strongly recommend against this, since connections to FTP servers on
non-default ports would still be possible with that rule. As well as any
other kind of connection. If the OP is serious about outbound control,
then only whitelisting will do.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html


Reply to: