
Re: redir y firewall



I don't have the original post, but if I remember correctly the router
you are using is doing NAT, then you have the Linux firewall, and you are
redirecting the port in both places.

The problem is going to arise with the ftp-data port.  If you use passive FTP
your existing setup should work.  The ftp-data connection opens in
reverse, so from the NT server it would originate on port 23, but go to
some random port.  The packets should be forwarded by your existing MASQ
and NAT setup, but the source port # will be changed, and this will
confuse the ftp client, and it will not work.

I do not see a way around this.  You are going to have to force the ftp
clients to use passive FTP.  I have some ideas on how you could get around
it, but I don't think the kernel currently would implement them.  You want
to forward packets from the internal network originating on port 23
unmasqueraded, but with the source address rewritten to the external router
address.  Then you could set up a forward for the ftp-data port just as you
have done already.

So your options are:
use ssh and scp to copy files, and allow people to do ftp over ssh (using
the ssh tunneling stuff, I however haven't used it much)

and/or

use passive FTP.

On Fri, 3 Dec 1999 wsuetholz@centonline.com wrote:

> 
> On 03-Dec-99 Iñaki Martínez wrote:
> > Kaixo wsuetholz@centonline.com!!!
> > 
> >> FTP opens a data port from your NT back out to the outside machine.  Is
> >> that direction going to be masked properly for you?
> > 
> >  How can I know that???? Which tool can I use????
> > 
> >  Or how can I masquerade properly????
> >  
> See my earlier post....
> 
> >> BTW: Did you know that this can be snooped?  Might be better to set up
> >> SSH.  NT has many security holes, who knows maybe somebody with ftp access
> >> can get in and do horrible things..
> > 
> >  OK.... first I need to work the ftp, then ssh.....
> 
> The SSH setup would be instead of FTP, I think.  I still have this on my
> todo list.
> 
> I am not an ssh expert, but the way I understand it is that you will
> be connecting only over the SSH port, and everything you send will be
> encrypted to reduce the possibility of snooping.  FTP and Telnet, et al.,
> usually send logins and passwords in the clear, not a good thing for security
> concerns.  Given the possibilities for security holes in your destination
> machine, you should try to do as much as you can on your Firewall/Router setup.
> 
> Bill Suetholz
> 
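As an added illustration of the active/passive point made above (this is not code from the thread): a small Python script that decodes the FTP PORT command and the 227 passive reply, reports which side opens the data connection, and flags the case a plain masquerading box cannot carry. All addresses and ports are constructed.

```python
"""Active vs. passive FTP data connections seen from behind a NAT/masq box.

Constructed example: 'PORT a,b,c,d,p1,p2' is what an active-mode client
sends, '227 ... (a,b,c,d,p1,p2)' is what a passive-mode server replies.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class DataChannel:
    mode: str            # "active" or "passive"
    initiator: str       # who opens the data connection
    addr: str            # address the initiator connects to
    port: int
    works_via_nat: bool  # carried by stateless-of-FTP masquerading?
    reason: str


def decode_hostport(hp: str):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and the 227 reply."""
    n = [int(x) for x in hp.split(",")]
    if len(n) != 6 or any(not 0 <= v <= 255 for v in n):
        raise ValueError(f"bad host/port tuple: {hp!r}")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def classify(line: str) -> DataChannel:
    """Classify one control-channel line: client PORT or server 227 reply."""
    line = line.strip()
    m = re.match(r"^PORT\s+([\d,]+)$", line, re.I)
    if m:
        addr, port = decode_hostport(m.group(1))
        # Active mode: the *server* connects back to the address the client
        # placed in PORT.  Behind NAT that is the client's private address,
        # which the server cannot reach and the masq box does not forward.
        private = ip_address(addr).is_private
        why = ("server must connect inbound to a private address"
               if private else "advertised address is routable from outside")
        return DataChannel("active", "server", addr, port, not private, why)
    m = re.match(r"^227 .*?\(([\d,]+)\)", line)
    if m:
        addr, port = decode_hostport(m.group(1))
        # Passive mode: the *client* opens the data connection outbound, just
        # like the control connection, so ordinary masquerading tracks it.
        return DataChannel("passive", "client", addr, port, True,
                           "client initiates outbound; masq tracks the flow")
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")
```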