[luau] Iptables firewall question

MonMotha monmotha at indy.rr.com
Fri Jan 10 14:14:01 PST 2003


Vince Hoang wrote:
...
> Hmm. I will have to look into that more. I was always skeptical
> of ftp shims to simplify firewall configurations. It does seem to
> raise the bar when used on the server side of the ftp connection.

This is a stateful firewall.  It's meant to work this way.  If you want to do it 
by simply allowing ports, you might as well be using ipchains.

> 
> FWIW, The latest phrack (Linenoise / Java Tears down the
> Firewall) mentions how conntrack when used on the client side can
> be used to circumvent the firewall.

Certainly no worse than a blanket allow on high ports (which many people end up 
doing).  Also, putting a few qualifiers on the RELATED rule can help prevent 
this.  My script restricts RELATED connections (which is what these are) to high 
ports (above 1024) only.  This prevents a crafty server from tricking the 
conntracker into letting it connect to a system service (since most of them live 
on low ports) by responding creatively to a PASV command.

You can also do things with source port 20, but not all servers use 20 as the 
source port for FTP data connections, and you'd want to be able to match the 
helper anyway (to know the ftp helper allowed it, otherwise blanket deny it as 
it might be a bounce scan).  This can be done (helper match), but it's a kernel 
patch.

> 
> -Vince

--MonMotha

-- 
Optimist: The glass is half full.                      | PGP Key: 0x1B0390E0
Pessimist: The glass is half empty.                    | Outgoing mail signed
Engineer: The glass is twice as big as it needs to be. | monmotha at indy.rr.com
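The restriction MonMotha describes, written out as an added example (this is not MonMotha's script, nor anything from the original post). It uses the 2.4-era `-m state` syntax the thread is about, assumes `eth0` as the external interface, and defaults `IPT` and `MODPROBE` to `echo ...` so it can be run without root to inspect the rules it would install; set `IPT=iptables MODPROBE=modprobe` to apply them. The blanket variant is shown beside the hardened one for comparison.

```shell
#!/bin/sh
# Added example: confine helper-expected (RELATED) connections to high ports.
# IPT/MODPROBE default to a dry-run echo; interface name is an assumption.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
WAN_IF="${WAN_IF:-eth0}"   # assumption: the Internet-facing interface

# Load the FTP connection-tracking helper (2.4 kernel module name).
load_ftp_helper() {
    $MODPROBE ip_conntrack_ftp
}

# Weak variant: everything the conntracker marks RELATED is accepted,
# whatever port it is aimed at. A hostile server answering PASV with a
# low port can therefore reach a local system service.
related_blanket_rules() {
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Hardened variant: ESTABLISHED is accepted as usual, but RELATED (the
# data connections the ftp helper expects) only if the destination port
# is above 1024. Anything else RELATED is logged and dropped.
related_highport_rules() {
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 1025:65535 \
        -m state --state RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -m state --state RELATED \
        -j LOG --log-prefix "RELATED-lowport: "
    $IPT -A INPUT -i "$WAN_IF" -m state --state RELATED -j DROP
}

# Source-port-20 matching is possible too, but as the post notes not every
# server sends data from port 20, and without a helper match (which needs
# a kernel patch) you cannot tell a helper-approved connection from a scan.
# It is therefore shown only as a comment:
#   $IPT -A INPUT -i "$WAN_IF" -p tcp --sport 20 --dport 1025:65535 \
#       -m state --state NEW -j ACCEPT

load_ftp_helper
related_highport_rules
```

Running it as-is prints the `modprobe` and `iptables` commands instead of executing them; the key line is the `--dport 1025:65535` qualifier on the RELATED rule, which is what stops a crafted PASV reply from opening a path to a low-port service.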