[luau] Iptables firewall question

Vince Hoang luau at ml.altern8.net
Fri Jan 10 19:16:01 PST 2003


On Fri, Jan 10, 2003 at 07:14:18PM -0500, MonMotha wrote:
> This is a stateful firewall. It's meant to work this way. If
> you want to do it by simply allowing ports, you might as well
> be using ipchains.

Agreed. Using connection tracking for ftp does offer more
protection than a stateless ipchains configuration.
I did not mean to confuse the issue. 

> Certainly no worse than a blanket allow on high ports (which
> many people end up doing). Also, putting a few qualifiers on
> the RELATED rule can help prevent this. My script restricts
> RELATED connections (which is what these are) to high ports
> (above 1024) only. This prevents a crafty server from tricking
> the conntracker into letting it connect to a system service
> (since most of them live on low ports) by responding creatively
> to a PASV command.

My memory must be failing. Looking back at my homebrew iptables
script, it _does_ use ip_conntrack_ftp and RELATED flags for ftp.
(I also use ip_local_port_range to reduce the ephemeral port
range and accept ftp only from a small range of addresses.)

I would feel more comfortable about a firewall if it did not have to
protect an ftp server. A less schizophrenic protocol such as http
requires a single pair of src/dst ip/port. I can trust the state
established by that protocol more than that of ftp by several
orders of magnitude.

-Vince
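As an added example (not MonMotha's script and not anything posted in this thread), a small POSIX sh script that emits the kind of rule set discussed above: the ftp helper is assigned explicitly, RELATED connections are accepted only toward ports above 1024, and a lint function refuses any blanket RELATED accept before the rules are applied. The server address and client range are constructed placeholders, and the `-t raw ... -j CT --helper ftp` line assumes a kernel that does not auto-assign conntrack helpers.

```shell
#!/bin/sh
# Added example, not MonMotha's script: restricted-RELATED ftp rules for a
# firewall protecting an FTP server on its INPUT chain.
# Assumes iptables with the conntrack, helper and CT extensions. Addresses are
# constructed placeholders; override with FTP_SERVER=... FTP_CLIENTS=...
IPT="${IPT:-iptables}"
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"
FTP_CLIENTS="${FTP_CLIENTS:-198.51.100.0/24}"   # the "small range of addresses"

# Emit the rule set as text so it can be reviewed before anything is applied.
ftp_rules() {
    cat <<EOF
$IPT -t raw -A PREROUTING -p tcp -d $FTP_SERVER --dport 21 -j CT --helper ftp
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -s $FTP_CLIENTS -d $FTP_SERVER --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp --dport 1024:65535 -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate RELATED -j LOG --log-prefix "related-lowport: "
$IPT -A INPUT -m conntrack --ctstate RELATED -j DROP
EOF
}

# Lint one rule: a RELATED ACCEPT must carry the high-port restriction.
# Returns 0 for an acceptable rule, 1 for a blanket RELATED accept.
related_rule_ok() {
    case "$1" in
        *RELATED*ACCEPT*)
            case "$1" in
                *"--dport 1024:65535"*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Apply the rules, refusing the whole set if any line fails the lint.
apply_ftp_rules() {
    ftp_rules | while IFS= read -r line; do
        related_rule_ok "$line" || { echo "refusing: $line" >&2; exit 1; }
        sh -c "$line" || exit 1
    done
}

# Default is a dry run that prints the rules; APPLY=1 sh script.sh applies them.
if [ "${APPLY:-0}" = 1 ]; then apply_ftp_rules; else ftp_rules; fi
```

The LOG rule before the final DROP records any expectation that tried to reach a low port, which is exactly the "creative PASV reply" case worth watching for.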