[luau] Iptables firewall question

MonMotha monmotha at indy.rr.com
Sat Jan 11 10:33:00 PST 2003


Vince Hoang wrote:
...
>>Certainly no worse than a blanket allow on high ports (which
>>many people end up doing). Also, putting a few qualifiers on
>>the RELATED rule can help prevent this. My script restricts
>>RELATED connections (which is what these are) to high ports
>>(above 1024) only. This prevents a crafty server from tricking
>>the conntracker into letting it connect to a system service
>>(since most of them live on low ports) by responding creatively
>>to a PASV command.
> 
> 
> My memory must be failing. Looking back at my homebrew iptables
> script, it _does_ use ip_conntrack_ftp and RELATED flags for ftp.
> (I also use ip_local_port_range to reduce the ephemeral port
> range and accept ftp only from a small range of addresses.)

Never a bad idea, especially if you have the helper match available to further 
restrict the actions of the helper.  You can then pick your port range to make 
sure no services live there.

> 
> I do feel more comfortable about a firewall if it did not have to
> protect an ftp server. A less schizophrenic protocol such as http
> requires a single pair of src/dst ip/port. I can trust the state
> established by that protocol more than that of ftp by several
> orders of magnitude.

Of course.  I'd be happy if everyone would just stop using FTP.  It's a pain to 
firewall, NAT, etc., and it has a history of security problems.  Unfortunately 
it's about as old as the internet itself and doesn't look to be going anywhere soon.

> 
> -Vince

--MonMotha

-- 
Optimist: The glass is half full.                      | PGP Key: 0x1B0390E0
Pessimist: The glass is half empty.                    | Outgoing mail signed
Engineer: The glass is twice as big as it needs to be. | monmotha at indy.rr.com
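The rule set MonMotha describes above (RELATED accepted only for the FTP helper and only into a high port range, with the ephemeral range picked so no service lives there), written out for a host's INPUT chain as an added example; this is not the script from the thread. The client range and the data-port range are constructed values, and the weak blanket rule is shown beside the hardened one for contrast.

```shell
#!/bin/sh
# Added example, not from the list thread: an iptables rule set that limits
# what the FTP conntrack helper may open, as MonMotha describes. The client
# range and the data-port range are constructed values. With no argument the
# commands are only echoed; "apply" runs them (needs root).
FTP_CLIENTS="192.0.2.0/24"      # constructed: hosts allowed to speak FTP to us
DATA_LO=49152; DATA_HI=65535    # constructed: range the data connections use
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi; }

# Weak variant: every RELATED packet is accepted, so a helper expectation that
# points at a low port (e.g. from a creatively answered PASV) is let through.
weak_rules() {
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Hardened variant: RELATED is accepted only if the ftp helper set up the
# expectation, only into the high data-port range, only from known clients.
hardened_rules() {
    # Since kernel 4.7 helpers are not attached automatically; bind the ftp
    # helper to port 21 in the raw table (older kernels: load ip_conntrack_ftp).
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 21 -s "$FTP_CLIENTS" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$DATA_LO:$DATA_HI" -s "$FTP_CLIENTS" \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    # Anything else the conntracker calls RELATED (e.g. an expectation
    # toward a low port where a system service lives) is logged and dropped.
    run iptables -A INPUT -m conntrack --ctstate RELATED \
        -j LOG --log-prefix "RELATED-DROP "
    run iptables -A INPUT -m conntrack --ctstate RELATED -j DROP
    # Keep the local ephemeral range inside DATA_LO:DATA_HI so active-mode
    # data connections land there too; the ftpd's passive range must match.
    run sysctl -w net.ipv4.ip_local_port_range="$DATA_LO $DATA_HI"
}

case "${1:-preview}" in
    apply)   DRY_RUN=0; hardened_rules ;;
    preview) hardened_rules ;;
esac
```

Run it without arguments to review the generated commands, and check that DATA_LO:DATA_HI matches the range your ftpd actually hands out in PASV replies before applying.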