RE: A note about firewalls and ftp servers.
From: Mark Boddington (mark.boddington@net800.co.uk) Date: 09/28/01
- Previous message: Peter H. Lemieux: "Re: A note about firewalls and ftp servers."
- In reply to: Rob 'Feztaa' Park: "A note about firewalls and ftp servers."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mark Boddington" <mark.boddington@net800.co.uk>
To: "Bugtraq - Focus Linux" <focus-linux@securityfocus.com>
Subject: RE: A note about firewalls and ftp servers.
Date: Fri, 28 Sep 2001 12:10:05 +0100
Message-ID: <NFBBIGCCBMKGMIBILGDGKEJLCEAA.mark.boddington@net800.co.uk>
Hi,
> Solution: Either set up iptables to accept traffic on port 20, or set up
> connection tracking and allow iptables to accept related and established
> connections.
Be careful. Port 20 could be at either end of the connection depending on
how the passive flag is set within the ftp session. The danger with setting
your firewall to allow packets in from and out to port 20 is that it allows people
to portscan your hosts by using port 20 as their source port for every probe
(nmap has this ability). The only solution I would personally use is the
latter one, but don't forget to insmod ipt_ftp_conntrack; the standard
connection tracking module doesn't cover ftp data.
Mark Boddington
Unix Systems Administrator
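The two options discussed in this thread, written out as iptables rule sets. This is an added example, not code from the original posts: the first function is the "trust source port 20" rule the reply warns against, the second is the connection-tracking approach it recommends. Assumptions are labelled in the comments: the iptables binary path, port 21 for the control channel, the helper module under its current name nf_conntrack_ftp (ip_conntrack_ftp on 2.4-era kernels), and the raw-table CT rule that recent kernels need because they no longer attach protocol helpers automatically.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: "iptables" is
# on PATH (override with IPT=...), FTP control channel on port 21, helper
# module name nf_conntrack_ftp, and a kernel that supports "-j CT --helper".
IPT=${IPT:-iptables}
FTP_PORT=21

# Option 1, the one the reply warns against: accept anything whose TCP
# source port is 20. The rule never asks whether an FTP session exists,
# so "nmap -g 20 -p 1-65535 <host>" reaches every port on the machine.
weak_rules() {
    printf '%s\n' \
        "$IPT -P INPUT DROP" \
        "$IPT -A INPUT -p tcp --dport $FTP_PORT -j ACCEPT" \
        "$IPT -A INPUT -p tcp --sport 20 -j ACCEPT"
}

# Option 2, the reply's recommendation: load the FTP connection-tracking
# helper so data connections are tagged RELATED to their control session,
# and admit only RELATED/ESTABLISHED traffic plus new connections to port
# 21. This covers active mode (server port 20 -> client) and passive mode
# (client -> high port on the server) alike; a probe from source port 20
# that belongs to no tracked session is simply dropped.
conntrack_rules() {
    printf '%s\n' \
        "modprobe nf_conntrack_ftp" \
        "$IPT -t raw -A PREROUTING -p tcp --dport $FTP_PORT -j CT --helper ftp" \
        "$IPT -P INPUT DROP" \
        "$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "$IPT -A INPUT -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Apply one of the rule sets (pass the function name), echoing each
# command first so the operator sees exactly what was run.
apply_rules() {
    "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || return 1
    done
}

# Check after applying option 2, run from another host: a scan that spoofs
# source port 20 should see nothing open except the control port.
#   nmap -g 20 -p 1-1024 <ftp-server>
```

Run `apply_rules conntrack_rules` as root to install the recommended set; run `apply_rules weak_rules` only on a test box if you want to watch the source-port-20 scan succeed against it. Without the raw-table CT rule (or, on older kernels, with `net.netfilter.nf_conntrack_helper` left at 0), the helper module is loaded but never attached to port 21 sessions, and data connections are dropped as unrelated.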