FTP server firewall rules
Tue, 12 Mar 2002 16:00:49 -0500
On Tue, 12 Mar 2002 21:20:05 +0100
"Joffer" <firstname.lastname@example.org> wrote:
> for somehow this msg just wouldn't add '>' to the text so I'll be answering
> here instead, so I won't confuse myself or you ppl.
> I considder Active FTP a security threat, since it involves opening tcp port
> 20 inbound on the firewall, since the ftp-server is initiating the
> connection for the ftp-data.
That's OK if you have a small network ( or you have a lot of political
control over a large one!) Me... I must support active ftp.
That's why I moved to iptables, for RELATED.
> I recommend you read this document about Active FTP Vs Passive FTP, and use
> Passive FTP.
> If you trail that document opening (and closing everything else) you should
> fix it just fine.
> /Christopher Thorjussen
> ----- Original Message -----
> From: "Matt Cooling" <Matt.Cooling@boxingorange.com>
> To: <email@example.com>
> Sent: Tuesday, March 12, 2002 5:23 PM
> Subject: FTP server firewall rules
> I'm running a webserver, which I have secured with iptables as follows:
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT tcp -- <internal gateway> anywhere tcp dpt:ssh
> ACCEPT tcp -- anywhere anywhere tcp dpt:http
> ACCEPT udp -- <dns server> anywhere udp
> I now want to give FTP access to specific IP addresses for uploading
> content. I started using the following rules:
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
> which allows ACTIVE FTP to work properly. However, I also want to allow
> PASSIVE FTP, which I assumed would require the following rule:
> iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j
> Unfortunately this doesn't seem to work. I've checked that the module is
> [root@testbox root]# cat /proc/modules
> ip_conntrack_ftp 4096 0 (unused)
> ipt_state 1152 1 (autoclean)
> ip_conntrack 17068 2 (autoclean) [ip_conntrack_ftp
> iptable_filter 2272 0 (autoclean) (unused)
> ip_tables 11424 2 [ipt_state iptable_filter]
> I've reviewed some articles on the Intenet; however, these are generally
> oriented to protecting a box. Have I missed something basic, or should
> this work?
> Thanks in advance,