[wellylug] ICQ & FTP firewall scripts
Volker Kuhlmann
kuhlmav at elec.canterbury.ac.nz
Fri Mar 2 11:20:36 NZDT 2001
> How about if I specified the IP addresses of the servers which require
> an active connection?
Not a security measure. Source IPs can be forged and your block is
ineffective (as it has holes for servers X, Y and Z).
> I guess here I can set up a passive connection for any ftp connection
> and then open up an active connection where required?
Doesn't work like that. There is a control connection on port 21, and then
either an active or a passive connection (the difference being in which
direction it is opened). You can't firewall this by ports alone. You need
to have state-based rules. Well ideally. So, either do it quick and dirty
(not secure but better than nothing) or do it properly (difficult).
To do it properly you need firewall software which deals
specifically with the protocol. ipchains is not sufficient
(as it's not state-based). Something like the firewall toolkit
http://www.tis.com/research/software/fwtk_readme.html for example.
I don't know of a good and easy solution.
Volker
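What "state-based rules" means in practice for FTP, as an added example that is not part of the original post: the firewall has to read the control connection, pick up the PORT command (active mode, server opens the data connection towards the client) or the 227 reply (passive mode, client opens it towards the server), and admit exactly that one connection and nothing else. The toy tracker below does that parsing over a constructed session; a real stateful helper such as netfilter's FTP connection tracking works along the same lines. The IP addresses, the session lines and the `static_rule_admits` stand-in for a ports-only rule are all made up for the illustration.

```python
"""Toy FTP connection tracker (added example, not from the wellylug post).

Shows why a ports-only rule cannot firewall FTP: the data port is chosen
per transfer and announced inside the control connection on port 21, so
the firewall has to parse that announcement and open one expectation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client -> server:  PORT h1,h2,h3,h4,p1,p2     (active: server connects back)
# Server -> client:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
#                                               (passive: client connects out)
OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + OCTETS + r"\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\(" + OCTETS + r"\)")


@dataclass(frozen=True)
class Expectation:
    """One data connection the firewall should let through, exactly once."""
    src_ip: str     # host that will send the SYN
    dst_ip: str
    dst_port: int
    mode: str       # "active" or "passive"


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six FTP octets into ('a.b.c.d', p1*256+p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in FTP host/port")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class FtpTracker:
    """Tracks one control connection and the data connections it announces."""

    def __init__(self, client_ip: str, server_ip: str) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.expectations: List[Expectation] = []

    def on_client_line(self, line: str) -> Optional[Expectation]:
        m = PORT_RE.match(line)
        if not m:
            return None
        ip, port = decode_hostport(m.groups())
        # Only accept a PORT naming the client itself (anything else is an
        # FTP bounce attempt) and a non-privileged port.
        if ip != self.client_ip or port < 1024:
            return None
        exp = Expectation(self.server_ip, ip, port, "active")
        self.expectations.append(exp)
        return exp

    def on_server_line(self, line: str) -> Optional[Expectation]:
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = decode_hostport(m.groups())
        # Passive reply must point at the server we are talking to.
        if ip != self.server_ip or port < 1024:
            return None
        exp = Expectation(self.client_ip, ip, port, "passive")
        self.expectations.append(exp)
        return exp

    def admit(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Admit a SYN only if it matches a pending expectation; consume it."""
        for i, e in enumerate(self.expectations):
            if (e.src_ip, e.dst_ip, e.dst_port) == (src_ip, dst_ip, dst_port):
                del self.expectations[i]
                return True
        return False


def static_rule_admits(dst_port: int) -> bool:
    """The 'quick and dirty' ports-only rule: allow anything above 1023."""
    return dst_port >= 1024


def demo() -> dict:
    # Constructed session; addresses are documentation ranges, not real hosts.
    client, server, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    t = FtpTracker(client, server)
    active = t.on_client_line("PORT 192,168,1,10,4,1")            # 4*256+1 = 1025
    passive = t.on_server_line(
        "227 Entering Passive Mode (203,0,113,5,195,80)")          # 195*256+80 = 50000
    bounce = t.on_client_line("PORT 198,51,100,9,0,25")           # third host, port 25
    return {
        "active": active,
        "passive": passive,
        "bounce_refused": bounce is None,
        "server_to_client_admitted": t.admit(server, client, 1025),
        "replay_refused": not t.admit(server, client, 1025),
        "client_to_server_admitted": t.admit(client, server, 50000),
        "attacker_refused": not t.admit(attacker, client, 31337),
        "static_rule_hole": static_rule_admits(31337),
    }
```

The last two entries of `demo()` are the point of the exercise: the tracker refuses an unsolicited connection to a high port, while the ports-only rule that lets active FTP work has to let that same connection through from anyone.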