[wellylug] ICQ & FTP firewall scripts
Richard Hector
rhector at actrix.gen.nz
Fri Mar 2 13:52:41 NZDT 2001
Volker Kuhlmann wrote:
>
> > How about if I specified the IP addresses of the servers which require
> > an active connection?
>
> Not a security measure. Source IPs can be forged and your block is
> ineffective (as it has holes for servers X, Y and Z).
>
> > I guess here I can set up a passive connection for any ftp connection
> > and then open up an active connection where required?
>
> Doesn't work like that. There is a control connection on port 21, and then
> either an active or a passive connection (the difference being in which
> direction it is opened). You can't firewall this by ports alone. You need
> to have state-based rules. Well ideally. So, either do it quick and dirty
> (not secure but better than nothing) or do it properly (difficult).
>
> To do it properly you need firewall software which deals
> specifically with the protocol. ipchains is not sufficient
> (as it's not state-based). Something like the firewall toolkit
> http://www.tis.com/research/software/fwtk_readme.html for example.
> I don't know of a good and easy solution.
Isn't that what the ftp kernel module (ip_masq_ftp.o) is for?
Richard
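The quoted explanation (a control connection on port 21, plus a data connection whose endpoint is negotiated in-band) is why port-only rules fail and why a helper such as ip_masq_ftp has to read the control channel. The following is an added illustration, not code from either poster or from the kernel module: a small Python parser for the two in-band messages (the client's PORT command and the server's 227 PASV reply) that works out which single data-connection pinhole a stateful helper would need to open. The client and server addresses and the sample lines are constructed; the sanity checks (address must match the control-connection peer, port must be unprivileged) are assumptions about what a careful helper should enforce.

```python
"""Derive the FTP data-connection pinhole from control-channel messages.

A stateful FTP helper (ip_masq_ftp, later nf_conntrack_ftp) does this on
the live control stream; this stand-alone version shows the logic.
"""
import re
from ipaddress import IPv4Address

# "h1,h2,h3,h4,p1,p2" encodes an IPv4 address and a 16-bit port (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(field):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or raise ValueError."""
    m = _HOSTPORT.search(field)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % field)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % field)
    ip = str(IPv4Address(".".join(str(n) for n in nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def data_pinhole(line, client_ip, server_ip):
    """Given one control-channel line, return the data connection to permit.

    Returns a dict {mode, src, dst} (src/dst are (ip, port), port None when
    it is an ephemeral port chosen later) or None if the line is irrelevant.
    Checks assumed here: the advertised address must equal the peer that sent
    it (otherwise the pinhole would point at a third party), and the port
    must be unprivileged.
    """
    text = line.strip()
    if text.upper().startswith("PORT "):          # active: server connects out
        ip, port = parse_hostport(text[5:])
        expected, mode = client_ip, "active"
        src, dst = (server_ip, 20), (ip, port)
    elif text.startswith("227 "):                 # passive: client connects out
        ip, port = parse_hostport(text)
        expected, mode = server_ip, "passive"
        src, dst = (client_ip, None), (ip, port)
    else:
        return None
    if ip != expected:
        raise ValueError("advertised %s differs from control peer %s" % (ip, expected))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    return {"mode": mode, "src": src, "dst": dst}
```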