I am using IPCop to feed a small network.
In its default state IPCop has all incoming ports closed and all
outgoing ports open.
Following the advice that I see repeatedly in this newsgroup, I close
all outgoing ports except those required for web access, e-mail, news
and time, using IPTables. I also isolate one computer on the network
completely from the internet. This all works very well.
I now wish to use an ftp client (FileZilla), and I have opened outgoing
port 21 for this purpose.
If I use the normal or active ftp mode, then, as I understand the
matter, the ftp client will, after the command channel from a
high-numbered local port and port 21 on the remote ftp server has been
established, notify the remote ftp server of the port to use for
transferring data. The data is then transferred by the remote ftp
server from its port 20 to the port specified by the local ftp client.
Unfortunately, as everyone knows, this link will not function because,
since it will be initiated by the remote ftp server, it will be blocked
by the firewall.
My first question is how do the professional security advisors overcome
this problem? The only solution that I can think of is to forward
incoming traffic from port 20 around the firewall - but this would
presumably reduce security.
The next problem arises if I try to use the passive mode of ftp. In
this mode, as far as I understand the matter, once the command channel
has been established as for the active mode, the local ftp client sends
a message (PASV) to the ftp server that it wishes to use the passive
mode. The remote ftp server then notifies the ftp client of the port on
which it will be listening so that the ftp client may initiate data
transfer from that port.
The problem with this arrangement is that the local ftp client has to
send a message to the port specified by the ftp server, but such a
message will be blocked because all outgoing ports (except those for the
web) are closed.
Again, I wonder how the professionals deal with this problem.
I ought to say that I have tried the IPCop mailing list but so far no
one has had the time to reply. Hence, if anyone on this newsgroup
could give me any guidance I would be very grateful.
Regards
Brian
Received on Thu Sep 29 19:53:10 2005
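The two exchanges the post describes, modelled as an added example (not code from the post or from IPCop): it decodes the PORT command of active mode and the 227 reply to PASV of passive mode and reports which side opens the data connection and to which port. The addresses, sample lines and egress allow-list are constructed.

```python
"""FTP PORT/PASV decoder for the exchanges described in the post (added example,
not from the original). The h1,h2,h3,h4,p1,p2 form is defined in RFC 959."""
import re
from dataclasses import dataclass
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Constructed egress allow-list matching the post: web, mail, news, time, FTP control.
EGRESS_ALLOWED = {80, 443, 25, 110, 119, 123, 21}
# Constructed sample exchanges (private / TEST-NET addresses, not real hosts).
ACTIVE_CMD = "PORT 192,168,1,10,4,1"                              # client port 4*256+1 = 1025
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"  # server port 195*256+80 = 50000

@dataclass(frozen=True)
class DataConn:
    mode: str        # "active" or "passive"
    initiator: str   # "server" (active, from its port 20) or "client" (passive)
    dst_host: str    # address the initiator connects to
    dst_port: int    # port the initiator connects to, chosen at run time

def decode_host_port(text):
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOST_PORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    port = octets[4] * 256 + octets[5]
    if any(o > 255 for o in octets) or port == 0:
        raise ValueError("invalid host/port tuple in %r" % text)
    return ".".join(map(str, octets[:4])), port

def data_connection(client_cmd, server_reply):
    """Describe the data connection set up by one PORT or PASV exchange."""
    cmd = client_cmd.strip().upper()
    if cmd.startswith("PORT "):
        # Active mode: client names its own address/port; server connects to it.
        host, port = decode_host_port(client_cmd)
        return DataConn("active", "server", host, port)
    if cmd == "PASV":
        if not server_reply.startswith("227"):
            raise ValueError("PASV not accepted: %r" % server_reply)
        # Passive mode: server names its listening port; client connects out.
        host, port = decode_host_port(server_reply)
        return DataConn("passive", "client", host, port)
    raise ValueError("not a data-connection command: %r" % client_cmd)

def blocked_by_static_filter(conn, egress_allowed=EGRESS_ALLOWED):
    """True if a filter with no inbound and a fixed outbound port list drops it."""
    if conn.initiator == "server":
        return True  # server-initiated inbound connection: always dropped
    return conn.dst_port not in egress_allowed  # outbound to a run-time port
```

Both sample exchanges come out as blocked: the active data connection is inbound, and the passive one goes out to a port (50000 here) that no fixed allow-list can contain. That is why stateful firewalls read the control channel and admit only the matching data connection (IPTables' FTP connection-tracking helper, ip_conntrack_ftp / nf_conntrack_ftp) rather than opening port ranges.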