Brian Phillips <piconote@onetel.com> wrote in
news:0YLAOsEnYJmCFwVF@clara.net:
> I am using IPCop to feed a small network.
>
> In its default state IPCop has all incoming ports closed and all
> outgoing ports open.
>
> Following the advice that I see repeatedly in this newsgroup, I close
> all outgoing ports except those required for web access, e-mail, news
> and time, using IPTables. I also isolate one computer on the network
> completely from the internet. This all works very well.
>
> I now wish to use an ftp client (FileZilla), and I have opened outgoing
> port 21 for this purpose.
>
> If I use the normal or active ftp mode, then, as I understand the
> matter, the ftp client will, after the command channel from a
> high-numbered local port and port 21 on the remote ftp server has been
> established, notify the remote ftp server of the port to use for
> transferring data. The data is then transferred by the remote ftp
> server from its port 20 to the port specified by the local ftp client.
> Unfortunately, as everyone knows, this link will not function because,
> since it will be initiated by the remote ftp server, it will be blocked
> by the firewall.
>
> My first question is how do the professional security advisors overcome
> this problem? The only solution that I can think of is to forward
> incoming traffic from port 20 around the firewall - but this would
> presumably reduce security.
>
> The next problem arises if I try to use the passive mode of ftp. In
> this mode, as far as I understand the matter, once the command channel
> has been established as for the active mode, the local ftp client sends
> a message (PASV) to the ftp server that it wishes to use the passive
> mode. The remote ftp server then notifies the ftp client of the port on
> which it will be listening so that the ftp client may initiate data
> transfer from that port.
>
> The problem with this arrangement is that the local ftp client has to
> send a message to the port specified by the ftp server, but such a
> message will be blocked because all outgoing ports (except those for
> the web) are closed.
>
> Again, I wonder how the professionals deal with this problem.
>
> I ought to say that I have tried the IPCop mailing list but so far no
> one has had the time to reply. Hence, if anyone on this newsgroup
> could give me any guidance I would be very grateful.
>
Well, whether it be a router, FW appliance, host-based FW or a PFW
solution, one has to set rules to forward the FTP port(s) traffic, open
them to public access on the FW, to the IP/machine that has the FTP
server running so that someone can make contact with the FTP site. The
one thing that IPCop (never used it) will ensure is that only FTP traffic
will come down the ports, and it will drop any other type of traffic.
The one thing you should be concerned about is whether the machine is
secure enough to be exposed to the public Internet. Is the O/S, file
system, the FTP server software, user accounts, O/S security patches
applied, etc., etc., and has the machine in general been *hardened*
against attack?
That's where the problem is, not that you have opened ports to the
public on the FW, as you have to do that for a client to contact the
site.
Duane :)
Received on Thu Sep 29 19:53:10 2005
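The exchange the original poster describes (control channel to port 21, then PORT in active mode or a 227 reply to PASV in passive mode, then a second TCP connection for the data) can be walked through against his firewall policy to see exactly why both modes fail, and what a stateful FTP helper changes. The block below is an added example written for this page, not code from either poster and not IPCop's own code. It assumes constructed addresses from the RFC 5737 documentation ranges, constructed client and server ports, and a small in-memory model of the firewall; the `ftp_helper` flag models what Linux netfilter's `ip_conntrack_ftp` / `nf_conntrack_ftp` module does (reading PORT and 227 lines on the control channel and admitting the one announced data connection as RELATED), but the class is a model, not the kernel implementation.

```python
"""Model the FTP control/data-channel exchange against a default-deny firewall."""
import re
from dataclasses import dataclass, field

# Constructed addresses for the walk-through (RFC 5737 documentation ranges).
CLIENT_IP = "192.0.2.10"      # hypothetical LAN host behind the firewall
SERVER_IP = "198.51.100.7"    # hypothetical remote FTP server

# Outbound destination ports the poster says he leaves open: web, e-mail,
# news, time, plus port 21 for the FTP control channel.
POSTER_OUTBOUND_ALLOWED = {80, 443, 25, 110, 119, 123, 21}

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _hostport(groups):
    """Turn the six comma-separated decimals of RFC 959 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply: str):
    """Parse the server's 227 reply: 'Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return _hostport(m.groups())


def build_port(ip: str, port: int) -> str:
    """Build the PORT command an active-mode client sends to announce its listening port."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("bad IPv4 address")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port(cmd: str):
    """Parse a PORT command back into (ip, port), as a firewall helper must."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _hostport(m.groups())


@dataclass
class Firewall:
    """Stateful filter with the poster's policy: all inbound dropped, outbound
    limited to a set of destination ports.  With ftp_helper=True it also
    watches the port-21 control channel (a model of nf_conntrack_ftp) and
    admits the single data connection that a PORT line or 227 reply announced,
    which iptables would match as state RELATED."""
    outbound_allowed: set
    ftp_helper: bool = False
    expected: set = field(default_factory=set)

    def inspect_control(self, line: str) -> None:
        if not self.ftp_helper:
            return
        if line.startswith("PORT "):
            ip, port = parse_port(line)
            self.expected.add(("in", ip, port))    # server:20 -> client:port
        elif line.startswith("227"):
            ip, port = parse_pasv(line)
            self.expected.add(("out", ip, port))   # client -> server:port

    def allows(self, direction: str, dst_ip: str, dst_port: int) -> bool:
        key = (direction, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)   # one-shot, like a conntrack expectation
            return True
        if direction == "out":
            return dst_port in self.outbound_allowed
        return False                     # everything unsolicited inbound is dropped


def data_connection_allowed(mode: str, fw: Firewall) -> bool:
    """Walk through the exchange in the post for 'active' or 'passive' mode
    and report whether the data connection gets past the firewall."""
    if not fw.allows("out", SERVER_IP, 21):          # control channel first
        return False
    if mode == "active":
        cmd = build_port(CLIENT_IP, 50001)           # client listens on an ephemeral port
        fw.inspect_control(cmd)
        return fw.allows("in", CLIENT_IP, 50001)     # server connects in from port 20
    if mode == "passive":
        reply = "227 Entering Passive Mode (198,51,100,7,195,80)"  # constructed reply
        fw.inspect_control(reply)
        ip, port = parse_pasv(reply)
        return fw.allows("out", ip, port)            # client connects out to that port
    raise ValueError(mode)


def summary():
    """{(mode, helper_on): allowed} for both modes, with and without the helper."""
    return {(m, h): data_connection_allowed(m, Firewall(set(POSTER_OUTBOUND_ALLOWED), ftp_helper=h))
            for m in ("active", "passive") for h in (False, True)}


if __name__ == "__main__":
    for (mode, helper), ok in summary().items():
        print(f"{mode:7s} helper={str(helper):5s} data connection {'ALLOWED' if ok else 'BLOCKED'}")
```

Without the helper both modes are blocked, for the two different reasons the poster worked out: active mode needs an unsolicited inbound connection, passive mode needs an outbound connection to a port that is not on the whitelist. With the helper both succeed because the data connection was announced on the already-permitted control channel, which is the usual answer on a Linux-based firewall (the conntrack FTP module plus a rule accepting RELATED,ESTABLISHED) rather than forwarding port 20 around the filter. Two caveats: the helper has to see the PORT or 227 line in clear text, so it cannot track FTP over TLS, and the one-shot expectation above is a simplification of how the kernel ages its expectations.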