Re: firewall rules for FTP


Subject: Re: firewall rules for FTP
From: Jason Jeremias (jason@jeremias.net)
Date: Wed Mar 20 2002 - 15:13:57 AKST


Here's my 2 cents

1) Don't run your ftp server out of xinetd; if you're using wu-ftpd
(typical of many distros), switch to something else. I've found
ProFTPD and the OpenBSD ftpd Linux port to both be good. ProFTPD is quite
nice if you are familiar with an Apache-type config syntax. Very good
documentation as well. Also heard good things about vsftpd but haven't
tried it personally.

2) Set up your ftpd server to only allow PASV transfers if possible. Keep
in mind doing this breaks the RFC, so you may not want to. However, what
you can do is tell your ftp server which ports to use for PASV
transfers. In ProFTPD this config option is called "PassivePorts", for
example:

  # Use the IANA registered ephemeral port range
  PassivePorts 49152 65534

3) Use a stateful firewall to simplify the issue; Cisco PIX, iptables,
and many others are stateful. A stateful firewall monitors the outgoing FTP
control connection so it knows to allow the data connection back in.

Or you need a packet filter which opens up (meaning needs to allow) all
incoming connections originating from port 20 and destined for ports >
1024 within the client's network, a big security hole. See item 2 to limit
the port range, and thus your exposure. You will need to allow
connections to be made to port 21 regardless of the firewall type.

Personally I don't see any reason to be using a packet filter firewall
with so many stateful options available.

4) Here are some links you'll find interesting.

  http://www.faqs.org/rfcs/rfc959.html FILE TRANSFER PROTOCOL (FTP)
  http://www.faqs.org/rfcs/rfc1579.html Firewall-Friendly FTP
  http://www.faqs.org/rfcs/rfc2577.html FTP Security Considerations

Hope that's of some use to you. Just give me a yell if you need some
example configs implementing the above.

-Jason

On Wed, 2002-03-20 at 12:33, Mike Barsalou wrote:
>
> Generally speaking, what are people using for firewall rules for an FTP
> server.
>
> When using xinetd...the port ranges seem to be from 1025 to 65535.
>
> Any suggestions?
>
> Mike

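Added illustration of the difference behind points 2 and 3 above (this is an example written for this archive page, not code from Jason's message or from any of the ftpd projects he names): a small Python model that parses the PASV/PORT endpoint from the control channel the way a stateful FTP helper does and admits only that one data connection, next to the blanket rules a stateless packet filter has to carry. The IP addresses and control-channel lines are constructed; the 49152-65534 range is the PassivePorts setting from the post.

```python
import re

PASSIVE_PORTS = (49152, 65534)  # the PassivePorts range given in the post

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply and 'PORT h1,h2,h3,h4,p1,p2' command
_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply):
    """Endpoint announced by the server in a 227 reply, or None."""
    m = _PASV_RE.search(reply)
    return _decode(m.groups()) if m else None


def parse_port(command):
    """Endpoint announced by the client in a PORT command (active mode), or None."""
    m = _PORT_RE.match(command)
    return _decode(m.groups()) if m else None


def stateless_active_allows(src_port, dst_port):
    """Rule a packet filter must carry for active FTP: sport 20 -> any port > 1024."""
    return src_port == 20 and dst_port > 1024


def stateless_passive_allows(dst_port, passive_range=PASSIVE_PORTS):
    """Rule a packet filter must carry for passive FTP once PassivePorts is set."""
    lo, hi = passive_range
    return lo <= dst_port <= hi


class StatefulFtpHelper:
    """Watches the control channel and opens only the negotiated data socket, once."""

    def __init__(self):
        self.expected = None  # (ip, port) of the single pending data connection

    def observe(self, line):
        """Feed one control-channel line (client command or server reply)."""
        endpoint = parse_pasv(line) or parse_port(line)
        if endpoint:
            self.expected = endpoint

    def allows(self, dst_ip, dst_port):
        """Admit a data connection only if it is exactly the pending endpoint."""
        ok = self.expected == (dst_ip, dst_port)
        if ok:
            self.expected = None  # one data connection per negotiation
        return ok
```

Comparing `stateless_active_allows` (every port above 1024 reachable from source port 20) with `stateless_passive_allows` shows what item 2 buys on a plain packet filter; `StatefulFtpHelper` shows why item 3 removes the blanket rule entirely.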


This archive was generated by hypermail 2a23 : Wed Mar 20 2002 - 16:30:46 AKST