FTP egress rules?

  1. #1
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551

    FTP egress rules?

    As I get older, I seem to be getting more paranoid, so I've recently begun egress filtering on my Linux firewall box. I REJECT all outbound packets from the internal net except on those few destination ports I choose to permit (e.g., 21, 25, 80, 110, 6667, etc).

    Unfortunately, FTP seems to have been a casualty of the new filtering since it wants to open a random unprivileged port after the initial connection on port 21. All of the egress rules I've seen for FTP say to open all unprivileged ports to outbound traffic (1024-65535), which obviously I'm not going to do because it defeats the whole purpose of egress blocking.

    How do people normally handle FTP on a network with egress blocking, and does anybody have a rule that works without digging me a new a55 on my firewall?
    Do what you want with the girl, but leave me alone!

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    I think that this would be because of the difference in Passive and Active FTP. If you would like an explanation of the difference, here is a link:

    http://slacksite.com/other/ftp.html

    The majority of enterprise firewalls are smart enough to recognise and handle ftp traffic, whether it be passive or active. But I think that you might encounter difficulties if you are using a packet filtering firewall.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  3. #3
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    That was one of my early thoughts as well, and slacksite was one of the sites that turned up on my Google search. Unfortunately, both active and passive FTP use random unprivileged ports so they will both have the same problem. The only difference is whether the connection on that port is initiated by the server or the client. I also found some information on ways to limit the range of unprivileged ports that FTP will operate on, but they're all from the server side, not the client side.
    Do what you want with the girl, but leave me alone!

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    With Passive FTP you could do the following:

    Allow all outbound FTP traffic (port 21).
    Allow all outbound traffic for ports 1024-65535.

    You wouldn't need to allow any incoming traffic, assuming that your firewall will allow reply traffic back for established sessions.

    For Active FTP:

    Allow all outbound FTP traffic (port 21).
    Place a rule allowing incoming traffic from a source port of 20 to a destination port range of 1024-65535.

    IMHO, with reference to your instance, I think that Passive FTP is the more secure option, as you are not allowing any incoming connections to your machine. But if the host's FTP server is behind a firewall, then it is a less secure option for them because they have to allow incoming traffic on 1024-65535.

    Basically from a pure security perspective:

    Passive FTP - good for clients, bad for hosts
    Active FTP - bad for clients, good for hosts

    Hope this helps a little...
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  5. #5
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Allow all outbound traffic for ports 1024-65535.
    Like I said, that's what I want to avoid because it would pretty well obliterate my egress filtering.

    Place a rule allowing incoming traffic from a source port of 20 to a destination port range of 1024-65535.
    There you go.... that's more along the lines of what I want. I'm almost ashamed I didn't think of using the source port. Thanks.

    Now I've got to figure out how to forward that connection to my internal machine since I have no idea what port it will be on.
    Do what you want with the girl, but leave me alone!

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Yep, FTP is the bastard child of protocols when it comes to security (H323 being its twin), that's been known for quite a while. The unfortunate thing is that, like SoggyBottom said, there's no best solution...

    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    339

    Yep, FTP is the bastard child of protocols when it comes to security (H323 being its twin), that's been known for quite a while. The unfortunate thing is that, like SoggyBottom said, there's no best solution...
    Use scp (SSH Protocol 1), or better yet, sftp (SSH Protocol 2).

    Yeah, only a few people are really using it now... Most aren't even aware of its existence. Perhaps if M$ decided to support and include it in Window$, then people would start using it.

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  8. #8
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Use scp (SSH Protocol 1), or better yet, sftp (SSH Protocol 2).
    ....assuming the server you're connecting to supports those protocols. That's a big assumption. I do use sftp on my internal network, but unfortunately a lot of Internet servers I download files from still require (anonymous) FTP. It's a hard protocol to do without.
    Do what you want with the girl, but leave me alone!

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    That is a real toughie, and this type of thing is something I have had to deal with quite a lot, unfortunately. Luckily our firewall software can usually handle it (although it does sometimes choke), but if yours can't, there is one possibility that comes to mind:

    One thing you could consider doing is establishing a proxy server capable of supporting FTP. You could then place that proxy server on your internal network, set up your filter rules to allow it out on port 21 and return traffic dst prt > 1024, src prt = 20, limiting that rule to just that IP, and limiting your proxy server to just that communication. You would then minimize your exposure, but still have ftp access...painfully.

    Best thing to do would be to find a firewall capable of handling FTP traffic. Most do it either through proxies or a pseudo-proxy (application aware filtering).

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
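One way to write the source-port-20 rule from #4/#5 and the "limit it to one IP" idea from #9 as iptables rules on the poster's Linux firewall, added here as an example (not code from anyone in the thread); the interface name and the client address are assumptions, and the script prints the commands unless IPTABLES=iptables is set:

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: iptables egress rules for
# an active-mode FTP client behind a Linux filtering firewall, using the
# source-port-20 rule from #4/#5 and the "limit it to one IP" idea from #9.
# Defaults to a dry run that prints the commands; run as root with
# IPTABLES=iptables to apply them. Interface name and client address are
# assumptions.
IPTABLES="${IPTABLES:-echo iptables}"
INT_IF="${INT_IF:-eth1}"                  # assumed internal interface
FTP_CLIENT="${FTP_CLIENT:-192.168.1.10}"  # assumed host (or FTP proxy) allowed out

# Rules that need no FTP awareness on the firewall (policy REJECTs the rest).
ftp_rules_sourceport() {
    # Control channel: only the nominated host may open outbound port 21.
    $IPTABLES -A FORWARD -i "$INT_IF" -s "$FTP_CLIENT" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # Active data channel: the server opens it from port 20 to an unprivileged
    # port on the client. Pinning the destination to one host keeps
    # 1024-65535 closed for every other internal machine.
    # Caveat: any connection that uses source port 20 matches, so that host
    # should run nothing of its own on 1024-65535.
    $IPTABLES -A FORWARD -o "$INT_IF" -d "$FTP_CLIENT" -p tcp --sport 20 \
        --dport 1024:65535 -m state --state NEW -j ACCEPT
    # Replies on both channels, in both directions.
    $IPTABLES -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
}

# Tighter alternative (the "application aware filtering" of #9): the kernel
# FTP helper parses the PORT/PASV exchange and marks only the announced
# data connection as RELATED, so no source-port rule is needed.
ftp_rules_helper() {
    # Load nf_conntrack_ftp first (and nf_nat_ftp if the client is NATed).
    $IPTABLES -A FORWARD -i "$INT_IF" -s "$FTP_CLIENT" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # Kernels with net.netfilter.nf_conntrack_helper=0 (the default since
    # 4.7) need the helper attached explicitly to the control connection.
    $IPTABLES -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPTABLES -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Audit helper: count rules that open 1024:65535 without a -d restriction,
# i.e. the "allow all outbound 1024-65535" rule the thread wants to avoid.
count_wide_open() {
    "$1" | grep -- '--dport 1024:65535' | grep -vc -- '-d ' || true
}
```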
