[Gllug] passive ftp through f/w
Russell Howe
rhowe at siksai.co.uk
Thu May 6 19:49:59 UTC 2004
Richard Jones wrote:
> All quite safe provided the firewall is correctly implemented.
That bit's the killer :)
I suspect you're referring to:
http://www.netfilter.org/security/2001-04-16-ftp.html
whereby if you could enter your own PORT command, you could basically
use it as an instruction to iptables to say "Allow connections to host
foo on port bar from the FTP server".
So, $evildoer sets up an FTP server on their computer, sits behind your
firewall and can then use an FTP client to poke holes in the firewall.
If they have control of the FTP server, then they can use those holes.
Probably wouldn't get their packets NATed though, assuming the NAT rules
were sane, so if NAT was being used for all internal hosts, they'd
just be able to connect to the firewall.
There's also been a problem with the IRC DCC connection tracking module:
http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html
Stateful firewalling is usually used to enable dynamic ruleset changes
based on data going through the firewall. Handing control of parts of
your ruleset to 3rd parties is a pretty dangerous thing to do! There's a
whole heap of things which can go wrong and I find it pretty hard to
believe there have only ever been two problems with iptables/netfilter
related to connection tracking... maybe only two which have been
discovered and publicly announced...
--
Russell Howe <rhowe at siksai.co.uk>
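As an added illustration (not code from this thread or from netfilter): the check that shuts the hole Russell describes, written in Python. A connection-tracking helper that reads PORT commands (or, in passive mode, the server's 227 reply) may only open a pinhole towards the address of the party that sent the line; an address belonging to any other host is refused. The addresses, the function names and the returned flow description are constructed for this example.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as written in both the PORT command and the 227 reply
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*\(" + HOSTPORT + r"\)")


def decode_hostport(groups):
    """Turn the six decimal fields into (IPv4Address, port); None if out of range."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        return None
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return (addr, port) if port else None


def data_connection_pinhole(client_ip, server_ip, line, from_client):
    """Decide whether one control-channel line may open a data-connection pinhole.

    client_ip / server_ip: the two ends of the FTP control connection.
    line: one line seen on the control channel; from_client says who sent it.
    Returns a dict describing the single TCP flow to allow, or None to refuse.
    """
    if from_client:
        m = PORT_RE.match(line.strip())          # active mode: client announces its port
        owner, src, mode = client_ip, server_ip, "active"
    else:
        m = PASV_RE.match(line.strip())          # passive mode: server announces its port
        owner, src, mode = server_ip, client_ip, "passive"
    if not m:
        return None
    decoded = decode_hostport(m.groups())
    if decoded is None:
        return None
    addr, port = decoded
    # The safety check: the advertised address must be the speaker's own address.
    # Without it the FTP session becomes an instruction to the firewall to
    # "allow connections to host foo on port bar" for an unrelated host.
    if addr != ipaddress.IPv4Address(owner):
        return None
    return {"mode": mode, "src": src, "dst": str(addr), "dport": port, "proto": "tcp"}
```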