
List:       wuftpd-questions
Subject:    Re: FTP behind a firewall.
From:       "Gregory A Lundberg" <lundberg () vr ! net>
Date:       2002-06-22 14:07:32

>    I've got wu-2.6.1 running on a Red Hat v6.2 box behind a firewall.
> I've opened ports 20 and 21 on the firewall and passed the packets using
> routing to my FTP server. However, I cannot seem to get wuftpd to move
> into passive mode on a pre-determined set of ports. I'd like wuftpd to
> use only 20 and 21, then 55000 - 65535 if possible. How can I change
> this in wuftpd? Any and all assistance would be greatly appreciated.

First, let's assume a network using 10.0.0.0/8 on the LAN.  In ftpaccess,

   # Close down the world
   passive ports 0.0.0.0/0 55000 65535
   # Open the LAN back up
   passive ports 10.0.0.0/8 1024 65535

Next, let's assume we have a real IP address as the default and are 10.1.2.3
on the LAN as well.  This is usually backwards, but doing it this way avoids
needing to come up with a "real" IP address.

   # Claim our IP address to the world (X.X.X.X is the real, routable address)
   # passive address X.X.X.X 0.0.0.0/0
   # Our IP address is OK everywhere except on the LAN
   passive address 10.1.2.3 10.0.0.0/8



Now we need to firewall the beast.


Allow incoming FTP control connections:

- Allow incoming TCP connections (no TCP ACK bit required) from anywhere
ports 1024 to 65535 to the server's port 21.

- Allow outgoing connected TCP (require TCP ACK bit set) from the server's
port 21 to anywhere ports 1024 to 65535



Allow outgoing PORT data connections:

- Allow outgoing TCP connections (no TCP ACK bit required) from the server's
port 20 to anywhere ports 1024 to 65535

- Allow incoming connected TCP (require TCP ACK bit set) from anywhere ports
1024 to 65535 to the server's port 20.



Allow incoming PASV data connections from the LAN:

- Allow incoming TCP connections (no TCP ACK bit required) from LAN hosts
ports 1024 to 65535 to the server's ports 1024 to 65535

- Allow outgoing connected TCP (require TCP ACK bit set) from the server's
ports 1024 to 65535 to LAN hosts ports 1024 to 65535



Allow incoming PASV data connections from the rest of the world:

- Allow incoming TCP connections (no TCP ACK bit required) from anywhere
ports 1024 to 65535 to the server's ports 55000 to 65535

- Allow outgoing connected TCP (require TCP ACK bit set) from the server's
ports 55000 to 65535 to anywhere ports 1024 to 65535



And don't forget:

- Deny all traffic not specifically allowed above



And then there is one last step to be performed on the server:

Replace the 'ftp' command (not the daemon, the user command) with a shell
script explaining that this is a secured FTP server and user FTP is not
possible.  Since I'm the only one allowed shell access on the FTP server, I
use the following script in place of the real /bin/ftp:

#! /bin/sh
echo "Hey, dummy, wrong host.  Try button A on the console switch."

Why disable user-level FTP?  Because the firewall rules required for that,
when combined with the firewall rules required for the server, merge to
allow all traffic from everywhere.  In other words, if you fully 'close down
the firewall' for both user- and server-FTP, you effectively remove the
firewall completely.
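The rule set above, with its ACK-bit distinction and port ranges, encoded as a small policy model so that it can be checked against the ftpaccess "passive ports" limits before being typed into a real firewall. This is an added example, not part of the original message; the remote client addresses (192.0.2.10 and 10.5.6.7) and the client port 40000 are constructed sample values.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")          # the LAN assumed in the reply
ANY = ip_network("0.0.0.0/0")
EPHEMERAL = (1024, 65535)
PASV_WORLD = (55000, 65535)             # "passive ports 0.0.0.0/0 55000 65535"
PASV_LAN = (1024, 65535)                # "passive ports 10.0.0.0/8 1024 65535"

# One entry per bullet in the reply: (direction, remote network, remote ports,
# server ports, ACK required).  "in" is remote -> server, "out" is server -> remote.
# A rule that requires ACK never matches a bare SYN, so it cannot start a connection.
RULES = [
    ("in",  ANY, EPHEMERAL, (21, 21),   False),   # FTP control, client -> server
    ("out", ANY, EPHEMERAL, (21, 21),   True),
    ("out", ANY, EPHEMERAL, (20, 20),   False),   # PORT data, server -> client
    ("in",  ANY, EPHEMERAL, (20, 20),   True),
    ("in",  LAN, EPHEMERAL, EPHEMERAL,  False),   # PASV data from the LAN
    ("out", LAN, EPHEMERAL, EPHEMERAL,  True),
    ("in",  ANY, EPHEMERAL, PASV_WORLD, False),   # PASV data from the world
    ("out", ANY, EPHEMERAL, PASV_WORLD, True),
]

def _in(port, rng):
    return rng[0] <= port <= rng[1]

def allowed(direction, remote_ip, remote_port, server_port, ack):
    """First matching rule wins; anything unmatched hits the final deny-all."""
    remote = ip_address(remote_ip)
    for rdir, net, rports, sports, need_ack in RULES:
        if (rdir == direction and remote in net and _in(remote_port, rports)
                and _in(server_port, sports) and (ack or not need_ack)):
            return True
    return False

def pasv_range_for(client_ip):
    """Port range wu-ftpd will offer this client in its PASV reply."""
    return PASV_LAN if ip_address(client_ip) in LAN else PASV_WORLD

def pasv_reachable(client_ip):
    """True if both ends of the range wu-ftpd may offer this client are ports
    the firewall lets the client open (a bare SYN from an ephemeral port)."""
    lo, hi = pasv_range_for(client_ip)
    return all(allowed("in", client_ip, 40000, p, ack=False) for p in (lo, hi))

if __name__ == "__main__":
    print(allowed("in", "192.0.2.10", 40000, 21, ack=False))     # control: True
    print(allowed("in", "192.0.2.10", 40000, 20, ack=False))     # SYN to 20: False
    print(allowed("in", "192.0.2.10", 40000, 30000, ack=False))  # below 55000: False
    print(pasv_reachable("192.0.2.10"), pasv_reachable("10.5.6.7"))  # True True
```

If the ftpaccess ranges are later changed, pasv_reachable() is the check that tells you the firewall rules must change with them.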

