Prev: Deja Vu: Swap Ctrl/Caps Lock, only this time Knoppix 6.2
Next: Most stable and tested distribution?
From: D. Stussy on 4 Jan 2010 22:11

"Todd" <todd(a)invalid.com> wrote in message news:hhu8va$io9$1(a)speranza.aioe.org...
> /etc/sysconfig/iptables-config:
> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp
> ip_conntrack_tftp"
>
>
> My iptables firewall passive mode section for
> passive mode ftp is driving me nuts!
>
> My firewall is very strict. Only allowed traffic
> is supposed to get out. But my table for those stinking
> high port passive ftp outgoing SYN packets forces me
> to open the moon for them.
>
> If I don't use this rule:
>
> unassgn=1024:65535
> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d
> $ANY_IP --dport $unassgn -m state --state NEW,ESTABLISHED
>
> I get: ...
>
> Does "Unassigned Ports" now have a better starting number?

I don't know about port ranges, but I think you're opening yourself up to
too much.

Try: --state ESTABLISHED,RELATED.

I think you really want "related" instead of "new." Related allows new
sessions only if they're tied to an existing session via the special
conntrack helper for the primary session. FTP and IRC have these special
helpers.
From: Todd on 5 Jan 2010 11:24

On 01/04/2010 07:11 PM, D. Stussy wrote:
> "Todd"<todd(a)invalid.com> wrote in message
> news:hhu8va$io9$1(a)speranza.aioe.org...
>> /etc/sysconfig/iptables-config:
>> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp
>> ip_conntrack_tftp"
>>
>>
>> My iptables firewall passive mode section for
>> passive mode ftp is driving me nuts!
>>
>> My firewall is very strict. Only allowed traffic
>> is supposed to get out. But my table for those stinking
>> high port passive ftp outgoing SYN packets forces me
>> to open the moon for them.
>>
>> If I don't use this rule:
>>
>> unassgn=1024:65535
>> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d
>> $ANY_IP --dport $unassgn -m state --state NEW,ESTABLISHED
>>
>> I get: ...
>>
>> Does "Unassigned Ports" now have a better starting number?
>
> I don't know about port ranges, but I think you're opening yourself up to
> too much.
>
> Try: --state ESTABLISHED,RELATED.
>
> I think you really want "related" instead of "new." Related allows new
> sessions only if they're tied to an existing session via the special
> conntrack helper for the primary session. FTP and IRC have these special
> helpers.
>

Thank you! Thank plugged it the hole.

Many thanks,
-T

Some day, I will figure out how one sends a "SYN" packet
on a "--state ESTABLISHED,RELATED" packet. I thought "SYN"
packets were always "--state NEW". But, ...
From: Todd on 5 Jan 2010 11:25

On 01/05/2010 08:24 AM, Todd wrote:
> Thank you! Thank plugged it the hole.

Darned typos. Thank you! That plugged the hole.
From: D. Stussy on 5 Jan 2010 16:59

"Todd" <todd(a)invalid.com> wrote in message news:hhvp39$jag$1(a)speranza.aioe.org...
> On 01/04/2010 07:11 PM, D. Stussy wrote:
> > "Todd"<todd(a)invalid.com> wrote in message
> > news:hhu8va$io9$1(a)speranza.aioe.org...
> >> /etc/sysconfig/iptables-config:
> >> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp
> >> ip_conntrack_tftp"
> >>
> >> My iptables firewall passive mode section for
> >> passive mode ftp is driving me nuts!
> >>
> >> My firewall is very strict. Only allowed traffic
> >> is supposed to get out. But my table for those stinking
> >> high port passive ftp outgoing SYN packets forces me
> >> to open the moon for them.
> >>
> >> If I don't use this rule:
> >>
> >> unassgn=1024:65535
> >> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d
> >> $ANY_IP --dport $unassgn -m state --state NEW,ESTABLISHED
> >>
> >> I get: ...
> >>
> >> Does "Unassigned Ports" now have a better starting number?
> >
> > I don't know about port ranges, but I think you're opening yourself up to
> > too much.
> >
> > Try: --state ESTABLISHED,RELATED.
> >
> > I think you really want "related" instead of "new." Related allows new
> > sessions only if they're tied to an existing session via the special
> > conntrack helper for the primary session. FTP and IRC have these special
> > helpers.
>
> Thank you! That[corrected] plugged it the hole.
>
> Some day, I will figure out how one sends a "SYN" packet
> on a "--state ESTABLISHED,RELATED" packet. I thought "SYN"
> packets were always "--state NEW". But, ...

Yes, the "ftpdata" session is a "new" one when it sends the SYN. However,
the ftp_conntrack module marks it as related to its controlling ftp
session, so that state=related matches. This should deny any "ftpdata"
session that doesn't have a controlling ftp session. Test it by telnetting
to the ftpdata port and see if that gets rejected.
From: Todd on 6 Jan 2010 11:06

On 01/05/2010 01:59 PM, D. Stussy wrote:
> "Todd"<todd(a)invalid.com> wrote in message
> news:hhvp39$jag$1(a)speranza.aioe.org...
>> On 01/04/2010 07:11 PM, D. Stussy wrote:
>>> "Todd"<todd(a)invalid.com> wrote in message
>>> news:hhu8va$io9$1(a)speranza.aioe.org...
>>>> /etc/sysconfig/iptables-config:
>>>> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp
>>>> ip_conntrack_tftp"
>>>>
>>>>
>>>> My iptables firewall passive mode section for
>>>> passive mode ftp is driving me nuts!
>>>>
>>>> My firewall is very strict. Only allowed traffic
>>>> is supposed to get out. But my table for those stinking
>>>> high port passive ftp outgoing SYN packets forces me
>>>> to open the moon for them.
>>>>
>>>> If I don't use this rule:
>>>>
>>>> unassgn=1024:65535
>>>> $tbls -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn -d
>>>> $ANY_IP --dport $unassgn -m state --state NEW,ESTABLISHED
>>>>
>>>> I get: ...
>>>>
>>>> Does "Unassigned Ports" now have a better starting number?
>>>
>>> I don't know about port ranges, but I think you're opening yourself up
>>> to too much.
>>>
>>> Try: --state ESTABLISHED,RELATED.
>>>
>>> I think you really want "related" instead of "new." Related allows new
>>> sessions only if they're tied to an existing session via the special
>>> conntrack helper for the primary session. FTP and IRC have these
>>> special helpers.
>>
>> Thank you! That[corrected] plugged it the hole.
>>
>> Some day, I will figure out how one sends a "SYN" packet
>> on a "--state ESTABLISHED,RELATED" packet. I thought "SYN"
>> packets were always "--state NEW". But, ...
>
> Yes, the "ftpdata" session is a "new" one when it sends the SYN. However,
> the ftp_conntrack module marks it as related to its controlling ftp
> session, so that state=related matches. This should deny any "ftpdata"
> session that doesn't have a controlling ftp session. Test it by telnetting
> to the ftpdata port and see if that gets rejected.

Thank you. That explains it.

I am not sure how to do the telnet test, as the ports seem to be random on
both SRC and DST.

-T
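As an added example (not code posted in this thread), here is the rule set D. Stussy describes, written out for the chain and interface named in Todd's post, with Todd's original high-port rule kept only for contrast, plus a small log parser that performs the negative test Todd was unsure how to run. Everything beyond the thread is an assumption: the chain name dsl-out, interface eth1, the "dsl-out-deny: " log prefix, the CT helper binding needed on current kernels, and the sample log lines, which are constructed rather than captured. IPT and MODPROBE default to "echo ..." so the script runs and prints the rules without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: outbound interface
# eth1, custom chain dsl-out, log prefix "dsl-out-deny: ". IPT and MODPROBE
# default to "echo ..." so the script can be read and tested without root;
# set IPT=iptables MODPROBE=modprobe to apply the rules for real.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
OUT_IF="${OUT_IF:-eth1}"
CHAIN="${CHAIN:-dsl-out}"
EPHEMERAL="1024:65535"
LOG_PREFIX="dsl-out-deny: "

# The rule from the original post, kept only for contrast and never applied
# by passive_ftp_rules. Any locally generated SYN from a high port to a high
# port is accepted as NEW, so every outbound TCP connection to an
# unprivileged port is allowed, not just FTP data channels.
weak_rule() {
    echo "iptables -A $CHAIN -o $OUT_IF -p tcp --sport $EPHEMERAL --dport $EPHEMERAL -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# Hardened version. The data-channel SYN is still a new TCP session, but the
# FTP helper has parsed the server's PASV reply on the control channel and
# registered an expectation, so conntrack classifies that one SYN as RELATED.
# Any other high-port SYN has no expectation, stays NEW, and is dropped.
# (-m state --state still works; -m conntrack --ctstate is the modern form.)
passive_ftp_rules() {
    # Helper module: ip_conntrack_ftp on the 2.6-era kernel in Todd's
    # IPTABLES_MODULES line, nf_conntrack_ftp on current kernels.
    $MODPROBE nf_conntrack_ftp
    # Since kernel 4.7 loading the module does not attach the helper by itself
    # (automatic helper assignment is off by default and gone in 6.0), so bind
    # it explicitly in the raw table, and only to port 21: binding it to every
    # TCP port would let any server talk FTP at the firewall and create
    # arbitrary expectations. Use PREROUTING instead of OUTPUT for forwarded
    # LAN traffic.
    $IPT -t raw -A OUTPUT -o "$OUT_IF" -p tcp --dport 21 -j CT --helper ftp
    # Control channel: the only NEW FTP connection this policy permits.
    $IPT -A "$CHAIN" -o "$OUT_IF" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Data channel: same port range as the weak rule, RELATED instead of NEW.
    $IPT -A "$CHAIN" -o "$OUT_IF" -p tcp --sport "$EPHEMERAL" --dport "$EPHEMERAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log every other new connection attempt, then drop whatever is left.
    $IPT -A "$CHAIN" -o "$OUT_IF" -m state --state NEW -j LOG --log-prefix "$LOG_PREFIX"
    $IPT -A "$CHAIN" -o "$OUT_IF" -j DROP
}

# Verification. Because PASV picks a random port, test the negative case
# instead of telnetting to "the ftpdata port": open a bare connection to a
# high port with no FTP control session behind it, e.g.
#     nc -z -w 3 198.51.100.20 50123
# It must time out, "conntrack -L expect" must show no expectation for it,
# and the kernel log must carry one SYN with the prefix. This function reads
# LOG output (dmesg or syslog) and prints "DST:DPT" for each denied SYN,
# ignoring lines without the prefix or without the SYN flag.
denied_targets() {
    grep "$LOG_PREFIX" | grep ' SYN ' |
        sed -n 's/.*DST=\([0-9.][0-9.]*\).*DPT=\([0-9][0-9]*\).*/\1:\2/p'
}

# Constructed sample log (not captured from a real host): one dropped SYN to
# a high port, one dropped ping, one unrelated sshd line.
SAMPLE_LOG="$(printf '%s\n' \
 'Jan  6 11:06:02 fw kernel: dsl-out-deny: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=41234 DPT=50123 WINDOW=29200 RES=0x00 SYN URGP=0' \
 'Jan  6 11:06:05 fw kernel: dsl-out-deny: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1' \
 'Jan  6 11:06:09 fw sshd[2201]: Accepted publickey for todd from 203.0.113.5 port 51022 ssh2')"

# Stand-alone run: print the rule set, then the denied targets in the sample.
passive_ftp_rules
printf '%s\n' "$SAMPLE_LOG" | denied_targets
```

Run as-is it only prints the iptables commands and "198.51.100.20:50123", the one denied SYN in the sample. With IPT=iptables MODPROBE=modprobe as root it appends the rules to an existing dsl-out chain; the port-21 CT binding is the part most often missing on a current kernel, and without it the data-channel SYN is never RELATED and the transfer hangs exactly as Todd's first post describes.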