Stateful firewalls and FTP

A few common problems when setting up a stateful firewall to allow FTP traffic.

FTP needs a separate data connection for transferring files or file listings. It has two modes of operation

passive

The clients request the server to listen for a connection. The server responds with the address and port where it is listening for the data connection. The client connects.

active

The client listens on a port for the data connection. The client notifies the server about the address and port. The server connects to the client



Stateful firewalls only allow specific traffic or already established/related traffic. Since the data connection uses a separate port it cannot easily be distinguished as being related to the legitimate FTP connection. This is where the helpers come in play.

ip_conntrack_ftp is a module that monitors ftp traffic and marks a data connection as RELATED to the control connection of a FTP session. When using the module, make sure you pass the option ports=21, or it will monitor all traffic and probably be very slow. This is easily done from /etc/modules.conf.

In order to allow data connections behind a NAT, the ip_nat_ftp module can do the trick. The ip_nat_ftp module depends on the the ip_conntrack_ftp module and does not need any parameters.

If the FTP session is encrypted (TLS for example) there is no way to statefully let the data connections through. When running a FTP server behind a NAT that allows encrypted connections the only solution is to specify the ports that it will listen on for passive connections and explicitly allow those.

Comments

Post a Comment

Popular posts from this blog

FreeIPA cluster with containers

Notes on how to install a FreeIPA cluster on Ubuntu. Mostly following the instructions on https://github.com/freeipa/freeipa-container Start with what would be the primary host. If you install a third replica you would want to review the replica agreements to ensure you have a two-way replication between all pairs of nodes.
Read more

ADSL Router Model CT-5367 user and pass (VIVACOM)

Writing down the username and password for the vivacom ADSL router, in case I need it again. user: root pass: warmWLspot Useful to telnet 192.168.1.1 and then reboot . Originally found at Neo2SHYAlien blog . And here I found passwords for other models, just in case. ZTE ZXDSL 832 username: root password: GSrootaccess ZTE ZXDSL 831 username: root password: GSrootaccess ZTE username: root password: 831access Huawei SmartAX MT882 username: root password: MT882rootaccess ZTE ZXDSL-531b username: root password: rootWLaccess Pirelli – DRG – A124G username: root password: warmWLspot Comtrend CT-5367 username: root password: warmWLspot HG530 Home Gateway username: root password: warmWLspot
Read more

Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data. Device Start End Sectors Size Type /dev/sda1 2048 32767 30720 15M BIOS boot /dev/sda2 32768 442367 409600 200M Linux filesystem /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem Encrypt partitions number 2 and 3, and open them cryptsetup luksFormat /dev/sda2 cryptsetup luksFormat /dev/sda3 cryptsetup luksOpen /dev/sda2 crypt_boot cryptsetup luksOpen /dev/sda3 crypt_data Format the boot partition mkfs.btrfs /dev/mapper/crypt_boot Prepare LVM for the rest, and format the top level vgcreate vg0 /dev/mapper/crypt_data lvcreate -l 100%FREE -n data vg0 mkfs.btrfs /dev/vg0/data Mount and set up any subvolumes mount /dev/vg0/data /mnt/gentoo btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home umount /mnt/gentoo Now...
Read more