* port filtering
@ 2005-06-02 14:40 Sadus .
2005-06-02 14:59 ` Eduardo Spremolla
2005-06-02 15:18 ` Taylor, Grant
0 siblings, 2 replies; 5+ messages in thread
From: Sadus . @ 2005-06-02 14:40 UTC (permalink / raw)
To: netfilter
Is there a way to do port filtering as in allow only the FTP protocol to use
port 21 and no other protocol, such as opening apache on port 21 or
opening SSH on port 443, which should ONLY be used for HTTPS?
thanks
--
Sadus . <sadus@swiftbin.net>
Swiftbin.net
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: port filtering
2005-06-02 14:40 port filtering Sadus .
@ 2005-06-02 14:59 ` Eduardo Spremolla
2005-06-02 15:30 ` Jörg Harmuth
2005-06-02 15:18 ` Taylor, Grant
1 sibling, 1 reply; 5+ messages in thread
From: Eduardo Spremolla @ 2005-06-02 14:59 UTC (permalink / raw)
To: Sadus .; +Cc: netfilter
I suppose you have a firewall that allows outgoing traffic on port 21?
Or is it incoming?
Anyway, you can't tell if the traffic on port 21 is ftp, telnet or http
without looking at higher-layer protocols. I don't know of any support for that
in netfilter. Maybe you need to set up a transparent proxy.
LALO
On Thu, 2005-06-02 at 17:40 +0300, Sadus . wrote:
> Is there a way to do port filtering as in allow only the FTP protocol to use
> port 21 and no other protocol, such as opening apache on port 21 or
> opening SSH on port 443, which should ONLY be used for HTTPS?
>
> thanks
>
This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not the intended recipient please inform the sender immediately by answering this e-mail, and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that is not the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.
* Re: port filtering
2005-06-02 14:40 port filtering Sadus .
2005-06-02 14:59 ` Eduardo Spremolla
@ 2005-06-02 15:18 ` Taylor, Grant
2005-06-02 15:58 ` Sadus .
1 sibling, 1 reply; 5+ messages in thread
From: Taylor, Grant @ 2005-06-02 15:18 UTC (permalink / raw)
To: netfilter
Sadus . wrote:
> Is there a way to do port filtering as in allow only the FTP protocol to use
> port 21 and no other protocol, such as opening apache on port 21 or
> opening SSH on port 443, which should ONLY be used for HTTPS?
To enforce only ftp access on port 21 you will need to run some sort of filter that will enforce only ftp commands, or something else that will detect ftp commands or not. The Layer 7 match extension will do this for you. There are caveats to using the l7 filter, as it tends to be less and less accurate the more complex the protocol is, but ftp does not fall into this category. L7 filter will put some additional load on your firewall / router too, as it has to inspect the higher layer packet and pass it through a regular expression to match (or not) the packet, hence you don't want all your traffic to pass through an l7 filter, just the traffic that is destined to or from port 21. I might also suggest that you connmark the known ftp traffic so you can match against the mark on subsequent packets and not have to pass all the packets of any given connection through the l7 filter, just enough to identify the traffic. For more information on the "Application Layer Packet Classifier for Linux" (Layer 7) go to http://l7-filter.sourceforge.net/ and take a look. I have played with the l7 filter a little bit and was fairly impressed; however, I do not currently have it on any of my production firewalls. If you need / want more help with this let me know.
Grant. . . .
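The rule layout Grant describes, as an added example that is not part of the thread: only port 21 traffic is sent through the layer7 match, and a CONNMARK short-circuit ensures each connection is run through the ftp regular expression only until it has been classified. It assumes a host-based firewall (rules in INPUT), mark value 1 for "classified as FTP", a 10-packet grace window enforced with the connbytes match (the layer7 match cannot classify a connection before it has seen payload, so the TCP handshake must be let through), and the layer7 kernel patch and iptables extension from the linked project being installed. These are the example's own choices; the script prints the iptables commands by default and only applies them when IPT is set to the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): restrict TCP/21 to connections that the
# l7-filter "ftp" pattern recognises, and use CONNMARK so that only the first
# packets of each connection are run through the layer7 regex.
# Assumptions: host firewall (INPUT chain), mark value 1 for "FTP", a 10-packet
# grace window via the connbytes match, layer7 match installed.
#
# Dry run by default:      sh ftp-only.sh         (prints the commands)
# Apply for real:          IPT=iptables sh ftp-only.sh
IPT="${IPT:-echo iptables}"
FTP_MARK=1          # connmark meaning "layer7 classified this flow as FTP"
GRACE_PKTS=10       # packets a flow may exchange before it must be classified

ftp_only_rules() {
    # 1. Copy any existing connection mark onto the packet so later rules can
    #    test it cheaply without touching the payload.
    $IPT -t mangle -A PREROUTING -p tcp --dport 21 -j CONNMARK --restore-mark

    # 2. Flows already known to be FTP stop here. In the mangle table ACCEPT
    #    only ends traversal of this chain; the filter table still runs.
    $IPT -t mangle -A PREROUTING -p tcp --dport 21 -m mark --mark "$FTP_MARK" -j ACCEPT

    # 3. Only still-unmarked flows reach the (comparatively expensive) layer7
    #    match. When the ftp pattern matches, the connection is marked once and
    #    rule 2 handles every later packet of that connection.
    $IPT -t mangle -A PREROUTING -p tcp --dport 21 -m mark --mark 0 \
        -m layer7 --l7proto ftp -j CONNMARK --set-mark "$FTP_MARK"

    # 4. Policy in the filter table: classified FTP is allowed; a flow that has
    #    not been classified yet gets a short grace window (the handshake and the
    #    banner exchange give the regex little or nothing to look at); anything
    #    still unclassified after that window is logged (rate-limited) and dropped.
    $IPT -A INPUT -p tcp --dport 21 -m connmark --mark "$FTP_MARK" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -m connbytes --connbytes 0:"$GRACE_PKTS" \
        --connbytes-dir both --connbytes-mode packets -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -m limit --limit 5/min -j LOG \
        --log-prefix "non-ftp on 21: "
    $IPT -A INPUT -p tcp --dport 21 -j DROP
}

# Number of rules that invoke the layer7 match. The point of the connmark
# short-circuit is that this stays at one, and only unmarked packets hit it.
layer7_rule_count() {
    ( IPT="echo iptables"; ftp_only_rules ) | grep -c -- '-m layer7'
}

# Total number of rules the script would install.
rule_count() {
    ( IPT="echo iptables"; ftp_only_rules ) | grep -c '^iptables'
}

ftp_only_rules
```

The mark test in rule 2 is what keeps the cost down: a long FTP data session is matched by `-m mark` on every packet after classification instead of being fed to the regex again. The grace window is the unavoidable trade-off of any payload-based classifier: a non-FTP client gets roughly ten packets before the DROP rule applies, which is why the LOG rule is there, so that such attempts are visible in the logs.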
* Re: port filtering
2005-06-02 14:59 ` Eduardo Spremolla
@ 2005-06-02 15:30 ` Jörg Harmuth
0 siblings, 0 replies; 5+ messages in thread
From: Jörg Harmuth @ 2005-06-02 15:30 UTC (permalink / raw)
To: netfilter
Hi,
Eduardo Spremolla schrieb:
> I suppose you have a firewall that allows outgoing traffic on port 21?
> Or is it incoming?
>
> Anyway, you can't tell if the traffic on port 21 is ftp, telnet or http
> without looking at higher-layer protocols. I don't know of any support for that
> in netfilter. Maybe you need to set up a transparent proxy.
>
Maybe this is of use:
http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter
Have a nice time,
Joerg
* Re: port filtering
2005-06-02 15:18 ` Taylor, Grant
@ 2005-06-02 15:58 ` Sadus .
0 siblings, 0 replies; 5+ messages in thread
From: Sadus . @ 2005-06-02 15:58 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter
Thanks for the info,
Actually I was just curious if something like that existed. I came
across an article on a Windows system administration website that
mentioned the feature of "Port Filtering" and I didn't know that such a
thing existed.
On Thu, 2005-06-02 at 10:18 -0500, Taylor, Grant wrote:
> Sadus . wrote:
> > Is there a way to do port filtering as in allow only the FTP protocol to use
> > port 21 and no other protocol, such as opening apache on port 21 or
> > opening SSH on port 443, which should ONLY be used for HTTPS?
>
> To enforce only ftp access on port 21 you will need to run some sort of filter that will enforce only ftp commands, or something else that will detect ftp commands or not. The Layer 7 match extension will do this for you. There are caveats to using the l7 filter, as it tends to be less and less accurate the more complex the protocol is, but ftp does not fall into this category. L7 filter will put some additional load on your firewall / router too, as it has to inspect the higher layer packet and pass it through a regular expression to match (or not) the packet, hence you don't want all your traffic to pass through an l7 filter, just the traffic that is destined to or from port 21. I might also suggest that you connmark the known ftp traffic so you can match against the mark on subsequent packets and not have to pass all the packets of any given connection through the l7 filter, just enough to identify the traffic. For more information on the "Application Layer Packet Classifier for Linux" (Layer 7) go to http://l7-filter.sourceforge.net/ and take a look. I have played with the l7 filter a little bit and was fairly impressed; however, I do not currently have it on any of my production firewalls. If you need / want more help with this let me know.
>
>
>
> Grant. . . .
>
--
Sadus . <sadus@swiftbin.net>
Swiftbin.net