hole in e.g. conntrack_ftp - current status, awareness in frontends?

All of lore.kernel.org
 help / color / mirror / Atom feed

* hole in e.g. conntrack_ftp  - current status, awareness in frontends?
@ 2012-06-23 11:07 Alan Jenkins
  0 siblings, 0 replies; only message in thread
From: Alan Jenkins @ 2012-06-23 11:07 UTC (permalink / raw)
  To: netfilter

  [2010] http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
  [2007] 
http://www.linksysinfo.org/index.php?threads/disable-ftp-nat-helper.23156/

The articles I read suggest that -

  1.  Conntrack_ftp lets local users open arbitrary ports.  (To support 
ftp's broken "active" mode).
  2.  It can be triggered by data in connections which aren't really ftp 
(just on the same port).
  3.  It can be triggered by visiting a website.
=> Conntrack_ftp lets user-visited websites bypass what I *thought* my 
firewall rules meant :(

Firefox users should be safe.  By default, Firefox blocks connections to 
port 21, to stop a different attack which has similar consequences.[1]  
(And then there's the uPnP authentication argument.  If you don't 
control your clients, they can always access your firewalled services 
directly, so what's the difference?).  I expect most browsers do 
something similar.

I still worry about it.  There's more than just conntrack_ftp.  
conntrack_irc is also known to be affected.  Firefox's port banning was 
intended to fix a problem with text-based protocols. I don't know that 
conntrack helpers for binary protocols are always strict enough to 
prevent it (or could be).  Then there's FTP urls... other protocols that 
could use server-controlled ports, e.g. from SRV DNS records...  
"Defense in depth" says I just want to disable all the conntrack helpers.

So, that still leaves me with questions.  Maybe this list can help.

1.  Have I missed any updates or limitations that make this *less* worrying?
2.  Am I wrong to worry about it?
3.  Are there any firewall configuration tools that acknowledge this, as 
an issue to worry about?  I've checked three (see below); they seem to 
enable it by default.  All of them let you disable it, but they don't 
document why you might want to do so.

http://www.shorewall.net/FTP.html#Conntrack (what I use now).
http://wiki.openwrt.org/doc/howto/netfilter
ufw

4. Implicit in the above - if I'm right to worry, does the documentation 
for the above tools need improving? (so that everyone will worry about 
it :).

Regards
Alan

[1] http://kb.mozillazine.org/Network.security.ports.banned.override

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2012-06-23 11:07 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-06-23 11:07 hole in e.g. conntrack_ftp - current status, awareness in frontends? Alan Jenkins

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.