Linux Netfilter discussions
From: MargoAndTodd <margoandtodd@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: passive mode ftp high ports driving me nuts
Date: Sat, 09 Jan 2010 08:33:09 -0800
Message-ID: <4B48AFC5.7020003@gmail.com>
In-Reply-To: <4B488CF4.40506@chello.at>

On 01/09/2010 06:04 AM, Mart Frauenlob wrote:
> On 09.01.2010 14:55, Mart Frauenlob wrote:
>> On 09.01.2010 03:59, MargoAndTodd wrote:
>>> On 01/08/2010 02:24 AM, Mart Frauenlob wrote:
>>>
>>>>> It is the "--sport $unassgn --dport $unassgn" that is killing me.
>>>>> How do I restrict the last three to just passive mode ftp?
>>>>>
>>>>
>>>> use the 'helper' match extension. i.e: -m helper --helper ftp.
>>>> if you need to distinguish between active and passive, you still can use
>>>> the port and state matches for that.
>>>
>>> Hi Mart,
>>>
>>> Works perfectly.  Thank you!
>>>
>>> -T
>>>
>>> p.s. my new rules:
>>>
>
> [...]
>
>>
>> if you use user-defined chains (which is good), take full advantage of
>> it, by not repeating so many values in your ruleset. i.e. dsl-in will
>> always have -i eth1 and -d $eth1_addr.
>> you don't need -d $ANY_IP, just leave it out, gives the same result.
>> you don't need --syn, if you rely on conntrack helper match.
>>
>> let me suggest a more structured approach:
>>
>
> [...]
>
>>
>> as an untested example with some additional design considerations for
>> invalid packets and related icmp.
>>
>
> sorry had the naming for dsl-for and dsl-fwd mixed up, again corrected:
>
> # assuming DROP policy for INPUT,OUTPUT,FORWARD...
>
>
> for x in dsl-in dsl-out dsl-for invalid; do
> 	$ipt -N $x
> done
>
> # sort out the illegal packets - could add more eventually...
> $ipt -A invalid -p tcp ! --syn -m state --state NEW -j DROP
> $ipt -A invalid -m state --state INVALID -j DROP
>
> # global rules:
> # allow established - speed up processing by placing rule on top
> # then sort out bad ones
> # allow related icmp
> for x in INPUT OUTPUT FORWARD; do
> 	$ipt -A $x -m state --state ESTABLISHED -j ACCEPT
> 	$ipt -A $x -j invalid
> 	$ipt -A $x -p icmp -m state --state RELATED -j ACCEPT
> done
>
> # allow the related ftp packets
> for x in dsl-in dsl-out dsl-for; do
> 	$ipt -A $x -m helper --helper ftp -j ACCEPT
> done
>
> # allow new outgoing ftp connections
> $ipt -A dsl-out -p tcp --dport 21 -m state --state NEW -j ACCEPT
> $ipt -A dsl-for -s $internal_net -p tcp --dport 21 -m state --state NEW -j ACCEPT
>
> # jump tree
> $ipt -A INPUT -i eth1 -d $eth1_addr -j dsl-in
> $ipt -A OUTPUT -o eth1 -s $eth1_addr -j dsl-out
> $ipt -A FORWARD -i eth1 -d $internal_net -j dsl-for
> $ipt -A FORWARD -o eth1 -s $internal_net -j dsl-for
>


Thank you!
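As an added example (not code from this thread or from Mart's ruleset), the following shell fragment shows how the helper match, combined with the port and state matches Mart mentions, can admit passive-mode FTP data connections while refusing active-mode ones; the dsl-for chain name follows the quoted ruleset, while the CT rules in the raw table, the $internal_net value and the ipt dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: passive-only FTP data policy for a forwarding firewall.
# Every rule goes through $ipt, so setting ipt=echo gives a dry run.
ipt="${ipt:-echo /sbin/iptables}"
internal_net="${internal_net:-192.168.1.0/24}"   # constructed sample value

ftp_rules() {
    # Since kernel 3.5 the ftp helper is no longer attached automatically;
    # without these rules the data connections never become RELATED and
    # the helper match below never fires (assumption: nf_conntrack_ftp loaded).
    $ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $ipt -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp

    # Control connection: LAN clients may open it.
    $ipt -A dsl-for -s "$internal_net" -p tcp --dport 21 \
         -m conntrack --ctstate NEW -j ACCEPT

    # Passive data: LAN client -> server high port. helper + RELATED
    # replaces the wide-open "--sport unassigned --dport unassigned" rule.
    $ipt -A dsl-for -s "$internal_net" -p tcp --dport 1024:65535 \
         -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

    # Active data: server port 20 -> LAN client. Log, then drop, so only
    # passive mode crosses the firewall.
    $ipt -A dsl-for -d "$internal_net" -p tcp --sport 20 \
         -m conntrack --ctstate RELATED -m helper --helper ftp \
         -j LOG --log-prefix "active-ftp-blocked: "
    $ipt -A dsl-for -d "$internal_net" -p tcp --sport 20 \
         -m conntrack --ctstate RELATED -m helper --helper ftp -j DROP
}

# Dry-run check: how many rules rely on the helper rather than bare ports.
helper_rule_count() {
    ( ipt=echo; ftp_rules ) | grep -c -- '-m helper --helper ftp'
}

ftp_rules
```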


Thread overview: 8+ messages
2010-01-07 19:13 passive mode ftp high ports driving me nuts MargoAndTodd
2010-01-08 10:24 ` Mart Frauenlob
2010-01-08 16:09   ` MargoAndTodd
2010-01-08 16:40     ` Mart Frauenlob
2010-01-09  2:59   ` MargoAndTodd
2010-01-09 13:55     ` Mart Frauenlob
2010-01-09 14:04       ` Mart Frauenlob
2010-01-09 16:33         ` MargoAndTodd [this message]