RE: PASV rules opening up my high-ports - Whoops - sent the first one in HTML

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of jherschel
> Sent: Monday, May 26, 2003 10:01 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: PASV rules opening up my high-ports - Whoops - sent 
> the first one in HTML
> 
> 
> Howdy,
> 
> Thanks in advance for reading this, if this is a common 
> issue, I apologize - but could you point me to a searchable 
> archive so I don't bug this list with previously asked questions?
> 
> Anyways - here goes.
> 
> I've got rules for FTP inbound/outbound for both PORT and 
> PASV connections. I'm also running MySQL, which defaults to port 3306.
> 
> If FTP PASV rules are enabled, either as a server or client, 
> it seems all my high ports are open to be connected to.  I've 
> tried enforcing state, but I end up either breaking the rule 
> so that FTP doesn't work, or I end up opening the high-ports again.
> 
> Is there a way to fix this by developing a better rule? Or 
> should I limit my PASV ports to a range that does not overlap 
> with other services?
> 

Something like this:

# Let connection tracking accept replies and, once the FTP helper is
# loaded, the data connection it expects (marked RELATED), instead of
# opening the whole 1024-65535 range with a static rule.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Passive and active ftp
modprobe ip_conntrack_ftp
#FW to FTP servers
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
#FTP Clients to FW (uncomment if the firewall itself runs the FTP server)
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT

/Klintan
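To show why the conntrack-based rules above keep ports like MySQL's 3306 closed, here is a small model, added as an illustration and not netfilter code or anything posted in this thread: the FTP helper reads the server's `227 Entering Passive Mode` reply and registers one expectation for exactly the announced port, so only that data connection matches RELATED, whereas a static rule for the unprivileged range matches every high port. The `FtpHelper` class, its strict address check, and all addresses and ports are constructed for the example.

```python
import re

# Constructed model of the ip_conntrack_ftp PASV handling; not the kernel code.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 PASV reply, or None if absent."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h = m.groups()
    ip = ".".join(h[:4])
    port = int(h[4]) * 256 + int(h[5])  # p1,p2 encode the port as p1*256 + p2
    return ip, port


class FtpHelper:
    """Tracks PASV replies on the control channel and the data connections they justify."""

    def __init__(self):
        self.expected = set()  # (client, server, port) tuples allowed once as RELATED

    def observe(self, client_ip, server_ip, reply):
        """Inspect one server-to-client control reply; register an expectation if PASV."""
        parsed = parse_pasv(reply)
        if parsed is None:
            return False
        ip, port = parsed
        # Strict address check (modelled on the helper's non-loose behaviour):
        # the announced address must be the server we are already talking to.
        if ip != server_ip:
            return False
        self.expected.add((client_ip, server_ip, port))
        return True

    def allow_related(self, src, dst, dport):
        """Would a new connection src->dst:dport be accepted as RELATED? Consumes the expectation."""
        key = (src, dst, dport)
        if key in self.expected:
            self.expected.remove(key)  # one expectation covers exactly one data connection
            return True
        return False


def static_high_port_rule(dport):
    """The approach the poster started with: a rule accepting the whole unprivileged range."""
    return 1024 <= dport <= 65535
```

Run against a PASV reply announcing port 51245, the helper accepts only that one connection and rejects a follow-up to 3306, while `static_high_port_rule(3306)` is true, which is exactly the exposure described in the question.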



