hole in e.g. conntrack_ftp - current status, awareness in frontends?

 [2010] http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
[2007] http://www.linksysinfo.org/index.php?threads/disable-ftp-nat-helper.23156/

The articles I read suggest that -

1. Conntrack_ftp lets local users open arbitrary ports. (To support ftp's broken "active" mode).
2. It can be triggered by data in connections which aren't really ftp (just on the same port).
3. It can be triggered by visiting a website.
=> Conntrack_ftp lets user-visited websites bypass what I *thought* my firewall rules meant :(

Firefox users should be safe. By default, Firefox blocks connections to port 21, to stop a different attack which has similar consequences.[1] (And then there's the uPnP authentication argument. If you don't control your clients, they can always access your firewalled services directly, so what's the difference?). I expect most browsers do something similar.

I still worry about it. There's more than just conntrack_ftp. conntrack_irc is also known to be affected. Firefox's port banning was intended to fix a problem with text-based protocols. I don't know that conntrack helpers for binary protocols are always strict enough to prevent it (or could be). Then there's FTP urls... other protocols that could use server-controlled ports, e.g. from SRV DNS records... "Defense in depth" says I just want to disable all the conntrack helpers.

So, that still leaves me with questions.  Maybe this list can help.

1. Have I missed any updates or limitations that make this *less* worrying?
2. Am I wrong to worry about it?
3. Are there any firewall configuration tools that acknowledge this, as an issue to worry about? I've checked three (see below); they seem to enable it by default. All of them let you disable it, but they don't document why you might want to do so.

http://www.shorewall.net/FTP.html#Conntrack (what I use now).
http://wiki.openwrt.org/doc/howto/netfilter
ufw

4. Implicit in the above - if I'm right to worry, does the documentation for the above tools need improving? (so that everyone will worry about it :).


Regards
Alan

[1] http://kb.mozillazine.org/Network.security.ports.banned.override
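One concrete defensive configuration for the concern raised above, as an added example that is not part of the post or of the netfilter project: on Linux 3.5 and later the kernel can be told to stop auto-attaching helpers by port (sysctl net.netfilter.nf_conntrack_helper=0), and the ftp helper is then bound explicitly with the iptables CT target in the raw table, restricted to the FTP server you actually use, so a browser talking to port 21 anywhere else gets plain conntrack and cannot create expectations. The addresses 192.0.2.10 and 192.0.2.20 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux >= 3.5 (the
# net.netfilter.nf_conntrack_helper sysctl and the iptables CT target),
# and that the helper modules (nf_conntrack_ftp, nf_conntrack_irc) are
# loaded, since "-j CT --helper" fails when the named helper is absent.

# Report whether the kernel is still auto-attaching helpers by port.
# $1 (optional) overrides the sysctl path so a saved copy can be audited.
# Prints "on", "off" or "unknown" (pre-3.5 kernel, or conntrack not loaded).
auto_helper_status() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    case "$(cat "$f")" in
        0) echo off ;;
        1) echo on ;;
        *) echo unknown ;;
    esac
}

# Emit the commands that replace auto-assignment with explicit helper rules.
# Arguments are helper=port[@server] specs, e.g. ftp=21@192.0.2.10.
# When a server is given, only control connections to that host get the
# helper; without it the helper is still limited to the one port, but any
# destination on that port can drive it.
helper_rules() {
    echo "sysctl -w net.netfilter.nf_conntrack_helper=0"
    for spec in "$@"; do
        helper="${spec%%=*}"
        rest="${spec#*=}"
        port="${rest%%@*}"
        dst=""
        case "$rest" in
            *@*) dst="-d ${rest#*@} " ;;
        esac
        # raw table: the helper is chosen before conntrack sees the flow.
        # PREROUTING covers forwarded LAN clients, OUTPUT the firewall itself.
        echo "iptables -t raw -A PREROUTING -p tcp ${dst}--dport $port -j CT --helper $helper"
        echo "iptables -t raw -A OUTPUT -p tcp ${dst}--dport $port -j CT --helper $helper"
    done
}

# Usage: sh helpers.sh  (prints the audit result and the rules to apply)
echo "automatic helper assignment: $(auto_helper_status)"
helper_rules ftp=21@192.0.2.10 irc=6667@192.0.2.20
```

Note that a helper bound this way still parses the control connection it is attached to, so the browser-side port blocking mentioned in the post remains relevant for any port you do assign a helper to.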