Any danger from these ports?

Guy Fraser guy at incentre.net
Thu Jan 13 15:43:58 UTC 2005


On Wed, 2005-12-01 at 22:47 -0500, Charles R. Anderson wrote:
> On Thu, Jan 13, 2005 at 01:03:18AM +0100, Alexander Dalloz wrote:
> > It is much better to use ip_conntrack_ftp iptables helper module and the
> > stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to
> > "blindly" open a range of high ports. Why use ipchains, which is not
> > stateful, when you have iptables?
> 
> Because the box is a RHL 7.3 box and I was only familiar with ipchains
> at the time.  Because non-stateful firewalls by their very nature
> operate in a simpler manner that is less likely to break.  Because I
> know nothing besides FTP is using the passive port range I chose. 
> Note that I did qualify my statements with "If you are not using a
> stateful firewall with a FTP helper"...
> 
The kernel used in 7.3 most certainly was capable of connection 
tracking for FTP. It had been discussed many times in the mailing 
lists. If I remember correctly, it was a module called nat_ftp.

Although most of the firewalls I configure do not do NAT, I have 
built a dozen or so NAT firewalls using ipchains, and ipforward 
(the firewall system before ipchains, IIRC) had kernel modules 
that allowed FTP connection tracking, because Macs couldn't do 
passive FTP at the time.

> If I was going to set this up again today, I would probably use what
> you suggest.
