
FW: NAT




Hello Everyone,

Couple of days ago I had posted rules that allowed active ftp to
work via ipfilter.  Matthew Patton, has pointed out that the
rules that I posted are not secure.  So please read the
explanation from Matthew and make your own decision on if you can
live with the risk.

Thanks Matthew.

- Deepak

=============================================
First Message
=============================================
-----Original Message-----
From: Matthew Patton [mailto:matthew.patton@netsec.net]
Sent: Wednesday, September 22, 1999 10:27 AM
To: Deepak Vaidya
Subject: Re: NAT



actually the rules are insecure. you're basically allowing any person
with a program to access your box as long as the connection originates
on port 20. that being said it's the best way to go about it as of this
time. What we really need is for ipfilter to add/delete ipf & ipnat
rules for each data connection.

Deepak Vaidya wrote:
> Use the rules at your own risk.  I am not sure if what I am doing
> is secure, I think it is secure, but not 100% sure.  If folks on
> the list think that the rules are insecure please let me know and
> why you think the rules are insecure.  I am still learning how to
> use ipfilter properly.


====================================
Second Message
====================================

-----Original Message-----
From: Matthew Patton [mailto:matthew.patton@netsec.net]
Sent: Wednesday, September 22, 1999 10:47 AM
To: Deepak Vaidya
Subject: Re: NAT


with 'rdr' rules. as to active ftp, it's the only way to do it at this
time. It's not a colossal mess, just a note of caution, that's all. The
issue is really a matter of granularity. The returning connection won't
get very far without the 'rdr' being put in place by the proxy module.
So no, it's not possible to simply scan your box from port 20, there has
to be an active mode FTP currently in use. The likelihood of attacking
the box at the precise time a xfer is happening is not very big.

Deepak Vaidya wrote:
>
> Thanks Matthew.  I will go ahead and remove the rule.  One
> question how can one connect to the private network over the
> Internet?
>
> Thanks
> - Deepak
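As an added illustration of the granularity problem discussed in both of Matthew's messages, here is an assumed ipfilter configuration for a gateway. It is not the ruleset Deepak originally posted (which does not appear in this thread), and the interface name `ed0`, the private network `192.168.1.0/24` and the file paths are assumptions. It places the weak source-port-only rule, commented out, beside a tighter version, and shows the `ipnat` proxy line that creates the per-transfer `rdr` Matthew refers to.

```conf
# ---- /etc/ipnat.conf (assumed example, not rules from this thread) ----
# The ftp proxy reads PORT commands from clients on the private net and
# installs a temporary 'rdr' for each active-mode data connection, so the
# inbound server->client connection only has somewhere to go while a
# transfer is in progress. Proxy rules must come before the generic maps,
# because ipnat uses the first matching rule.
map ed0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map ed0 192.168.1.0/24 -> 0/32

# ---- /etc/ipf.conf (assumed example) ----
# Weak: trusts the source port alone. Any Internet host that binds its
# local port 20 is passed to any destination and any port behind ed0.
#pass in quick on ed0 proto tcp from any port = 20 to any

# Tighter: the returning data connection must be a fresh TCP session
# (flags S), aimed at the private net on an unprivileged port (the range a
# client's PORT command uses), and tracked with keep state so only that
# session's packets are passed afterwards. Inbound NAT runs before the
# filter, so without a proxy-created rdr the packet is still addressed to
# the gateway itself, does not match this rule, and is dropped below.
# The window Matthew describes remains: while a transfer is live, any host
# using source port 20 can still reach the redirected client port.
pass in quick on ed0 proto tcp from any port = 20 to 192.168.1.0/24 port > 1023 flags S keep state

# Everything else inbound on the outside interface is dropped.
block in log quick on ed0 all

# Outbound sessions from the private net, including the FTP control
# connection to port 21, are allowed and state-tracked.
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on ed0 proto udp from 192.168.1.0/24 to any keep state
```

Load order matters: with `quick`, the first matching rule decides, so the narrow pass rule must sit above the catch-all `block in`. The commented-out rule is the shape to avoid; the tighter rule limits damage but does not remove the source-port trust, which is why Matthew says the real fix is per-connection rule management by ipfilter itself.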