[Firewall] Passive FTP Help Please

Wolfgang Farquar: aka, BugEye humpydumore at yahoo.com
Mon Jul 18 11:36:41 CEST 2011


Hi Lonnie,

Looking closer at the variables I've discovered my Westell 6100 has more going on than I suspected. It has low, medium and high security levels as well as port forwarding, DMZ host configuration, remote admin and static NAT. Low allows ftp server access with Arno's loaded. Both medium and high, with or without that ftp rule in place, don't. These last two also don't allow access with Arno's disabled. High goes on to say:

"The high security setting only allows basic Internet functionality. The High security setting guarantees to only pass Mail, News, Web, FTP, and IPSEC. All other traffic is not allowed. High security restricts modification by NAT configuration options."

Medium states: "The medium security setting only allows basic Internet functionality by default, just like High level security. Medium security, however, allows customization through Port Forwarding configuration so certain traffic can pass."

Here's the medium ruleset:

==========

title       [ Security Level Medium IN rules ]

begin

RulesDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
RulesDropTTL
drop match 3 8 { 01:FE } >> alert 4 [TTL of 0 or 1]

RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]


RulesDropICMP
drop protocol icmp >> alert 4 [ICMP Message To WAN IP]

RulesPass
pass all
RulesDropWANUDP
drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
RulesDropWANTCP
drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
RulesDropICMP
drop protocol icmp, to addr %WANADDR%:32 >> done, alert 4 [ICMP Traffic to WAN IP]
end

==========

title       [ Security Level Medium OUT rules ]

begin
# Protocol Match conditions
RulesPass
pass to port 80 >> done
pass from port 80 >> done
pass protocol udp, to port 53 >> done
pass to port 20 >> done
pass from port 20 >> done
pass to port 21 >> done
pass to port 23 >> done
pass to port 110 >> done
pass to port 119 >> done
pass to port 143 >> done
pass to port 220 >> done
pass to port 25 >> done
pass to port 443 >> done
pass to port 500 >> done
pass protocol 50 >> done
pass protocol tcp, from addr %LANADDR% >> state, done

# Failed to match
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
RulesDrop
drop all >> alert 1 [ Packet to be dropped unless Service enabled ]

end

==========

I'm under the impression my setup needs port forwarding? If this is true, the where and how is what I need help with. ifconfig dumps:

inet addr:192.168.1.46  Bcast:255.255.255.255  Mask:255.255.255.0

These are the low rules for reference:

==========

title       [ Security Level Low IN rules ]

begin
RulesDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
RulesPass
pass all

RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
RulesPassUDP
pass protocol udp, to port 53 >> done
pass protocol udp, from port 53 >> done

RulesDropICMP
drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
RulesDropWANUDP
drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
RulesDropWANTCP
drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
RulesPassGoodICMP
pass protocol icmp, to addr %WANADDR%:32 >> done, alert 0 [Responding to WAN Ping]
RulesPassGoodICMP
pass protocol icmp, to addr %LANADDR%:%LANMASK% >> done, alert 0 [Nat'ed LOCAL PING]
end

==========

title       [ Security Level Low OUT rules ]

begin
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]

RulesPass
pass all

end

==========

While in the logging section I caught two medium alerts attempting to connect to ftp.slackware.org.uk.

==========

Packet Details (slackware.org.uk)

  Source IP:        192.168.1.46 (westell)
  Destination IP:   83.170.96.167
  Protocol:         TCP
  Source Port:      47890
  Destination Port: 33358
  TCP Flags:        02 ( syn )

Packet Details (slackware.org.uk)

  Source IP:        83.170.96.167
  Destination IP:   xx.xxx.xx.194 (my current dynamic ip)
  Protocol:         TCP
  Source Port:      21
  Destination Port: 50144
  TCP Flags:        19 ( ack psh fin )

==========

I need a suggestion, a starting point. If the fw format looks familiar, I'd like to hear your thoughts on how to address this. Thanks again.


Stephan
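Added example, not part of the mail above or of the Westell firmware: a small Python evaluator for the OUT rulesets quoted in the message, applied to the first logged packet (the LAN host's SYN to port 33358, which is the passive-mode data connection). It assumes first-match-with-"done" semantics, that an action list without "done" is log-and-continue, and that %LANADDR% expands to the router's own LAN IP (192.168.1.1 here); the rule-name lines are omitted and only a subset of the quoted rules is included.

```python
import re
ROUTER_LAN = "192.168.1.1"  # assumed expansion of %LANADDR% (router's own LAN IP)
# Subset of the quoted Medium OUT rules, in their original order.
MEDIUM_OUT = """
pass protocol udp, to port 53 >> done
pass to port 20 >> done
pass to port 21 >> done
pass protocol tcp, from addr %LANADDR% >> state, done
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
drop all >> alert 1 [ Packet to be dropped unless Service enabled ]
"""
LOW_OUT = """
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
pass all
"""
# Constructed from the first logged packet: the passive-mode data SYN.
DATA_SYN = {"src": "192.168.1.46", "dst": "83.170.96.167", "proto": "tcp", "sport": 47890, "dport": 33358}
def parse_rules(text):
    """'verb cond, cond >> actions [label]' -> list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        head, _, tail = line.partition(">>")
        verb, _, conds = head.strip().partition(" ")
        actions = re.sub(r"\[.*\]", "", tail).replace(" ", "").split(",")
        rules.append({"verb": verb, "done": "done" in actions,
                      "conds": [c.strip() for c in conds.split(",")]})
    return rules
def cond_matches(cond, pkt):
    if cond == "all":
        return True
    if m := re.fullmatch(r"protocol (\w+)", cond):
        return pkt["proto"] == m.group(1)
    if m := re.fullmatch(r"(to|from) port (>=|<=)?\s*(\d+)", cond):
        port = pkt["dport" if m.group(1) == "to" else "sport"]
        op, n = m.group(2), int(m.group(3))
        return port >= n if op == ">=" else port <= n if op == "<=" else port == n
    if m := re.fullmatch(r"(to|from) addr (\S+)", cond):
        addr = pkt["dst" if m.group(1) == "to" else "src"]
        return addr == m.group(2).replace("%LANADDR%", ROUTER_LAN)
    raise ValueError("unsupported condition: " + cond)
def evaluate(rules, pkt):
    # Verdict of the first matching rule marked "done"; otherwise the last match.
    verdict = "drop"
    for r in rules:
        if all(cond_matches(c, pkt) for c in r["conds"]):
            verdict = r["verb"]
            if r["done"]:
                return verdict
    return verdict
```

Under the Medium OUT rules the data SYN to port 33358 matches nothing but "drop all" (the control connection to port 21 still passes), which is consistent with the two alerts in the log; the Low OUT rules pass it.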

