[Firewall] Passive FTP Help Please

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Jul 18 15:11:08 CEST 2011


Stephan,

Sorry, I don't have any experience with your Westell 6100 DSL/Router, possibly someone else here does.

Personally I run Arno's Firewall on small embedded hardware (ex. Soekris net5501 or PCEngines ALIX) using the AstLinux distribution at the edge of my network, behind my transparent cable modem.

Lonnie


On Jul 18, 2011, at 4:36 AM, Wolfgang Farquar: aka, BugEye wrote:

> Hi Lonnie,
> 
> Looking closer at the variables I've discovered my Westell 6100 has more going on than I suspected. It has low, medium and high security levels as well as port forwarding, DMZ host configuration, remote admin and static NAT. Low allows ftp server access with Arno's loaded. Both medium and high, with or without that ftp rule in place, don't. These last two also don't allow access with Arno's disabled. High goes on to say: 
> 
> "The high security setting only allows basic Internet functionality. The High security setting guarantees to only pass Mail, News, Web, FTP, and IPSEC. All other traffic is not allowed. High security restricts modification by NAT configuration options."
> 
> Medium states: "The medium security setting only allows basic Internet functionality by default, just like High level security. Medium security, however, allows customization through Port Forwarding configuration so certain traffic can pass."
> 
> Here's the medium ruleset:
> 
> ==========
> 
> title       [ Security Level Medium IN rules ]
> 
> begin
> 
> RulesDropFrom192
> drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
> RulesDropTTL
> drop match 3 8 { 01:FE } >> alert 4 [TTL of 0 or 1]
> 
> RulesDropAddress
> drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
> 
> 
> RulesDropICMP
> drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
> 
> RulesPass
> pass all
> RulesDropWANUDP
> drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
> RulesDropWANTCP
> drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
> RulesDropICMP
> drop protocol icmp, to addr %WANADDR%:32 >> done, alert 4 [ICMP Traffic to WAN IP]
> end
> 
> ==========
> 
> title       [ Security Level Medium OUT rules ]
> 
> begin
> # Protocol Match conditions
> RulesPass
> pass to port 80 >> done
> pass from port 80 >> done
> pass protocol udp, to port 53 >> done
> pass to port 20 >> done
> pass from port 20 >> done
> pass to port 21 >> done
> pass to port 23 >> done
> pass to port 110 >> done
> pass to port 119 >> done
> pass to port 143 >> done
> pass to port 220 >> done
> pass to port 25 >> done
> pass to port 443 >> done
> pass to port 500 >> done
> pass protocol 50 >> done
> pass protocol tcp, from addr %LANADDR% >> state, done
> 
> # Failed to match
> RulesDropNETBIOS
> drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
> RulesDrop
> drop all >> alert 1 [ Packet to be dropped unless Service enabled ]
> 
> end
> 
> ==========
> 
> I'm under the impression my setup needs port forwarding? If this is true, the where and how is what I need help with. ifconfig dumps:
> 
> inet addr:192.168.1.46  Bcast:255.255.255.255  Mask:255.255.255.0
> 
> These are the low rules for reference:
> 
> ==========
> 
> title       [ Security Level Low IN rules ]
> 
> begin
> RulesDropFrom192
> drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
> RulesPass
> pass all
> 
> RulesDropAddress
> drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
> RulesPassUDP
> pass protocol udp, to port 53 >> done
> pass protocol udp, from port 53 >> done
> 
> RulesDropICMP
> drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
> RulesDropWANUDP
> drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
> RulesDropWANTCP
> drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
> RulesPassGoodICMP
> pass protocol icmp, to addr %WANADDR%:32 >> done, alert 0 [Responding to WAN Ping]
> RulesPassGoodICMP
> pass protocol icmp, to addr %LANADDR%:%LANMASK% >> done, alert 0 [Nat'ed LOCAL PING]
> end
> 
> #########################
> 
> title       [ Security Level Low OUT rules ]
> 
> begin
> RulesDropNETBIOS
> drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
> 
> RulesPass
> pass all
> 
> end
> 
> ==========
> 
> While in the logging section I caught two medium alerts attempting to connect to ftp.slackware.org.uk..
> 
> ==========
> 
> Packet Details (slackware.org.uk)
> 
>   Source IP:        192.168.1.46 (westell)
>   Destination IP:   83.170.96.167
>   Protocol:         TCP
>   Source Port:      47890
>   Destination Port: 33358
>   TCP Flags:        02 ( syn )
> 
> Packet Details (slackware.org.uk)
> 
>   Source IP:        83.170.96.167
>   Destination IP:   xx.xxx.xx.194 (my current dynamic ip)
>   Protocol:         TCP
>   Source Port:      21
>   Destination Port: 50144
>   TCP Flags:        19 ( ack psh fin )
> 
> ==========
> 
> I need a suggestion.. a starting point. If the fw format looks familiar, I'd like to hear your thoughts on how to address this. Thanks again..
> 
> 
> Stephan
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
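The two alerts Stephan quotes are the classic passive FTP pattern: the server announces a high data port on the control connection (port 21), and the client then opens a second outbound connection to it, which a port-based rule that only passes 20 and 21 cannot anticipate. The following Python example is added here and is not from the thread, the Westell router, or Arno's firewall; it parses a PASV 227 reply into that data endpoint and labels the two logged packets accordingly. The 227 line and the placeholder 203.0.113.194 standing in for the elided home address are constructed assumptions.

```python
import re

# Constructed sample: the PASV reply an FTP server sends on the control
# connection (port 21). The thread only shows the resulting SYN to
# 83.170.96.167:33358; this 227 line is an assumption built to match it.
PASV_REPLY = "227 Entering Passive Mode (83,170,96,167,130,78)"

# The two "Packet Details" alerts from the thread. The elided home address
# xx.xxx.xx.194 is replaced by a documentation placeholder.
ALERTS = [
    {"src": "192.168.1.46", "dst": "83.170.96.167",
     "sport": 47890, "dport": 33358, "flags": 0x02},
    {"src": "83.170.96.167", "dst": "203.0.113.194",
     "sport": 21, "dport": 50144, "flags": 0x19},
]

TCP_FLAG_BITS = [("fin", 0x01), ("syn", 0x02), ("rst", 0x04),
                 ("psh", 0x08), ("ack", 0x10), ("urg", 0x20)]

PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def decode_flags(value):
    """Expand the hex flag byte the router logs (02 -> syn, 19 -> fin psh ack)."""
    return [name for name, bit in TCP_FLAG_BITS if value & bit]

def classify(alert, data_endpoint):
    """Label an alert as FTP control, the passive data channel, or other."""
    if 21 in (alert["sport"], alert["dport"]):
        return "ftp-control"
    if ((alert["dst"], alert["dport"]) == data_endpoint
            and "syn" in decode_flags(alert["flags"])):
        return "ftp-passive-data"
    return "other"

def report(alerts=ALERTS, reply=PASV_REPLY):
    """Pair each alert with its label and decoded flags."""
    endpoint = parse_pasv(reply)
    return [(classify(a, endpoint), decode_flags(a["flags"])) for a in alerts]
```

The first alert is the client's SYN to the server-chosen data port, which is why it shows up separately from the control session on port 21; a stateful rule or an FTP connection-tracking helper is what lets a firewall relate the two.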