Request for help: Debian firewall, and maybe some kernel upgrade tips

Jack quiet_celt at yahoo.com
Fri Apr 15 10:13:29 CDT 2005


--- Gerald Combs wrote:
> Justin Dugger wrote:
> >  Actually, you probably need a ftp tracking module installed into the
> >  kernel; ftp has two ports, the command and data port. The command port
> >  is 21, which does things like initiate transfers
> ...
> 
> FTP uses port 21 for commands, such as LIST, PWD, DIR, CD, etc. as you
> stated above.  It uses a separate socket and separate ports for data
> transfers (such as directory listings and files).  Data transfers are
> either "active" or "passive."  For active connections, the server
> initiates a connection _from_ port 20 to a randomly selected port on the
> client.  For passive connections, the client initiates a connection to a
> randomly selected port on the server.  You shouldn't have to unblock
> port 20 no matter what, since there isn't going to be traffic coming
> into that port in either case.
> 
> Firewalls can trip up two things:
> 
> - They can block active data connections to clients (which is why most
>   FTP client software uses passive connections nowadays).
> 
> - If a data connection takes a long time, they can time out the
>   associated command connection (which sits idle).
> 
> To get around these issues firewalls typically use stateful inspection
> or proxying.
Correct me if I'm wrong, but the simple firewall rules posted earlier
would effectively break ftp. Wouldn't the unprivileged ports also be
blocked? Wouldn't you need to specifically allow the unprivileged ports
for either active or passive ftp? Wouldn't you need to allow outbound
ports also? I don't remember all the rules posted, but I would think that
the default rule would be to drop inbound and outbound unused ports.

Brian D.
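As an added illustration of what the "ftp tracking module" discussed above does (this is example code, not from this thread and not the kernel's own ip_conntrack_ftp implementation), here is the control-channel parsing a stateful helper performs to learn which data connection to expect, so the firewall can open just that one hole instead of whole ranges of unprivileged ports. The client/server addresses and the FTP messages are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and the 227 reply to PASV
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract (ip, port) from a PORT command or a 227 'Entering Passive Mode' reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # p1*256 + p2, as FTP encodes the port
    return ip, port


def expected_data_connection(client_ip, server_ip, line):
    """Return (mode, src_ip, dst_ip, dst_port) for the data connection a
    control-channel line announces, or None if the line announces none.
    This is the single 'pinhole' a stateful firewall opens; the command
    channel itself (server port 21) stays an ordinary tracked connection."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        # Active mode: the server will connect from port 20 to the client's
        # chosen port.  Only open a hole toward the client that sent the
        # command, never toward some third address named inside it.
        if ip != client_ip:
            raise ValueError("PORT address %s is not the client %s" % (ip, client_ip))
        return ("active", server_ip, client_ip, port)
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        # Passive mode: the client will connect to the server's chosen port.
        if ip != server_ip:
            raise ValueError("227 address %s is not the server %s" % (ip, server_ip))
        return ("passive", client_ip, server_ip, port)
    return None


if __name__ == "__main__":
    # Constructed exchange between client 10.0.0.5 and server 192.168.1.10
    for msg in ["PORT 10,0,0,5,4,1", "227 Entering Passive Mode (192,168,1,10,195,80)", "LIST"]:
        print(msg, "->", expected_data_connection("10.0.0.5", "192.168.1.10", msg))
```

Note that in neither mode does anything arrive at server port 20 as a destination, which is the point made above about not needing to unblock it.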

