Note: FTP is quite troublesome with the 'ipchains' tools that are used in the 2.2 series of Linux kernels. With the introduction of 'iptables' and the netfilter framework in the 2.4 kernels, the "conntrack" system can be used to easily handle normal FTP transactions, both "active" and "passive", for both FTP clients and servers. This document should help you understand the issues surrounding FTP with Linux 2.2 and 'ipchains'. -Peter Watkins 2001/04/11 README.FTP SECURITY ASPECTS & TROUBLESHOOTING FOR FTP FTP is a problematic protocol. There are two different connection types that are used in FTP. The first is the "control" connection. This connection is initiated by the FTP client software. This is a connection from client:X to server:ftp (port 21) client:X -> server:ftp where "X" is some high (>1023) port number. From a firewall standpoint, the control connection is very straightforward and easy to accommodate. The second is the "data" connection. There are two types of data connection: "active" and "passive". "active" connections are often considered the normal means of getting data from an FTP server. Here are the steps involved in active data transfer: - the FTP client binds to a high port on the client machine (call it "Y") - the FTP client tells the FTP server what port it has chosen - the FTP server initiates a connection from its ftp-data port (port 20) to the port chosen by the FTP client So the active connection looks like server:ftp-data -> client:Y "passive" connections work basically like this: - the FTP client asks the FTP server to use a passive connection for data - the FTP server binds to a high port (call it "N") - the FTP server tells the client which port it has chosen - the FTP client connects from some high port to the port chosen by the server So the passive connection looks like client:Z -> server:N There are firewall problems with both data transfer methods, at least as long as we're using more primitive tools like 'ipchains' that cannot keep track of stateful information; e.g. ipchains cannot tell if a connection from some remote machine's ftp-data port is servicing an FTP session, or simply probing high TCP ports. The problem with active FTP was just described. FTP clients can bind to virtually any high port on the client machine, and we really don't want to allow _any_ remote machine to initiate a connection to _any_ high port on this machine (which is why we have those awful TCP_BLOCKED_SERVICES settings). Briefly, "active" FTP can be a risk for the client. The problem with passive FTP is that the FTP _server_ must be prepared to accept TCP connections on various high ports. We don't want to allow _any_ remote machine to connect to high ports on the FTP server, either. Briefly, "passive" FTP requires loosening firewall restrictions on the server. CONFIGURING YOUR SERVER TO ALLOW "PASSIVE" FTP CLIENTS The recommended way to allow your FTP server to handle passive clients is to configure it to use a certain range of ports, and only loosen the firewall restrictions for those ports. By default, wu-ftpd (the server shipped with Red Hat Linux and many other Linux distributions), will randomly choose any high port on the server machine for data connections. This can be changed in the /etc/ftpaccess configuration file. I suggest picking a range of 2000 or so ports, with the lowest port at least 10000, as many Unix applications like to make use of ports < 10000. To configure wu-ftpd to use only ports 15000 - 17000 for passive FTP, you would add the following line to /etc/ftpaccess: passive ports 0.0.0.0/0 15000 17000 Once you've done that, you need to modify the ipchains firewall, in the file /etc/rc.d/init.d/bastille-firewall so that it will accept connections on those ports. The variables you will want to look at are TCP_PUBLIC_SERVICES and TCP_INTERNAL_SERVICES. For this example, you would add " 15000:17000" to the variable. For instance, if your server _only_ provided FTP service to "public" hosts, and only provided telnet and FTP service to "internal" hosts, you would use the following variable definitions: TCP_PUBLIC_SERVICES="ftp 15000:17000" TCP_INTERNAL_SERVICES"telnet ftp 15000:17000" TROUBLESHOOTING PROBLEMS WITH FTP CLIENT APPS ON BASTILLE SYSTEMS If you have FORCE_PASV_FTP set to the default, "N", your machine will accept active FTP connections on all high ports (except those explicitly blocked). So if you have trouble getting data (note that even the "dir" command has to get data, albeit simply a list of files) with FORCE_PASV_FTP at "N", then you probably have a TCP port blocked that should not be blocked. Use 'lsof -i' (as root) to get a listing of all ports that are listening for services, and see if your TCP_BLOCKED_SERVICES lists ports that are not actually listening for connections. If you have FORCE_PASV_FTP set to "Y", then you will want to make sure you're using your FTP client software in passive mode. Netscape's Web browser should not give you any problems, though with other clients you may need to specify passive mode (regular command-line FTP: issue the command "passive"; ncftp: issue the command "set passive on"; gftp: FTP -> Options -> General -> check "Passive file transfers"). Requiring passive mode for your FTP clients can be somewhat of a hassle, but will generally make your machine more secure. -Peter Watkins 2000/02/19