Hi Roberto (and others who understand this matter)
thanks to your help we got my LVS-NAT secured yesterday by adding
a set of ipchains firewall rules.
You were - as a security expert - unhappy about my desire to run an ftp
server on one of the realservers.
I have now tuned down the range of ports considerably, as I found
the configuration command for proftpd, which allows one to define
PassivePorts.
I now allow only ports 61250:61299 as data ports in passive ftp.
I find that this set of rules works to allow both active ftp (like
from an ncftp client) and passive ftp (like from a Netscape browser):
ALL=0.0.0.0/0
NPORTS=1025:65535
FTP_PORTS=61250:61299
DEP= #(director external IP address)
VIP= #(LVS IP address)
W1=10.1.1.1 #address of realserver running proftpd
IFE=eth1
input rules (policy DENY):
-A input -j ACCEPT -i ${IFE} -p tcp -s ${ALL} -d ${DEP} ${FTP_PORTS}
-A input -j ACCEPT -i ${IFE} -p tcp -s ${ALL} -d ${VIP} ${FTP_PORTS}
-A input -j ACCEPT -i ${IFE} -p tcp -s ${ALL} $NPORTS -d ${VIP} 21
-A input -j ACCEPT -i ${IFE} -p tcp -s ${ALL} $NPORTS -d ${VIP} 20
forward rules (policy DENY):
-A forward -i ${IFE} -s $W1 21 -d $ALL -p tcp -j MASQ
-A forward -i ${IFE} -s $W1 20 -d $ALL -p tcp -j MASQ
Can you have a look at this rule set?
Is the port range of 50 data ports sufficient? (we will allow only
30 ftp connections at the same time, by proftpd configuration)
When I tried using a different FTP_PORTS range, e.g. 48200:48299,
I found that passive ftp does not work.
I get the impression that in the director, ports in the 61000-and-higher
range always get assigned (via masquerading?) even when the ftp server
issues a number in the 48,000s for the DATA port.
I do not understand this bit. Can anyone comment on that?
Alois
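An added example, not part of Alois's message or the LVS project: a small Python checker that decodes the PASV reply a realserver sends, tests whether the advertised data port would pass the `-d ${VIP} ${FTP_PORTS}` input rule, and tests whether a chosen FTP_PORTS range overlaps the range the director rewrites ports into. It assumes the masquerade port range 61000 to 65096 (the default of 2.2-kernel ipchains masquerading) and uses constructed PASV replies for the 10.1.1.1 realserver.

```python
"""Checker for passive-FTP data ports behind an LVS-NAT director (constructed example)."""
import re

# Assumption: ipchains masquerading on a 2.2 kernel rewrites ports into 61000..65096.
MASQ_RANGE = (61000, 65096)

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_range(spec):
    """'61250:61299' -> (61250, 61299), the ipchains port-range syntax used in FTP_PORTS."""
    lo, hi = (int(x) for x in spec.split(":"))
    if not (0 < lo <= hi <= 65535):
        raise ValueError("bad port range: %s" % spec)
    return lo, hi


def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))   # RFC 959: port = p1*256 + p2
    return host, port


def port_allowed(port, ftp_ports):
    """True if the input rule '-d ${VIP} ${FTP_PORTS}' would accept a SYN to this port."""
    lo, hi = parse_range(ftp_ports)
    return lo <= port <= hi


def passive_range_usable(ftp_ports, masq_range=MASQ_RANGE):
    """A PassivePorts range only helps if the ports the client actually sees (after the
    director's masquerading rewrite) can fall inside it, i.e. it overlaps the masq range."""
    lo, hi = parse_range(ftp_ports)
    return lo <= masq_range[1] and hi >= masq_range[0]


def check_pasv(reply, ftp_ports):
    """Return (advertised_port, allowed_by_firewall) for one PASV reply."""
    _, port = parse_pasv(reply)
    return port, port_allowed(port, ftp_ports)


if __name__ == "__main__":
    # Constructed replies: one in the working range, one in the range that failed.
    for reply in ("227 Entering Passive Mode (10,1,1,1,239,72)",
                  "227 Entering Passive Mode (10,1,1,1,188,72)"):
        print(reply, "->", check_pasv(reply, "61250:61299"))
    print("48200:48299 overlaps masq range:", passive_range_usable("48200:48299"))
```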