Bryan K. Staggs wrote:

I am using a remote backup software that requires passive mode. I have shorewall configured to allow port 21 and ports 50000-52048 from anywhere. My backup software is also configured for the same ports and everything works just fine, I just don't like having all those ports open.

My thought is to somehow configure shorewall to dynamically open the required data ports based on the server's "port p" command back to the client and then close it when the client is done transferring files.

Would something like this be possible?

Respectfully,
Bryan Staggs

This transmission (including any attachments) may contain confidential information, privileged material, or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Remco Barendse
Sent: Wednesday, August 24, 2005 2:20 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Custom rule to secure SSH possible with Shorewall?

Thanks all!

I had no idea it was called port knocking but I'm a bit embarrassed I didn't find it on the website. I know it's not really secure but at least it will keep most of the ssh script kiddies out

Thanks! :)

On Tue, 23 Aug 2005, Lucas Velasco wrote:

> Please have a look at http://www.shorewall.net/PortKnocking.html
>
> HTH
>
> On 8/23/05, Remco Barendse <shorewall@barendse.to> wrote:
>> Hi list!
>>
>> On another list I read a suggestion to secure ssh a tiny bit but using a
>> special firewall rule. This is a snippet from the post:
>>
>> ---quote---
>> I have the following in my firewall:
>>
>> -A INPUT -p tcp --dport 12345 -m recent --set
>> -A INPUT -p tcp --dport ssh -m state --state NEW \
>>    -m recent --update --seconds 43200 -j ACCEPT
>>
>> This will only allow SSH from a computer which has telneted to port 12345
>> (obviously I use something else) in the past 12 hours (even the simple
>> windows telnet will work, it's just important to try to connect). Obviously
>> the above could be made more complicated with more than 1 port having to be
>> 'telneted' but I doubt it's worth the trouble.
>> ---unquote---
>>
>> Would anything such be possible with shorewall?
>>
>> Thanks!!
>> Remco
>>
>> -------------------------------------------------------
>> SF.Net email is Sponsored by the Better Software Conference & EXPO
>> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
>> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
>> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
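The two `-m recent` rules quoted in Remco's post are compact enough that their behaviour is easy to misread, in particular what `--update --seconds 43200` does on every later SSH connection. The following is an added example, not code from the thread, from Shorewall or from Netfilter: a small Python model of those two INPUT rules and of the `recent` list behind them, run over a constructed packet trace. It assumes (as the quoted snippet does not state) that the chain drops anything not explicitly accepted, and it evaluates only NEW connections; names such as `RecentList`, `evaluate` and the addresses in the trace are constructed for this illustration.

```python
"""Model of the quoted `-m recent` port-knock rules (added example, not from the thread).

Assumptions (not stated in the quoted snippet): chain policy is DROP, and only
NEW connections are evaluated; ESTABLISHED traffic would be handled by a rule
the snippet does not show.
"""
from dataclasses import dataclass, field

KNOCK_PORT = 12345        # "--dport 12345" in the quoted first rule
SSH_PORT = 22             # "--dport ssh" in the quoted second rule
WINDOW_SECONDS = 43200    # "--seconds 43200" (12 hours)


@dataclass
class RecentList:
    """Models one xt_recent list: source address -> timestamp of last hit."""
    last_seen: dict = field(default_factory=dict)

    def set_entry(self, src, now):
        # `-m recent --set`: add the source, or refresh its timestamp.
        self.last_seen[src] = now

    def update_entry(self, src, now, seconds):
        # `-m recent --update --seconds N`: match only if the source is in the
        # list and was last seen within N seconds. On a match the timestamp is
        # refreshed, which is why an active SSH user never falls out of the
        # window as long as connections keep arriving.
        seen = self.last_seen.get(src)
        if seen is None or now - seen > seconds:
            return False
        self.last_seen[src] = now
        return True


@dataclass
class Packet:
    src: str          # source address (constructed)
    dport: int        # TCP destination port
    t: int            # seconds since an arbitrary epoch (constructed)


def evaluate(packet, recent):
    """Walk the two quoted INPUT rules in order and return the verdict.

    The first quoted rule has no -j target, so it is non-terminal: the knock
    is recorded and the packet continues down the chain, where (under the
    assumed DROP policy) nothing accepts it.
    """
    if packet.dport == KNOCK_PORT:
        recent.set_entry(packet.src, packet.t)
        return "DROP"
    if packet.dport == SSH_PORT and recent.update_entry(packet.src, packet.t, WINDOW_SECONDS):
        return "ACCEPT"
    return "DROP"


def run_trace(packets):
    """Return the list of verdicts for a packet trace, sharing one recent list."""
    recent = RecentList()
    return [evaluate(p, recent) for p in packets]


# Constructed trace: one client knocks and keeps coming back; another never knocks.
SAMPLE_TRACE = [
    Packet("203.0.113.7", SSH_PORT, 0),                     # no knock yet
    Packet("203.0.113.7", KNOCK_PORT, 10),                  # knock recorded
    Packet("203.0.113.7", SSH_PORT, 20),                    # inside the window
    Packet("198.51.100.9", SSH_PORT, 30),                   # never knocked
    Packet("203.0.113.7", SSH_PORT, 20 + 36000),            # 10 h later, refreshes
    Packet("203.0.113.7", SSH_PORT, 20 + 72000),            # 10 h after the refresh
    Packet("203.0.113.7", SSH_PORT, 20 + 72000 + 43201),    # 12 h + 1 s idle
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={p.t:>7}  {p.src:>14}:{p.dport:<5} -> {verdict}")
```

The fifth and sixth packets are the point of the exercise: because `--update` refreshes the timestamp on every accepted connection, the 12-hour limit is measured from the last SSH connection, not from the knock, so a host that connects regularly stays authorised indefinitely while an idle one drops out after 12 hours.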
Bryan K. Staggs wrote:
> I am using a remote backup software that requires passive mode. I have
> shorewall configured to allow port 21 and ports 50000-52048 from
> anywhere. My backup software is also configured for the same ports and
> everything works just fine, I just don't like having all those ports
> open.
>
> My thought is to somehow configure shorewall to dynamically open the
> required data ports based on the servers "port p" command back to the
> client and then close it when the client is done transferring files.
>
> Would something like this be possible?

Sir, your netiquette needs improvement. It is very annoying when people such as yourself hijack someone else's thread (you hijacked "Custom rule to secure SSH possible with Shorewall?") -- in your case, you didn't even bother to delete the text from the thread you hijacked!!! So thanks to you, ~900 people got another copy of a post that they had already read. Plus you top-posted!

As to your problem, is your backup software FTP-based (it sounds like it is)? If so, see http://www.shorewall.net/FTP.html. If not, then please identify the software -- there is Netfilter support for some of the popular network backup packages such as Amanda.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Let me first apologize to the list and I will ensure it does not happen again.

Tom, thanks for the reply. Yes, the software is ftp based and it is called RBS www.remote-backup.com. I will look into the link you provided and see if it will work for me.

Thanks again
Bryan Staggs

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Wednesday, August 24, 2005 8:40 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dynamic rules?
Bryan K. Staggs wrote:
> Tom, thanks for the reply. Yes, the software is ftp based and it is called
> RBS www.remote-backup.com. I will look into the link you provided and
> see if it will work for me.

Ok -- If you just allow the FTP nat/conntrack helpers to do their job, there will be no need to pre-configure a dedicated set of passive ports in FTP server(s). The helpers create the "dynamic rules" for you.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
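Tom's answer rests on what the FTP connection-tracking helper does for passive mode: it reads the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply on the control connection and registers an expectation for the one data connection that reply announces, so that connection is classified RELATED and no static range of passive ports has to be open. The following is an added example, not code from the thread, from Shorewall or from the kernel helper: a Python parser for the 227 reply plus a model of the expectation it produces and of how a NEW connection is matched against it. The addresses, the sample replies and the function names (`parse_pasv`, `expected_data_connection`, `classify_new_connection`) are constructed; the strict check that the announced address equals the server's control-connection address is this model's choice (the kernel helper's `loose` parameter governs the real behaviour).

```python
"""Model of the FTP helper's handling of a PASV reply (added example, not from the thread)."""
import re

# RFC 959 PASV reply: code 227, then six comma-separated decimal values in parentheses.
PASV_RE = re.compile(
    rb"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: bytes):
    """Return (ip, port) announced by a 227 reply, or None if it is not a valid PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None                          # octets and port bytes must fit in one byte each
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]           # p1,p2 are the high and low byte of the port
    if port == 0:
        return None
    return ip, port


def expected_data_connection(client_ip, server_ip, reply):
    """Build the helper's expectation for the data connection a 227 reply announces.

    Strict model: the announced address must be the server side of the control
    connection; a reply announcing some other host yields no expectation.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != server_ip:
        return None
    return {"src": client_ip, "dst": server_ip, "dport": port, "proto": "tcp"}


def classify_new_connection(pkt, expectations):
    """RELATED if the connection matches an outstanding expectation (consumed once), else NEW."""
    for i, exp in enumerate(expectations):
        if (pkt["src"], pkt["dst"], pkt["dport"]) == (exp["src"], exp["dst"], exp["dport"]):
            expectations.pop(i)              # one data connection per PASV reply
            return "RELATED"
    return "NEW"


# Constructed sample: client 203.0.113.5 talks to FTP server 192.0.2.10.
CLIENT = "203.0.113.5"
SERVER = "192.0.2.10"
SAMPLE_REPLY = b"227 Entering Passive Mode (192,0,2,10,195,89).\r\n"   # port 195*256+89 = 50009
OTHER_HOST_REPLY = b"227 Entering Passive Mode (198,51,100,4,195,89).\r\n"

if __name__ == "__main__":
    print("parsed:", parse_pasv(SAMPLE_REPLY))
    exps = [expected_data_connection(CLIENT, SERVER, SAMPLE_REPLY)]
    print("expectation:", exps[0])
    for src in (CLIENT, "198.51.100.9", CLIENT):
        pkt = {"src": src, "dst": SERVER, "dport": 50009, "proto": "tcp"}
        print(src, "->", classify_new_connection(pkt, exps))
```

Only the tuple the server actually announced, from the client that received it, is treated as RELATED, and only once; a second connection to the same port, or one from a different client, is an ordinary NEW connection and is judged by the static rules alone. That is the sense in which the helper "creates the dynamic rules for you".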