Hello,

I would like to drop all FTP traffic from the Internet to one server, except from:
- my fixed IP
- an ISP which I will consider as "acceptable"

Actually, my rules file mentions:

FTP/ACCEPT net fw

The ISP I want to allow has several IP ranges:

195.132.0.0-195.132.255.255
[... cut a dozen of IP ranges here ...]
89.2.0.0-89.3.255.255

(I got them from the RIPE database.)

I would like to know if this way of working is good:
- define the zone "nc" in the zones file
- define the IP ranges related to this zone in the hosts file
- use the zone in my rules file.

Is it the correct way to work?

Jerome Blion.

------------------------------------------------------------------------------
Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://www.creativitycat.com
Jérôme Blion wrote:
> Hello,
>
> I would like to drop all FTP traffic from Internet to one server, except
> from:
> - my fixed IP
> - an ISP which I will consider as "acceptable"
>
> Actually, my rules file mentions:
> FTP/ACCEPT net fw
>
> The ISP I want to allow has several IP ranges:
>
> 195.132.0.0-195.132.255.255
> [... cut a dozen of IP ranges here ...]
> 89.2.0.0-89.3.255.255
>
> (I got them from the RIPE database)
>
> I would like to know if this way to work is good:
> - define the zone "nc" in zones files
> - define IP ranges related to this zone in hosts file
> - use the zone in my rules file.
>
> Is it the correct way to work ?

In my view, any scheme that uses a packet filter like Shorewall/Netfilter to filter by ISP is wrong. Run an FTP server built with tcpwrappers (or run it under inetd) and use two entries in /etc/hosts.allow (or in the inetd config) to select the allowed hosts. I'm assuming that reverse DNS lookup can also be used to identify this ISP, right?

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:
> Jérôme Blion wrote:
>
>> Hello,
>>
>> I would like to drop all FTP traffic from Internet to one server, except
>> from:
>> - my fixed IP
>> - an ISP which I will consider as "acceptable"
>>
>> Actually, my rules file mentions:
>> FTP/ACCEPT net fw
>>
>> The ISP I want to allow has several IP ranges:
>>
>> 195.132.0.0-195.132.255.255
>> [... cut a dozen of IP ranges here ...]
>> 89.2.0.0-89.3.255.255
>>
>> (I got them from the RIPE database)
>>
>> I would like to know if this way to work is good:
>> - define the zone "nc" in zones files
>> - define IP ranges related to this zone in hosts file
>> - use the zone in my rules file.
>>
>> Is it the correct way to work ?
>>
>
> In my view, any scheme that uses a packet filter like
> Shorewall/Netfilter to filter by ISP is wrong. Run an FTP server built
> with tcpwrappers (or run it under inetd) and use two entries in
> /etc/hosts.allow (or in the inetd config) to select the allowed hosts.
> I'm assuming that reverse DNS lookup can also be used to identify this
> ISP, right?
>
> -Tom
>

Hello,

AFAIK, I think that "*.rev.numericable.fr" should match them.

I ran a test... With /etc/hosts.deny containing:

ALL: ALL

and an empty /etc/hosts.allow, I've got:

serveur:~# nmap <thehostname> -P0 -p21

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-23 11:41 CEST
Interesting ports on <thehostname> (<theIPaddress>):
PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
serveur:~# ftp <thehostname>
Connected to <thehostname>.
421 Service not available, remote server has closed connection

I will look at the inetd documentation to have something that fits my needs.

Thanks for your answer :-)

Jerome Blion.
On Fri, 2009-05-22 at 17:36 -0700, Tom Eastep wrote:
> I'm assuming that reverse DNS lookup can also be used to identify this
> ISP, right?

And could also allow anyone else to spoof themselves as being from said ISP. Personally, I would not trust an in-addr.arpa result in any way other than informative.

b.
Brian J. Murrell wrote:
> On Fri, 2009-05-22 at 17:36 -0700, Tom Eastep wrote:
>> I'm assuming that reverse DNS lookup can also be used to identify this
>> ISP, right?
>
> And could also allow anyone else to spoof themselves as being from said
> ISP. Personally, I would not trust an in-addr.arpa result in any way
> other than informative.

It's hard to know which will be the most inaccurate; in-addr.arpa or a large manually-maintained list of networks. As Brian points out, the former is likely to be over-inclusive where the latter is almost guaranteed to be under-inclusive most of the time.

Probably the best way to represent the list of networks is to use a 'nethash' ipset. Load the ipset (call it trusted) with the network addresses, then change the rule to:

FTP/ACCEPT net:+trusted,<the one trusted address> fw

The ipset needs to be loaded at boot time -- you can use /etc/shorewall/init to do that if you are careful to only create/load it when it doesn't already exist.

Of course the whole notion that users at a particular ISP are to be trusted and the rest of the world is not to be trusted is extremely questionable at the outset.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:
> Brian J. Murrell wrote:
>
>> On Fri, 2009-05-22 at 17:36 -0700, Tom Eastep wrote:
>>
>>> I'm assuming that reverse DNS lookup can also be used to identify this
>>> ISP, right?
>>>
>> And could also allow anyone else to spoof themselves as being from said
>> ISP. Personally, I would not trust an in-addr.arpa result in any way
>> other than informative.
>>
>
> It's hard to know which will be the most inaccurate; in-addr.arpa or a
> large manually-maintained list of networks. As Brian points out, the
> former is likely to be over-inclusive where the latter is almost
> guaranteed to be under-inclusive most of the time.
>
> Probably the best way to represent the list of networks is to use a
> 'nethash' ipset. Load the ipset (call it trusted) with the network
> addresses, then change the rule to:
>
> FTP/ACCEPT net:+trusted,<the one trusted address> fw
>
> The ipset needs to be loaded at boot time -- you can use
> /etc/shorewall/init to do that if you are careful to only create/load it
> when it doesn't already exist.
>
> Of course the whole notion that users at a particular ISP are to be
> trusted and the rest of the world is not to be trusted is extremely
> questionable at the outset.
>
> -Tom
>

Hi,

I'm trying to fight against credit card fraudsters. I discovered they use password sniffers to gain access to web servers to infect .html, .js and .php files.

The server on which I want to do that has been compromised by these fraudsters. They downloaded all files in the FTP jail, modified them (by a script) and uploaded the modified files to the FTP. The modified files try to redirect users to malicious web pages.

So, my goal is to restrict the FTP access to my computer and to the server's owner... I have a static IP. The other has not. So I need to find a way to allow FTP for her. It was previously open to anyone, so blocking most people is less bad than before. (I know, FTP is insecure; it's off topic.)

I think a firewall can provide me an easy way to reach a working starting point.

HTH.

Jerome Blion
Jérôme Blion wrote:
> ...
> So, my goal is to restrict the FTP access from my computer and from the
> server's owner... I have a static IP. The other has not. So I need to
> find a way to allow FTP for her. It was previously opened to anyone. So
> blocking most of people is less worst than before. (I know, FTP is
> unsecure, it's off topic)
>
> I think a firewall can provide me an easy way to reach a working start
> point.

A much better way would be to use SFTP with a public key for login and turn off passwords.

Paul