[GLLUG] Linux and ATTBI Question

Melson, Paul PMelson@sequoianet.com
Mon, 30 Sep 2002 07:13:34 -0400


You can use the mod_wrap module to get tcp_wrapper functionality for
ProFTPd (http://www.castaglia.org/proftpd/modules/mod_wrap.html).
However, there are a couple of reasons why using the kernel firewall
features is more efficient and secure.  (Though, it's worth mentioning
that there are some shortcomings of ipfwadm in the 1.3.x and 2.0.x
kernels that are addressed in later kernel firewall tools.)  Mainly,
you're not allowing the FTP server to fork in order to handle each
connection attempt.  It's much easier on the system if the kernel drops
those packets and the FTP server never has to process them.  A bug in
the code, or a system with limited resources could lead to a
denial-of-service condition against the FTP server, even if unauthorized
clients were never 'allowed' to connect.

PaulM
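The kernel-level filter Paul describes, as an added example that is not from any message in this thread: the ipfwadm rules for a 2.0 kernel beside their iptables equivalent for later kernels, so that FTP connection attempts from outside the LAN are dropped before the daemon ever has to fork. The LAN address and the `DRY_RUN` switch are assumptions of this example; the real commands need root.

```shell
#!/bin/sh
# Added example, not code from the thread.  Both functions install the same
# policy: accept TCP port 21 from the LAN, refuse it from everywhere else.
# Because the kernel discards the packets, the FTP daemon never accepts the
# connection, never forks, and never runs its own (possibly buggy) checks;
# a tcp_wrappers/mod_wrap rule, by contrast, is evaluated only after accept().

# Print the command instead of running it when DRY_RUN=1 (assumed helper).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 2.0-kernel syntax (ipfwadm), the tool David mentions.  $1 is the LAN,
# e.g. 192.168.1.0/24 (placeholder network, adjust to your own).
ftp_lan_only_ipfwadm() {
    lan="$1"
    run ipfwadm -I -a accept -P tcp -S "$lan"      -D 0.0.0.0/0 21
    run ipfwadm -I -a deny   -P tcp -S 0.0.0.0/0   -D 0.0.0.0/0 21
}

# Equivalent for the later kernel firewall tools (iptables).
ftp_lan_only_iptables() {
    lan="$1"
    run iptables -A INPUT -p tcp --dport 21 -s "$lan" -j ACCEPT
    run iptables -A INPUT -p tcp --dport 21 -j DROP
}

# Usage: DRY_RUN=1 ./ftp-lan-only.sh 192.168.1.0/24  (shows the rules only)
if [ $# -gt 0 ]; then
    ftp_lan_only_ipfwadm "$1"
    ftp_lan_only_iptables "$1"
fi
```

Rule order matters in both tools: the accept rule must precede the deny/drop rule, since the first match wins.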


-----Original Message-----
From: Brad Fears [mailto:brad@mtsdev.com]
Sent: Saturday, September 28, 2002 10:00 PM
To: David Lee Lambert
Cc: 'GLLUG Post'
Subject: RE: [GLLUG] Linux and ATTBI Question


If I'm understanding correctly, it sounds like you just need a
sophisticated FTP package that can do its own filtering by host/ip.

Check out PureFTPd.  http://www.pureftpd.org/

ProFTPd might do it too.  http://www.proftpd.org/

--Brad Fears

On Sat, 2002-09-28 at 09:39, David Lee Lambert wrote:
> On 27 Sep 2002, Brad Fears wrote:
> 
> > On Fri, 2002-09-27 at 21:00, David Lee Lambert wrote:
> > <snip>
> > > This leads to a question.  I'd like to allow FTP from the local network.
> > > I don't want to allow FTP from systems not on the local network; first,
> > > it's insecure;  second, it's a real pain to configure;  third, it's not
> > > clear that it even works through the firewall.  I can make any files I
> > > want to available by HTTP,  and people with accounts can use SCP to copy
> > > files on and off the system.
> 
> > Doesn't your router have a built-in firewall?  If so, just block off
> > access to ftp from the outside->in.  If not, get a better router.  A
> > linux machine works nicely. :)
> 
> Well,  I know I can do this,  but I want something a little more involved.
> I'd like for someone who tries to connect to get this message:
> 
> 220 ramoth FTP server ready
> 220-FTP from remote hosts is deprecated.  See our website for details.
> 
> and then be able to log in as 'anonymous' and download the 'wget' source
> code and a couple of SSH tools.  I'm running SAMBA,  but I actually have
> an XT that can only do telnet and FTP,  nothing else.
> 
> It seems like I might be able to do something with ipfwadm (I'm running a
> 2.0 kernel)... should it be possible to run an FTP server that acts
> differently on a different port?
> 
> -- 
> DLL
> http://www.cse.msu.edu/~lamber45/
> 


_______________________________________________
linux-user mailing list
linux-user@egr.msu.edu
http://www.egr.msu.edu/mailman/listinfo/linux-user