Patches only one file: linux/net/ipv4/ip_fw.c
How to apply (example for kernel 2.2.12):
cd linux/net/ipv4/
zcat location-of-patchfile/ftp-data-2.2.12.gz | patch -p0
(or, if already decompressed, use 'cat' instead of 'zcat')
Dynamic FTP-data connection rules (for the PORT command, i.e. active mode,
not for PASV: in passive mode the client opens the data connection itself,
so no incoming hole is needed and it is not that critical for security).
It is now possible to block _everything_ except for connections to port
21 on the ftp server; the necessary data connections are allowed through
'on demand', i.e. the code scans the control connection for the ftp PORT
command and creates a dynamic rule that allows exactly that data connection
in. This rule times out like masquerading rules.
How: create a chain 'ftp-data' with the command 'ipchains -N ftp-data'. You
cannot create/delete/replace rules in this chain yourself; its mere
existence is what enables the dynamic rules of this patch. If this chain
doesn't exist, no dynamic rules are created. 'ipchains -F' and 'ipchains -Z'
do work on this chain, however. That's it. Now test it: block everything
except for (remote) destination port 21. Start an ftp session and watch
'ipchains -L': a new rule in chain ftp-data automagically appears when you
issue an ftp command that needs a data connection (e.g. 'ls' or 'get').
The timeout values are built in; I chose 60 seconds once a FIN has been
seen and 180 seconds while the connection is open. You can change them in
the source of ip_fw.c, in the two lines that define the constants
IP_FW_FTPDATA_TIMEOUT (3 minutes) and IP_FW_FTPDATA_FIN_TIMEOUT (1 minute).
It's the work of two days. The code is not as ugly as I feared. The patch
looks bigger than it really is because I moved a big function
(ip_fw_check) to another location inside the file.
In the first version of the patch, packets were tested against ftp-data
rules before all others (changed later, see the user request below). Only
five values are tested: source and destination IP, source and destination
port, and protocol. Those 5 values identify exactly one connection, always
and everywhere, and the PORT command already told us we want to let it
through.
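The kernel code itself is not part of this message. As an added illustration of what the two preceding paragraphs describe (not code from the ip_fw.c patch), here is a small user-space model in C: it parses the client's PORT command, derives the five values of the expected data connection, keeps one dynamic rule with the two timeouts named above, and matches packets against it in both directions. The struct and function names, the host-order addresses, the sample hosts and the check that the PORT address equals the control connection's client address are this example's own assumptions; the text does not say whether ip_fw.c performs that last check.

```c
/* Added example: user-space model of the dynamic ftp-data rule, not the
 * ip_fw.c patch itself.  Addresses are kept in host byte order. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define IP_FW_FTPDATA_TIMEOUT     180   /* seconds while the connection is open */
#define IP_FW_FTPDATA_FIN_TIMEOUT  60   /* seconds once a FIN has been seen */

struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;                     /* 6 = TCP */
};

struct dyn_rule {
    struct tuple t;                     /* data connection, server -> client */
    long expires;                       /* absolute time in seconds */
    int in_use;
    int fin_seen;
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse "PORT h1,h2,h3,h4,p1,p2" (RFC 959). Returns 0 on success. */
int parse_port_cmd(const char *line, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    if (strncasecmp(line, "PORT ", 5) != 0)
        return -1;
    if (sscanf(line + 5, "%u,%u,%u,%u,%u,%u",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)                 /* every field is a single byte */
            return -1;
    *addr = ip4(v[0], v[1], v[2], v[3]);
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Create the dynamic rule for the data connection a PORT command announces.
 * ctl_client is the client address of the control connection. */
int ftpdata_open(struct dyn_rule *r, uint32_t ctl_client, uint32_t server,
                 const char *port_cmd, long now)
{
    uint32_t addr;
    uint16_t port;
    if (parse_port_cmd(port_cmd, &addr, &port) != 0)
        return -1;
    if (addr != ctl_client)             /* assumption: no hole for a third host */
        return -1;
    r->t.saddr = server;  r->t.sport = 20;   /* active mode: server connects from port 20 */
    r->t.daddr = addr;    r->t.dport = port;
    r->t.proto = 6;
    r->expires = now + IP_FW_FTPDATA_TIMEOUT;
    r->in_use = 1;
    r->fin_seen = 0;
    return 0;
}

/* Match a packet against the rule (either direction), refreshing the timeout
 * like a masquerading entry; after a FIN only the short timeout applies. */
int ftpdata_match(struct dyn_rule *r, const struct tuple *p, int fin, long now)
{
    if (!r->in_use)
        return 0;
    if (now >= r->expires) {            /* timed out: drop the dynamic rule */
        r->in_use = 0;
        return 0;
    }
    if (p->proto != r->t.proto)
        return 0;
    int fwd = p->saddr == r->t.saddr && p->sport == r->t.sport &&
              p->daddr == r->t.daddr && p->dport == r->t.dport;
    int rev = p->saddr == r->t.daddr && p->sport == r->t.dport &&
              p->daddr == r->t.saddr && p->dport == r->t.sport;
    if (!fwd && !rev)
        return 0;
    if (fin)
        r->fin_seen = 1;
    r->expires = now + (r->fin_seen ? IP_FW_FTPDATA_FIN_TIMEOUT
                                    : IP_FW_FTPDATA_TIMEOUT);
    return 1;
}

int main(void)
{
    struct dyn_rule r;
    uint32_t client = ip4(10, 10, 0, 5), server = ip4(10, 0, 0, 1);
    /* constructed sample: client announces 10.10.0.5, port 4*256+1 = 1025 */
    if (ftpdata_open(&r, client, server, "PORT 10,10,0,5,4,1\r\n", 1000) != 0)
        return 1;
    struct tuple data_in = { server, client, 20, 1025, 6 };
    struct tuple stray   = { server, client, 20, 1026, 6 };
    printf("data connection matched: %d\n", ftpdata_match(&r, &data_in, 0, 1010));
    printf("other port matched:      %d\n", ftpdata_match(&r, &stray, 0, 1010));
    ftpdata_match(&r, &data_in, 1, 1020);
    printf("FIN at 1020, rule expires at %ld\n", r.expires);
    printf("PORT for third host accepted: %d\n",
           ftpdata_open(&r, client, server, "PORT 10,10,0,9,4,1", 1000) == 0);
    return 0;
}
```

The five fields compared in ftpdata_match are exactly the five values the text says the patch tests; everything else about the packet (interface, flags apart from FIN, options) is deliberately ignored, which is why the rule can only ever admit the one connection the PORT command described.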
The coming netfilter code will be the clean solution, I hope, but I
need it NOW, so I wrote it.
Request from a user:
> Request: can we drop the "Packets are tested against ftp-data rules
> before all others" bit so we can call the ftp-data rule from wherever we
> want to in our rule-set (OK, I'm paranoid ;-)?
Done in this version of the patch.
Now you need a firewall rule that references ftp-data, or the incoming data
connections are not let through. In the original version of the patch the
dynamic rules in the ftp-data chain bypassed all other rules; this is no
longer the case.
No complaints so far, and I still think this subject is relevant for all
of them, but you never know...
Example of the rules I used for testing this time, for connections from the
test host (10.10.0.5) to one test ftp server (10.0.0.1)
(output as stored by the command 'ipchains-save'):
:input ACCEPT
:forward ACCEPT
:output ACCEPT
:ftp-data -
-A input -s 10.0.0.1/255.255.255.255 21:21 -d 10.10.0.5/255.255.255.255 -i eth1 -p 6 -j ACCEPT ! -y
-A input -s 10.0.0.1/255.255.255.255 20:20 -d 10.10.0.5/255.255.255.255 -i eth1 -p 6 -j ftp-data
-A input -s 10.0.0.1/255.255.255.255 -d 10.10.0.5/255.255.255.255 -i eth1 -p 6 -j REJECT
-A output -s 10.10.0.5/255.255.255.255 -d 10.0.0.1/255.255.255.255 21:21 -i eth1 -p 6 -j ACCEPT
-A output -s 10.10.0.5/255.255.255.255 -d 10.0.0.1/255.255.255.255 20:20 -i eth1 -p 6 -j ftp-data
-A output -s 10.10.0.5/255.255.255.255 -d 10.0.0.1/255.255.255.255 -i eth1 -p 6 -j REJECT
Comment: "-p 6" means TCP (IP protocol number 6), so the two REJECT rules
are TCP-only; anything else between these hosts falls through to the chain
policies, which are ACCEPT in this test set. The "! -y" on the first input
rule accepts only packets that are not pure SYNs from the server's port 21,
i.e. replies on the control connection, not new connections from the server.
--
Michael Hasenstein
mha@suse.de
http://www.suse.de/~mha/
Private Pilot (ASEL) since 1998
PS:
Thanks to Wolfgang Breyha <wbreyha@netway.at> for porting the patch
to kernel 2.2.12.
Thanks to Marcos Tadeu von Lützow <marcos@microlink.com.br> for providing
a version for kernel 2.2.14.
Just heard it (2.2.14 version) works for 2.2.16 out of the box.