Kandu.dk - Cisco ASA - ikke hul igennem til server på indersiden


/ Forside / Teknologi / Netværk / TCP/IP / Nyhedsindlæg

Glemt dit kodeord?

Brugernavn*

Kodeord *

Husk mig

Brugerservice

Kom godt i gang

Bliv medlem

Seneste indlæg

Find en bruger

Stil et spørgsmål

Skriv et tip

Fortæl en ven

Pointsystemet

Kontakt Kandu.dk

Emnevisning

Kategorier

Alfabetisk

Karriere

Interesser

Teknologi

Reklame

Top 10 brugere

TCP/IP

#	Navn	Point
1	Per.Frede..	4668
2	BjarneD	4017
3	severino	2804
4	pallebhan..	1680
5	EXTERMINA..	1525
6	xou	1455
7	strarup	1430
8	Manse9933	1419
9	o.v.n.	1400
10	Fijala	1204

Cisco ASA - ikke hul igennem til server på~
Fra : Peter $8450$

Dato : 25-03-09 10:31

Hej!

Jeg har en Cisco ASA 5505 stående som router/firewall mellem min fiber-box
fra Energi Midt og min switch. Jeg har det problem, at jeg udefra ikke kan
nå min web / ftp server. Det kører på en Synology box, og på indersiden kan
jeg fint logge på serveren på dens inderside ip (192.168.42.30). De andre
access-lists og statics til 192.168.42.51 på port 42000 har heller ingen
effekt.

Udefra kan jeg bare ikke få hul igennem, selvom jeg synes jeg har lavet de
rigtige static nat-ruter og tilsvarende access-lists der tillader
traffikken.
Når jeg hopper ind på ASDM'en og laver en packet trace, fra yderside ip'en
til 192.168.42.30 på ftp porten, siger den at pakken bliver blokeret af den
indbyggede implicitte access-list som deny'er ip-trafik fra outside til
inside - jeg forstår ikke hvorfor mine access-lists får pakken igennem :-/

Konfigurationen ser sådan her ud:

ASA Version 8.0(4)
!
hostname pbp-home
enable password *********** encrypted
passwd *********** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.42.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group EnergiMidt
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any eq ftp host
192.168.42.30 eq ftp
access-list outside_access_in extended permit tcp any eq ftp-data host
192.168.42.30 eq ftp-data
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq www host
192.168.42.30 eq www
access-list outside_access_in extended permit tcp any eq 42000 host
192.168.42.51 eq 42000
access-list outside_access_in extended permit udp any eq 42000 host
192.168.42.51 eq 42000
access-list PeterBP_splitTunnelAcl standard permit 192.168.42.0
255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.42.0
255.255.255.0 192.168.100.0 255.255.255.128
access-list vpn_split standard permit 192.168.42.0 255.255.255.0
access-list nat0 extended permit ip any 10.100.100.0 255.255.255.0
access-list nat0 extended permit ip any 10.100.101.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-pool 192.168.100.0-192.168.100.100 mask 255.255.255.0
ip local pool admin_pool 10.100.100.1-10.100.100.254 mask 255.255.255.0
ip local pool split_pool 10.100.101.1-10.100.101.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.100.100.0 255.255.255.0
static (outside,inside) tcp 192.168.42.30 ftp xxx.yyy.www.zzz ftp netmask
255.255.255.255
static (outside,inside) tcp 192.168.42.30 ftp-data xxx.yyy.www.zzz ftp-data
netmask 255.255.255.255
static (outside,inside) tcp 192.168.42.30 www xxx.yyy.www.zzz www netmask
255.255.255.255
static (outside,inside) tcp 192.168.42.51 42000 xxx.yyy.www.zzz 42000
netmask 255.255.255.255
static (outside,inside) udp 192.168.42.51 42000 xxx.yyy.www.zzz 42000
netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.42.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime
seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime
kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.42.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group EnergiMidt request dialout pppoe
vpdn group EnergiMidt localname 123456a
vpdn group EnergiMidt ppp authentication chap
vpdn username 123456a password *********
dhcpd auto_config outside
!
dhcpd address 192.168.42.100-192.168.42.130 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy PeterBP internal
group-policy PeterBP attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PeterBP_splitTunnelAcl
group-policy AnyConnectVpnGroup internal
group-policy AnyConnectVpnGroup attributes
dns-server value 217.198.208.66 194.239.134.83
vpn-tunnel-protocol svc
webvpn
svc dtls enable
svc ask enable default svc
group-policy AnyConnectVpnGroupSplit internal
group-policy AnyConnectVpnGroupSplit attributes
dns-server value 217.198.208.66 194.239.134.83
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split
webvpn
svc dtls enable
svc ask enable default svc
username peterbp password ************* encrypted privilege 0
username peterbp attributes
vpn-group-policy PeterBP
tunnel-group PeterBP type remote-access
tunnel-group PeterBP general-attributes
address-pool VPN-pool
default-group-policy PeterBP
tunnel-group PeterBP ipsec-attributes
pre-shared-key *
tunnel-group AnyConnectVpnGroup type remote-access
tunnel-group AnyConnectVpnGroup general-attributes
address-pool admin_pool
default-group-policy AnyConnectVpnGroup
tunnel-group AnyConnectVpnGroup webvpn-attributes
group-alias Admin enable
tunnel-group AnyConnectVpnGroupSplit type remote-access
tunnel-group AnyConnectVpnGroupSplit general-attributes
address-pool split_pool
default-group-policy AnyConnectVpnGroupSplit
tunnel-group AnyConnectVpnGroupSplit webvpn-attributes
group-alias Split enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d260edcbe373f402a295caa14b4e3e82
: end

--
Mvh.
Peter Bak

Robert Piil (25-03-2009)

Kommentar
Fra : Robert Piil

Dato : 25-03-09 10:56

Peter (8450) skrev:
> Hej!
>
> Jeg har en Cisco ASA 5505 stående som router/firewall mellem min
> fiber-box fra Energi Midt og min switch. Jeg har det problem, at jeg
> udefra ikke kan nå min web / ftp server. Det kører på en Synology box,
> og på indersiden kan jeg fint logge på serveren på dens inderside ip
> (192.168.42.30). De andre access-lists og statics til 192.168.42.51 på
> port 42000 har heller ingen effekt.
>
> Udefra kan jeg bare ikke få hul igennem, selvom jeg synes jeg har lavet
> de rigtige static nat-ruter og tilsvarende access-lists der tillader
> traffikken.
> Når jeg hopper ind på ASDM'en og laver en packet trace, fra yderside
> ip'en til 192.168.42.30 på ftp porten, siger den at pakken bliver
> blokeret af den indbyggede implicitte access-list som deny'er ip-trafik
> fra outside til inside - jeg forstår ikke hvorfor mine access-lists får
> pakken igennem :-/

(Jeg er ikke nogen supernetværksnørd, men har rodet med nogle af de
samme problem på en PIX for nyligt, så måske kan der være et brugbart
hint eller to)

Hvilke af dine regler får du hits på?
Hvis du sætter en deny any any log på til sidst, kan du måske se, hvad
der bliver stoppet, når du prøver?

--
Robert Piil

Asbjorn Hojmark (25-03-2009)

Kommentar
Fra : Asbjorn Hojmark

Dato : 25-03-09 18:35

On Wed, 25 Mar 2009 10:30:46 +0100, "Peter $8450$"
<usenet@vesterbro24.invalid> wrote:

> access-list outside_access_in extended permit tcp any eq ftp host
> 192.168.42.30 eq ftp

Du skal tillade trafik til yderside-adressen, ikke inderside-adressen.

-A
--
Heroes: Vint Cerf & Bob Kahn, Leonard Kleinrock, Robert Metcalfe, Jon Postel
Links : http://www.hojmark.net/
FAQ : http://www.net-faq.dk/

Peter $8450$ (25-03-2009)

Kommentar
Fra : Peter $8450$

Dato : 25-03-09 20:42

"Asbjorn Hojmark" wrote:
> Du skal tillade trafik til yderside-adressen, ikke inderside-adressen.

Doooh - det var da en tanketorsk af de helt store!
Takker (igen) for hjælpen
Men - jeg tror dog stadig der mangler en lille ting - jeg kommer i hvert
fald stadig ikke igennem til FTP serveren :-/

--
Mvh.
Peter Bak

Asbjorn Hojmark (26-03-2009)

Kommentar
Fra : Asbjorn Hojmark

Dato : 26-03-09 07:59

On Wed, 25 Mar 2009 20:41:39 +0100, "Peter $8450$"
<usenet@vesterbro24.invalid> wrote:

> Men - jeg tror dog stadig der mangler en lille ting - jeg kommer i hvert
> fald stadig ikke igennem til FTP serveren :-/

Nå ja, din static er også forkert. Det skal være (inside,outside)
outside inside og du har lavet (outside,inside) inside outside.

For outside kan du bare 'interface' i stedet for at angive en adresse.

-A
--
Heroes: Vint Cerf & Bob Kahn, Leonard Kleinrock, Robert Metcalfe, Jon Postel
Links : http://www.hojmark.net/
FAQ : http://www.net-faq.dk/

Peter $8450$ (26-03-2009)

Kommentar
Fra : Peter $8450$

Dato : 26-03-09 09:15

"Asbjorn Hojmark" wrote:
> Nå ja, din static er også forkert. Det skal være (inside,outside)
> outside inside og du har lavet (outside,inside) inside outside.

Det havde jeg faktisk også lavet til at starte med, men da det ikke ville
virke lavede jeg det om Blink

Jeg har ændret det tilbage nu.

> For outside kan du bare 'interface' i stedet for at angive en adresse.
Det VIL den faktisk have, så det har den fået Glad

Hvis jeg laver en packet trace på interface outside med source-ip angivet
til den offentlige ip jeg har på min TDC linie, og destination IP sat til
den offentlige ip jeg har på min Energi Midt linie hvor ASA'en står, så går
den hele vejen igennem (packet type TCP, source og destination port begge
ftp). Så alt burde jo være helt perfekt, men jeg har bare stadig ikke hul
igennem til ftp på min Synology box.. Sur

Man kan fint ftp til Synology boksen fra indersiden, og boksen har
selvfølgelig ASA'en som default gateway, og kan godt sende mails via Energi
Midts SMTP server, så den burde jo være fint på nettet. Men hvis trafikken
går fint igennem ASA'en, og Synology'en også virker fint.. hvor hulen er
problemet så? :-/

Kan jeg på en smart måde slå noget logging til i ASA boksen så den kun viser
mig hvad der prøver at komme ind og ud på ftp porten, og ikke alt muligt
andet skrammel som man bare bliver forvirret af?

Btw, så ser ASA'ens konfig sådan her ud nu:

ASA Version 8.0(4)
!
hostname pbp-home
enable password *************** encrypted
passwd *************** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.42.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group EnergiMidt
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq ftp host
78.156.xxx.yyy eq ftp
access-list outside_access_in extended permit tcp any eq ftp-data host
78.156.xxx.yyy eq ftp-data
access-list outside_access_in extended permit tcp any eq www host
78.156.xxx.yyy eq www
access-list outside_access_in extended permit tcp any eq 42000 host
78.156.xxx.yyy eq 42000
access-list outside_access_in extended permit udp any eq 42000 host
78.156.xxx.yyy eq 42000
access-list PeterBP_splitTunnelAcl standard permit 192.168.42.0
255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.42.0
255.255.255.0 192.168.100.0 255.255.255.128
access-list vpn_split standard permit 192.168.42.0 255.255.255.0
access-list nat0 extended permit ip any 10.100.100.0 255.255.255.0
access-list nat0 extended permit ip any 10.100.101.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-pool 192.168.100.0-192.168.100.100 mask 255.255.255.0
ip local pool admin_pool 10.100.100.1-10.100.100.254 mask 255.255.255.0
ip local pool split_pool 10.100.101.1-10.100.101.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.100.100.0 255.255.255.0
static (inside,outside) tcp interface ftp 192.168.42.30 ftp netmask
255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.42.30 ftp-data
netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.42.30 www netmask
255.255.255.255
static (inside,outside) tcp interface 42000 192.168.42.51 42000 netmask
255.255.255.255
static (inside,outside) udp interface 42000 192.168.42.51 42000 netmask
255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.42.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime
seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime
kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.42.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group EnergiMidt request dialout pppoe
vpdn group EnergiMidt localname 541106a
vpdn group EnergiMidt ppp authentication chap
vpdn username 541106a password *********
dhcpd auto_config outside
!
dhcpd address 192.168.42.100-192.168.42.130 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.239.134.10 source outside
ntp server 193.162.145.130 source outside
ntp server 193.162.159.194 source outside prefer
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy PeterBP internal
group-policy PeterBP attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PeterBP_splitTunnelAcl
group-policy AnyConnectVpnGroup internal
group-policy AnyConnectVpnGroup attributes
dns-server value 217.198.208.66 194.239.134.83
vpn-tunnel-protocol svc
webvpn
svc dtls enable
svc ask enable default svc
group-policy AnyConnectVpnGroupSplit internal
group-policy AnyConnectVpnGroupSplit attributes
dns-server value 217.198.208.66 194.239.134.83
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split
webvpn
svc dtls enable
svc ask enable default svc
username peterbp password ********** encrypted privilege 0
username peterbp attributes
vpn-group-policy PeterBP
tunnel-group PeterBP type remote-access
tunnel-group PeterBP general-attributes
address-pool VPN-pool
default-group-policy PeterBP
tunnel-group PeterBP ipsec-attributes
pre-shared-key *
tunnel-group AnyConnectVpnGroup type remote-access
tunnel-group AnyConnectVpnGroup general-attributes
address-pool admin_pool
default-group-policy AnyConnectVpnGroup
tunnel-group AnyConnectVpnGroup webvpn-attributes
group-alias Admin enable
tunnel-group AnyConnectVpnGroupSplit type remote-access
tunnel-group AnyConnectVpnGroupSplit general-attributes
address-pool split_pool
default-group-policy AnyConnectVpnGroupSplit
tunnel-group AnyConnectVpnGroupSplit webvpn-attributes
group-alias Split enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:462a594d3e4e4f25ba636731fe5f535
: end

--
Mvh.
Peter Bak

Glenn (26-03-2009)

Kommentar
Fra : Glenn

Dato : 26-03-09 19:39

Hej Peter

Jeg har indlejret kommentarer:

Peter (8450) wrote:
....

Hvorfor indskrænkes source-porten til én enkelt? I mange praktiske
tilfælde indskrænkes den ikke (det sørger en stateful firewall for - for
tcp) - kun destinationsporten indskrænkes normalt:

Kig f.eks. på:

Opening the Ports Configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open

....
> access-list outside_access_in extended permit tcp any eq ftp host
> 78.156.xxx.yyy eq ftp
> access-list outside_access_in extended permit tcp any eq ftp-data host
> 78.156.xxx.yyy eq ftp-data
> access-list outside_access_in extended permit tcp any eq www host
> 78.156.xxx.yyy eq www
> access-list outside_access_in extended permit tcp any eq 42000 host
> 78.156.xxx.yyy eq 42000
> access-list outside_access_in extended permit udp any eq 42000 host
> 78.156.xxx.yyy eq 42000
....

-

"Lidt" om FTP:

That sad old FTP thing:
http://home.nuug.no/~peter/pf/en/ftpproblem.html
Citat: "...
The short list of real life TCP ports we looked at a few moments back
contained, among other things, FTP. FTP is a sad old thing and a problem
child, emphatically so for anyone trying to combine FTP and firewalls.
FTP is an old and weird protocol, with a lot to not like. The most
common points against it, are

* Passwords are transferred in the clear
* The protocol demands the use of at least two TCP connections
(control and data) on separate ports
* When a session is established, data is communicated via ports
selected at random

All of these points make for challenges security-wise, even before
considering any potential weaknesses in client or server software which
may lead to security issues. These things have *tended* to happen.

Under any circumstances, other more modern and more secure options for
file transfer exist, such as sftp or scp, which feature both
authentication and data transfer via encrypted connections. Competent IT
professionals should have a preference for some other form of file
transfer than FTP.
...."

-

CERT® Coordination Center:
http://www.cert.org/tech_tips/ftp_port_attacks.html
Citat: "...
The site uses good security practice by separating the machines that
provide these external services from those that perform internal
services. It is important to have strong network boundaries (preferably
using firewalls)
....
Sites using dynamic packet filtering firewalls may need to take
additional steps to ensure that third-party PORT commands are blocked by
the firewall. If you need to address this problem, we encourage you to
check with your vendor to determine the steps you should take.
...."

-

Active FTP vs. Passive FTP, a Definitive Explanation:
http://www.slacksite.com/other/ftp.html

Et stykke nede:
What is the difference between Active and Passive FTP?:
http://www.scala.com/network-manager-3-faq/network-manager-3-faq-index.html
Citat: "...That's the specific problem that passive FTP is designed to
solve, however it does I believe complicate the firewall issues on the
server end..."

-

Problems with the FTP protocol:
http://www.seifried.org/security/network/20010926-ftp-protocol.html
Citat: "...
Currently vsftpd (Very Secure FTPD) is the only ftp server I know of
specifically designed with security as it's main goal.
....
Kurt: What do you think of FTP in general?
H D Moore: To be plain, FTP sucks
....
For a secure transfer protocol, I recommend scp, part of the OpenSSH
package. There are FREE windows clients available, as well as
Full-Featured GUI applications by companies like F-Secure. SCP does
incur an encryption overhead, but for most cases it is fast enough.
...."

Det er ikke kun Kurt der har denne holdning:

Firewall Configuration Prerequisites.
By Jay Beale, Lead Developer, Bastille Linux Project
(jay@bastille-linux.org), Principal Consultant JJB Security Consulting
and Training (C) 2000, Jay Beale:
http://web.archive.org/web/20070702235227/www.bastille-linux.org/jay/firewall-prereqs.html
Citat: "...
Well, there's a partial solution to this, in that you can force
everyone's clients to use "passive" mode FTP, which works like this:
....
So, this is more normal. The client is opening that second connection,
albeit to an arbitrary high (1024-65535) port on the server. *This is
better, though it now opens the server up to greater risk. See, now the
firewall on the server end has to allow all connections to high ports on
the FTP server machines*. Now, a knowledgeable admin can reduce this
port range, from 1024-65535, to something more manageable like
40,000-45,000, but this still leaves a wide port range that has to be
allowed in the server-side firewall. So, is there any hope?

Well, barring killing off FTP, there is. Stateful firewalls can watch
the data stream and understand the port negotiation. Unlike non-stateful
firewalls, which have to allow every potential port, stateful firewalls
can allow through packets destined for the specific additional data
port, at the specific "right time" in the connection.
...."

-

For firewall uden FTP-proxy (PIX/ASA-firewallene har FTP-proxy og er
stateful):

http://www.outpostfirewall.com/guide/rules/preset_rules/ftp.htm
Citat: "...
Protocol: TCP
Direction: Inbound
Local Port(s): 1024-65535
Action: Allow It

Protocol: TCP
Direction:Outbound
Remote Port(s): 1024-65535
Action: Allow It
....
But wait a minute! Doesn't this cause all kinds of problems [
*Sikkerhedsproblemer* ! ] for the server side firewall? [Dén foran
FTP-serveren]
Yes it does, but servers have away round this. Most FTP servers allow a
server administrator to specify a range of local ports [Det er en ussel
men halvgod løsning] the FTP server is allowed to open and use.
...."

PF: Issues with FTP:
http://www.openbsd.org/faq/pf/ftp.html
Citat: "...
FTP is a protocol that dates back to when the Internet was a small,
friendly collection of computers and everyone knew everyone else. At
that time the need for filtering or tight security wasn't necessary. FTP
wasn't designed for filtering, for passing through firewalls, or for
working with NAT.
....
FTP Client Behind the Firewall
As indicated earlier, FTP does not go through NAT and firewalls very well.
....
Packet Filter provides a solution for this situation by redirecting FTP
traffic through an FTP proxy server.
....
PF "Self-Protecting" an FTP Server
Packet Filter provides a solution for this situation by redirecting FTP
traffic through an FTP proxy server
....
FTP Server Protected by an External PF Firewall Running NAT
In this case, the firewall must redirect traffic to the FTP server in
addition to not blocking the required ports. In order to accomplish
this, we turn again to ftp-proxy
....
In this case, PF is running on the FTP server itself rather than a
dedicated firewall computer. When servicing a passive FTP connection,
FTP will use a randomly chosen, high TCP port for incoming data. By
default, OpenBSD's native FTP server ftpd(8) uses the range 49152 to
65535. Obviously, these must be passed through the filter rules, along
with port 21 (the FTP control port):

pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 \
keep state
...."

hilsen

Glenn

Glenn (26-03-2009)

Kommentar
Fra : Glenn

Dato : 26-03-09 21:24

Glenn wrote:
> Hej Peter
>
> Jeg har indlejret kommentarer:
>
> Peter (8450) wrote:
> ....
>
> Hvorfor indskrænkes source-porten til én enkelt? I mange praktiske
> tilfælde indskrænkes den ikke (det sørger en stateful firewall for - for
> tcp) - kun destinationsporten indskrænkes normalt:
>
> Kig f.eks. på:
>
> Opening the Ports Configuration:
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open
>
>
> ....
>> access-list outside_access_in extended permit tcp any eq ftp host
>> 78.156.xxx.yyy eq ftp
>> access-list outside_access_in extended permit tcp any eq ftp-data host
>> 78.156.xxx.yyy eq ftp-data
>> access-list outside_access_in extended permit tcp any eq www host
>> 78.156.xxx.yyy eq www
>> access-list outside_access_in extended permit tcp any eq 42000 host
>> 78.156.xxx.yyy eq 42000
>> access-list outside_access_in extended permit udp any eq 42000 host
>> 78.156.xxx.yyy eq 42000
> ....
>
....

Hej Peter

Kig også på:

PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

hilsen

Glenn

Peter $8450$ (26-03-2009)

Kommentar
Fra : Peter $8450$

Dato : 26-03-09 21:36

"Glenn" wrote:
> Kig også på:
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

Hej Glenn!

Mange tak for de mange links.. der var da lige noget læsestof jeg vil kaste
mig over i morgen eller i weekenden, og så må vi se om jeg kan få det til at
virke.

(Hvis andre har lyst til at komme med forslag til konfigurationsændringer
der kan løse problemet er de også stadig meget velkomne)

--
Mvh.
Peter Bak

Glenn (26-03-2009)

Kommentar
Fra : Glenn

Dato : 26-03-09 22:07

Peter (8450) wrote:
> "Glenn" wrote:
>> Kig også på:
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
>>
>
> Hej Glenn!
>
> Mange tak for de mange links.. der var da lige noget læsestof jeg vil
> kaste mig over i morgen eller i weekenden, og så må vi se om jeg kan få
> det til at virke.
>
> (Hvis andre har lyst til at komme med forslag til
> konfigurationsændringer der kan løse problemet er de også stadig meget
> velkomne)
>

Hej Peter

PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

Bemærk dette fra eksemplet:
Citat: "...
static (DMZ,outside) 192.168.1.5 172.16.1.5 netmask 255.255.255.255
....
[ En sikker firewall ftp opsætning er: ]
....
There is an option to use the inspect FTP strict command. This command
increases the security of protected networks by preventing a web browser
from sending embedded commands in FTP requests.

After you enable the strict option on an interface, FTP inspection
enforces this behavior:

* An FTP command must be acknowledged before the Security Appliance
allows a new command.
* The Security Appliance drops a connection that sends embedded
commands.
* The 227 and PORT commands are checked to ensure they do not
appear in an error string.
....
Unable to Run FTPS (FTP Over SSL) across ASA

FTP with TLS/SSL (SFTP / FTPS) is not supported through the Security
Appliance. FTP connection is encrypted, so there is no way that the
firewall is able to decrypt the packet. Refer to PIX/ASA: Security
Appliance FAQ for more information.
...."

Så skal du understøtte noget med sikker ftp er der sftp:

Secure FTP, FTP/SSL, SFTP, FTPS, FTP, SCP... What's the difference?:
http://www.rebex.net/secure-ftp.net/

Vil du blot udbyde filer uden krav af kodeord kan du benytte http eller
https.

Glenn

PS:

SFTP (standard over tcp/22) skal ikke forveksles med sftp som kører over
tcp/115:

September 1984, Simple File Transfer Protocol:
http://www.networksorcery.com/enp/rfc/rfc913.txt

Asbjorn Hojmark (26-03-2009)

Kommentar
Fra : Asbjorn Hojmark

Dato : 26-03-09 23:34

On Thu, 26 Mar 2009 09:14:53 +0100, "Peter $8450$"
<usenet@vesterbro24.invalid> wrote:

> access-list outside_access_in extended permit tcp any eq ftp host
> 78.156.xxx.yyy eq ftp

Det er også forkert, for du skriver, at klienten skal bruge source-
port 21/tcp (= ftp), og det gør den ikke. Fjern port-nummer fra
source.

-A
--
Heroes: Vint Cerf & Bob Kahn, Leonard Kleinrock, Robert Metcalfe, Jon Postel
Links : http://www.hojmark.net/
FAQ : http://www.net-faq.dk/

Søg

Reklame

Statistik

Spørgsmål :	177558
Tips :	31968
Nyheder :	719565
Indlæg :	6408914
Brugere :	218888

Månedens bedste

Årets bedste

Sidste års bedste