

Archive: openbsd@sikurezza.org
Subject: Re: OpenBSD and Ftp
From: Paolo Bianchi
Date: 3 Jan 2002 19:46:08 -0000
Reading the FAQ I found something related to your problem...

Issues with FTP and NAT
There are a few limitations of NAT, the most commonly encountered is with
FTP. You can use FTP in two ways: passive and active. Of these, passive FTP
is generally considered more secure.

With active FTP, when a user connects to a remote FTP server and requests
information or file, the FTP client sends the server a random port number
that the FTP server will make a connection to on the client and transfer
the info. This is a problem for users attempting to gain access to FTP
servers from within the LAN. When the FTP server sends its information it
sends it to the external NIC at a random port. The NAT machine will receive
this, but because it has no mappings for the unknown packet and doesn't have
any mappings for that port, it will drop the packet and won't deliver it.

With passive mode FTP (the default with OpenBSD ftp(1) client), the client
requests that the server picks up a random port that it will listen on for
the data connection. The server informs the client of the port it has
chosen, and the client connects to this port to transfer the data.
Unfortunately, this is not always possible or desirable. ftp(1) uses this
mode by default; to force active mode FTP, use the -A flag to ftp, or set
the passive mode to off by issuing the command

passive off

at the ftp> prompt.

Packet Filter provides another solution for this situation, redirecting FTP
traffic through an FTP proxy server, a process which acts to "guide" your
FTP traffic through the filters. The FTP proxy used by OpenBSD and PF is
ftp-proxy(8). To activate it, put something like this in your /etc/nat.conf
file:

rdr on tl0 from any to any port 21 -> 127.0.0.1 port 8081

Short explanation of this line is, "Traffic on the internal interface is
redirected to the proxy server running on this machine which is listening at
port 8081".

Hopefully, it is apparent the proxy server has to be started and running on
the OpenBSD box, this is done by inserting the following line in
/etc/inetd.conf:

8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

and either rebooting the system or sending a 'HUP' signal to inetd(8). One
way to send the 'HUP' signal is with the command:
kill -HUP `cat /var/run/inetd.pid`

You will note that ftp-proxy is listening on port 8081, the same port the
above rdr statement was sending FTP traffic to. The choice of port 8081 is
arbitrary, though 8081 is a good choice, as it is not defined for any other
application.


I hope this helps: http://www.openbsd.org/faq/faq6.html#6.3

Cheers,

Paolino
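As an added illustration of why active FTP breaks behind NAT and what an FTP proxy has to do about it (example code written for this archive page, not the FAQ's text or OpenBSD's ftp-proxy code; the sample PORT command, the 227 reply, the addresses and the proxy port 40000 are constructed):

```python
import ipaddress
import re
from typing import Tuple

# Constructed sample control-channel messages (not from the original post).
# The client sits behind the NAT box with an RFC 1918 address.
ACTIVE_PORT_CMD = "PORT 192,168,1,10,4,210"
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)."

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT and 227 (RFC 959)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:  # a proxy should refuse to open a well-known port on request
        raise ValueError("data port below 1024")
    return host, port


def format_hostport(host: str, port: int) -> str:
    """Inverse of parse_hostport: dotted address and port back to the tuple."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def data_connection_reachable(port_cmd: str) -> bool:
    """Active mode fails through NAT because the client announces its private
    address inside the PORT command; the server's data connection to that
    address is not routable, so it arrives at the NAT box unmapped and is dropped."""
    host, _ = parse_hostport(port_cmd)
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in _RFC1918)


def rewrite_port_command(port_cmd: str, proxy_ip: str, proxy_port: int):
    """What an FTP proxy does with an active-mode PORT: tell the server to
    connect to the proxy's own address and port, and remember the inside
    address/port to forward that data connection to. Returns (new command, inside)."""
    inside = parse_hostport(port_cmd)
    return f"PORT {format_hostport(proxy_ip, proxy_port)}", inside
```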




________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List




(c) 1999-2005