Bifrost Network Project


FWTK ftp-gw

Ftp is one of a number of protocols which are almost impossible to filter well. Passive ftp is the only alternative for outbound traffic, and normal ftp for inbound traffic (it all depends on the protocol design and on how port numbers are allocated and used). Problems appear when one needs to connect to ftp servers without support for passive ftp, uses clients without support for passive ftp, or connects between two networks whose filters allow only outbound passive ftp and not normal ftp.

The only way out is to use a proxy for ftp and continue to filter the other protocols as usual. Outbound ftp is filtered out and is only allowed to the inside of the Bifrost machine, which will use an ftp proxy to retransmit packets to the outside. Incoming traffic to internal ftp servers can continue to be opened for normal ftp, but not for passive ftp (which would open up the internal net a bit too much).
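Why a filter that only lets inside hosts open connections can pass passive ftp but not normal ftp is shown by the added example below (it is not part of the original page or of FWTK). It decodes the data-channel address from a PORT command and from a 227 reply and reports which side opens the data connection; all addresses and the function names are constructed for the illustration.

```python
import re

# Constructed sample addresses: one inside client, one outside server.
INSIDE_NET = "10.0.10."
CLIENT, SERVER = "10.0.10.5", "192.0.2.10"

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply
TUPLE = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def parse_endpoint(line):
    """Decode the address tuple into (ip, port); port = p1 * 256 + p2."""
    m = TUPLE.search(line)
    if not m:
        raise ValueError("no address tuple in %r" % line)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def data_connection(line, client=CLIENT, server=SERVER):
    """Return (initiator, destination_ip, destination_port) of the data channel."""
    ip, port = parse_endpoint(line)
    if line.upper().startswith("PORT "):
        return server, ip, port   # normal ftp: the server connects back to the client
    if line.startswith("227 "):
        return client, ip, port   # passive ftp: the client connects to the server
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def outbound_only_filter_allows(line):
    """Model of a filter that only lets inside hosts open connections outward."""
    initiator, dest_ip, _ = data_connection(line)
    return initiator.startswith(INSIDE_NET) and not dest_ip.startswith(INSIDE_NET)

if __name__ == "__main__":
    for line in ("PORT 10,0,10,5,19,137",
                 "227 Entering Passive Mode (192,0,2,10,195,80)"):
        print(line, "->", data_connection(line), outbound_only_filter_allows(line))
```

The data port is negotiated inside the control channel, so a filter that does not read the ftp dialogue cannot know in advance which port to open; the proxy does, because it terminates the control connection itself.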

FWTK's ftp-gw works fine as an ftp proxy. The only problem is the license, which prohibits us from redistributing the binaries and source. Anyone who wishes to use ftp-gw must retrieve FWTK and compile ftp-gw themselves.

To download FWTK one must send an e-mail with the following content:

To: fwtk-request@tislabs.com
Subject:

accepted

It must only contain the word accepted and be directed to the address fwtk-request@tislabs.com. The reply will contain the temporary location of fwtk2.1.tar.Z. Unpack the source code and do the following:

cp Makefile.config.linux Makefile.config
make

The compilation only has to go as far as creating libauth.a, libfwall.a and ftp-gw. Copy ftp-gw into the Bifrost distribution under /usr/etc. Yet another useful proxy is the all-purpose plug-gw, which will redirect packets to a predefined destination.

ftp-gw supports incoming normal and passive ftp, but will itself connect to the destination using normal ftp only. Examples of how to use the proxy (WS-FTP and similar clients can also be used):

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
% ncftp -u ftp@ftp.sunet.se fw.domain.se
NcFTP 3.0.0 beta 14 (June 25, 1998) by Mike Gleason.
Connecting to 10.10.10.1...                                                     
Password for user "ftp@ftp.sunet.se" at 10.0.10.1: <password>

Logging in...                                                                   

             Swedish University Network SUNET
                   Archive ftp.sunet.se
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

or:

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
% ftp fw.domain.se
Connected to fw.domain.se.
220 
Name (fw.domain.se:user): ftp@ftp.sunet.se
331-(----GATEWAY CONNECTED TO ftp.sunet.se----)
331-(220 ftp2.sunet.se FTP server (Version wu-2.4.2-sunet-jh[B18-VR10](1) Tue Nov 3 15:12:30 MET 1998) ready.)
331 Guest login ok, send your complete e-mail address as password.
Password: <password>
230-
230-             Swedish University Network SUNET
230-                   Archive ftp.sunet.se
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Tom Johans <Tom.Johans@_NO_SPAM_data.slu.se>
Last modified: Fri Mar 8 16:39:02 2002