jails, aliasing, router, and dmz?
I was wondering,
I want to set up an ftpd. My FreeBSD computer is behind a router and I don't really know enough about firewalls to set one up properly, although I'm starting to read up on pf lately and hopefully before too long understand it better. I have jails set up finally and am running httpd on one, and an ftpd on another. My host is pretty much not running any open connections anymore (besides ssh) now that I know how to jail them. How much of a security risk is it, and is it even possible, to have the IP of the ftpd set in the DMZ on my router? I'm running pure-ftpd and want to know exactly how much of a risk that is. That is the only open connection on that jail. I don't even have ssh running in it. I'm just learning now so please bear with me. Thanks.

It's possible, but security is always a debatable topic... the real question is, why do you want to "dmz" the "jail" if it's only running an ftpd?
Only tcp ports 20 and 21 need to be forwarded.

Well, I don't know how crazy this is, but I'm not running it on port 21. I'm running it on a much higher port and in passive mode. It seems to use a lot of data ports. I don't really know wtf I'm doing so it may be easier to solve this problem than I think. As it sits, I have "LOTS" of data ports forwarded to that IP along with the data ports being regulated by the ftpd itself.

What you're looking for is ftp-proxy(8).
I agree, ftp is a horrible protocol... active mode causes problems with NAT, and passive mode causes problems with firewalls.

ftp uses 2 separate connections.
Since my house move I don't have access to a FBSD box, but in OpenBSD the ports suggested by the ftp server for passive ftp channels are set by the following sysctls:
Code:
    net.inet.ip.portfirst=1024
    net.inet.ip.portlast=49151
    net.inet.ip.porthifirst=49152
    net.inet.ip.porthilast=65535
ftp-proxy needs to run on a dedicated pf firewall with 2 NICs. It can neither run on an ftp client box, nor on an ftp server box.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Thanks for the replies. I've been reading on this the last two days and this is all why I'm looking to put the ftpd in the DMZ. I just wonder how this can compromise the security of the rest of the box.

> this is all why I'm looking to put the ftpd in the DMZ. I just wonder how this can compromise the security of the rest of the box.
Looks like you are not clear about DMZ. See: http://en.wikipedia.org/wiki/Demilit...one_(computing)

http://en.wikipedia.org/wiki/Demilit...ne_(computing) Your link failed so I put it here. I am clear about DMZ (sort of). In theory it would be optimal to have a separate server in the DMZ running the different services (www, ftpd, etc). Well, since I only have one computer with the possibility of running these services, I placed the services in jails which act as the outside computers. What I don't understand is, with a jail being placed in this DMZ, how secure are the jails themselves as far as the host is concerned? Is it difficult to secure your main host computer from these jails in case they do get compromised? That is more what I don't understand.
Last edited by neurosis; 22nd August 2008 at 06:06 PM.

I guess the first questions are, how is anyone going to know the IP of the ftp jail and are you the only one that is using ftp?

Quote:
I use it for transferring files for work. There are only a few people that use the ftpd. This isn't a necessary solution for me and the reason I set it up is mostly for learning purposes. Same as the httpd that I set up. It's not needed, but I'm trying to give myself a simple education in networking and security.

Quote:
I understand what you're saying and with my limited knowledge I'm trying to make myself understand this as best that I can. I wondered about what you were saying when I started all of this, since I knew that I was using one computer (there are actually three computers on my LAN) to run FreeBSD with the two jails set up, one running httpd, and one running ftpd. They are indeed part of my internal network. I have been port forwarding the necessary ports to the jails and pretty much have only one port forwarded to the FreeBSD host itself and "NO" ports forwarded to the rest of the network. One thing that the router does allow me to do is put the IP of the jail running the ftpd in the DMZ. This is where the confusion started for me and where I may be getting myself confused. Once I put that jail's IP in the DMZ on the router, I was able to port scan my external IP from my work computer and it showed that the ftpd port was open. I took that IP out of the DMZ immediately until I could get a better understanding of how all of this worked together.

Okay, I see where you are now. May I make a suggestion? Let's harden the server first ..... http://www.daemonforums.org/showthread.php?t=118
In that thread there is a link to http://www.bsdguides.org/guides/free...ity/harden.php And, Lockdown http://www.freebsd.org/cgi/ports.cgi...down&stype=all

Quote:
Last edited by ephemera; 22nd August 2008 at 08:29 PM.

That's what I do now. I forward the port that the ftpd is listening on, which is not port 21, but I also have to forward a data port range and it sometimes causes problems for some ftp clients.
Thanks also hunter. I've been reading a few of those threads already. They are very informative.

And if you go the scp/sftp route, you can stick that service in a jail and give the user(s) scponly shells if you'd like.
Avoid ftp unless you legitimately require it. (There are still uses for it... like download mirrors.)
__________________
Kill your t.v.

Ok, not to start this thread over, but I finally have a PC to run "outside" of my router. This will be a test in patience for me for sure. I'm going to set up two or three jails on this PC and only allow connections to this PC inside of the jails. I will be attempting to set up a gateway with a firewall that works basically like a router, allowing only solicited traffic to and from my Linksys router but also limiting connections to this PC with the firewall. This should be fun. My biggest curve will be getting the PC set up as a gateway and getting port forwarding set up (very few ports) without locking my other computers out of the net. Setting up a gateway sounds like it should be easy? My first question on this: would it be easiest to set up dhcpd to assign the router an IP address? Is there a better way? Most write-ups I find use dhcpd, but with only one router connecting through the FreeBSD firewall/gateway it doesn't seem necessary to set up dhcpd? I am also finding that the write-ups explain different ways to get the same results and the routing is leaving me a bit confused. Some seem to use natd:
Code:
    ifconfig_(WAN nic)="DHCP"                                   (assuming your ISP provides you with a dynamic IP address)
    ifconfig_(LAN nic)="inet XXX.XXX.X.XXX netmask 255.255.255.0"   (I used 192.168.1.1)
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_script="/etc/rc.nat"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="(WAN nic)"
    natd_flags="-dynamic"
Code:
    The NAT

    Next we want to set up Network Address Translation for other devices on our internal network. NAT allows many internal clients to share one internet address. To do this, we need to add some more lines to /etc/rc.conf:

        gateway_enable="YES"
        ipnat_enable="YES"
        ipnat_program="/sbin/ipnat"
        ipnat_rules="/etc/ipnat.rules"
        ipnat_flags=""

    Pretty much like the firewall stuff, but this time the rules are in /etc/ipnat.rules. NAT is really easy to set up. We want to allow anything on 172.16.0.0/16 to use the internet, so our rule is:

        map dc0 172.16.0.0/16 -> dc0/32 portmap tcp/udp auto
        map dc0 172.16.0.0/16 -> dc0/32 proxy port ftp ftp/tcp

    The first line maps internet access outbound on dc0 to appear from "dc0/32", which is shorthand for "the IP address currently associated with the interface dc0". The second line will proxy outbound ftp access. This is necessary if you don't want to have to use passive ftp all the time because the ftp protocol sucks. To get ipnat up and running, do:

        # /etc/rc.d/routing start
        # /etc/rc.d/ipnat start

    At this point, any client on the 172.16.0.0 network which has a netmask of 255.255.0.0 or stricter and 172.16.3.200 as its router should be able to access the internet, with its packets being "mapped" by the NAT setup on the firewall machine.
Code:
    If we look at the routing table for RouterA we would see something like the following:

        % netstat -nr
        Routing tables

        Internet:
        Destination        Gateway            Flags    Refs      Use  Netif Expire
        default            10.0.0.1           UGS         0    49378    xl0
        127.0.0.1          127.0.0.1          UH          0        6    lo0
        10.0.0/24          link#1             UC          0        0    xl0
        192.168.1/24       link#2             UC          0        0    xl1

    With the current routing table RouterA will not be able to reach our Internal Net 2. It does not have a route for 192.168.2.0/24. One way to alleviate this is to manually add the route. The following command would add the Internal Net 2 network to RouterA's routing table using 192.168.1.2 as the next hop:

        # route add -net 192.168.2.0/24 192.168.1.2

    Now RouterA can reach any hosts on the 192.168.2.0/24 network.

    32.2.5.2 Persistent Configuration

    The above example is perfect for configuring a static route on a running system. However, one problem is that the routing information will not persist if you reboot your FreeBSD machine. The way to handle the addition of a static route is to put it in your /etc/rc.conf file:

        # Add Internal Net 2 as a static route
        static_routes="internalnet2"
        route_internalnet2="-net 192.168.2.0/24 192.168.1.2"

    The static_routes configuration variable is a list of strings separated by a space. Each string references a route name. In our above example we only have one string in static_routes. This string is internalnet2. We then add a configuration variable called route_internalnet2 where we put all of the configuration parameters we would give to the route(8) command. For our example above we would have used the command:

        # route add -net 192.168.2.0/24 192.168.1.2

    so we need "-net 192.168.2.0/24 192.168.1.2". As said above, we can have more than one string in static_routes. This allows us to create multiple static routes. The following lines show an example of adding static routes for the 192.168.0.0/24 and 192.168.1.0/24 networks on an imaginary router:

        static_routes="net1 net2"
        route_net1="-net 192.168.0.0/24 192.168.0.1"
        route_net2="-net 192.168.1.0/24 192.168.1.1"
Should I post this question in another area of the forum or start a new thread on it, since it's not 100% related to the original question?
Last edited by neurosis; 7th November 2008 at 09:26 PM.
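An added example, not from this thread or the FreeBSD Handbook, of the pf side of what the earlier posts describe (pinning pure-ftpd's passive range to a small window so only that window and the listening port are redirected to the jail, and the gateway/NAT setup asked about in the last post). The interface names, the jail address 192.168.1.10, and the ports 2121 and 50000-50100 are assumed values; the ruleset uses the nat/rdr syntax of the pf version FreeBSD 7 shipped with, and assumes pure-ftpd.conf carries a matching "PassivePortRange 50000 50100".

```pf
# /etc/pf.conf on the FreeBSD gateway (assumed interface names and addresses)
ext_if   = "xl0"              # WAN NIC, address from the ISP
int_if   = "xl1"              # LAN NIC, 192.168.1.1/24, the Linksys sits behind it
lan      = "192.168.1.0/24"
ftp_jail = "192.168.1.10"     # alias address of the jail running pure-ftpd
ftp_ctl  = "2121"             # pure-ftpd listening port (not 21)
ftp_pasv = "50000:50100"      # must equal PassivePortRange 50000 50100 in pure-ftpd.conf

set skip on lo0
scrub in all

# Outbound NAT: the LAN and the jails share the WAN address.
nat on $ext_if from $lan to any -> ($ext_if)

# Redirect only the control port and the pinned passive window to the jail;
# nothing else on the WAN side reaches the jail, so no router "DMZ" is needed.
rdr on $ext_if proto tcp from any to ($ext_if) port $ftp_ctl  -> $ftp_jail
rdr on $ext_if proto tcp from any to ($ext_if) port $ftp_pasv -> $ftp_jail

# Default deny inbound; log drops so "tcpdump -n -e -ttt -i pflog0" shows what
# is being blocked while debugging the ruleset.
block in log all

# Traffic the gateway itself originates may leave on any interface.
pass out keep state

# LAN hosts (including the jail's replies, which match the states created
# below) may go anywhere; states are floating, so the same state passes the
# packet on the other interface.
pass in on $int_if from $lan to any keep state

# The redirected FTP connections: filtering happens after translation, so the
# destination seen here is the jail address, not the WAN address.
pass in on $ext_if proto tcp from any to $ftp_jail \
    port { $ftp_ctl, $ftp_pasv } flags S/SA keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; with the jail's passive range pinned this way the long list of forwarded data ports mentioned earlier collapses to the two rdr lines.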