A couple of good points have been made which I thought I'd summarise.
Firstly, my original table was unclear -- by in/out bound I should
have clearly indicated that I meant directionality in the sense of connection
origination. That is 'inbound >1023 -> 20' means, allow someone on the
outside to create a connection to the inside, from ports >1023 to port 20.
Secondly, the 'normal' approach does imply that the FTP server needs
to have root privilege available to it to bind to port 20 to originate the
data connection. I had not thought of this and was, as is my
packet-filtering-centric habit, thinking mostly in terms of port-range
exposure.
Thirdly, I have ignored everything except the data connection,
since (as far as I know) this is where the differences here lie, everything
else is the same.
So, I think, the summary looks something like:
- PASV is good for the client, since the client controls the
connections (originates both control & data connections), but at a cost
of increased port-range exposure. It's less good for the server due to
port-range exposures, but does not require rootly servers, and the server
is pretty well hanging out there in the breeze anyways, what's a little
more exposure.
- Normal is good for everyone in terms of port exposure, but requires
that the client admit inbound connections, and requires the server to have
root privileges.
- Normal/modified (same as normal, but server originates from
non-privileged port, not port 20) is the same as Normal, but with
increased port range exposure, and no rootness on the server.
In selecting an FTP server model, one needs (apparently) to trade
off:
- root privileges in the daemon
- port range exposures to the outside
- port range exposure between the FTP server and your internal net
If you can't filter between the server and your internal net, on
source port, I think you pretty much have to go with the modified model
that does not use port 20. If you can, the tradeoff seems to be between
root privilege and port-range exposure. I haven't quite worked out where
stateful filters/firewalls that snoop PORT commands go, but they probably
make the port-range exposure differences go away, I think.
My apologies to those readers who have found my thinking out loud
tedious. I hope that at least some readers have been trying to work out
just what the issues here are as well and have found the conversation
and my ramblings somewhat better than useless.
Andrew
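The trade-offs summarised above, as an added example that is not part of the original post: a small model of the stateless data-connection filter rules each FTP mode requires on the client and server side, used to count port-range exposure and to check whether the server must bind port 20 (i.e. needs root). The rule sets and the helper names are my construction, following the post's definition that "inbound" means a connection originated from the outside toward the inside.

```python
# Added example (not from the original post): model the stateless
# packet-filter rules each FTP data-connection model requires and
# compare their port-range exposure. Control connections to port 21
# are omitted, as in the post.
from dataclasses import dataclass

HIGH = range(1024, 65536)      # unprivileged ports (>1023)
FTP_DATA = range(20, 21)       # port 20 only
ANY = range(1, 65536)


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" (outside -> inside) or "outbound"
    src: range       # source port range of the connection originator
    dst: range       # destination port range on the listener


# Data-connection rules per model, as seen by the client's filter and
# the server's filter respectively (constructed to match the summary).
MODELS = {
    "pasv":     {"client": [Rule("outbound", HIGH, HIGH)],
                 "server": [Rule("inbound", HIGH, HIGH)]},
    "normal":   {"client": [Rule("inbound", FTP_DATA, HIGH)],
                 "server": [Rule("outbound", FTP_DATA, HIGH)]},
    "modified": {"client": [Rule("inbound", HIGH, HIGH)],
                 "server": [Rule("outbound", HIGH, HIGH)]},
}


def needs_root(model: str) -> bool:
    """The server must bind port 20 to originate data connections."""
    return any(r.direction == "outbound" and r.src == FTP_DATA
               for r in MODELS[model]["server"])


def permits(model: str, side: str, direction: str, src: int, dst: int) -> bool:
    """Would this side's stateless filter pass a new connection?"""
    return any(direction == r.direction and src in r.src and dst in r.dst
               for r in MODELS[model][side])


def exposed_ports(model: str, side: str) -> int:
    """Number of local ports an outsider could open a connection to."""
    ports = set()
    for r in MODELS[model][side]:
        if r.direction == "inbound":
            ports.update(r.dst)
    return len(ports)
```

Note that in the "normal" model the client filter admits any inbound connection whose source port is 20, which is why the post says you must be able to filter on source port between the server and the internal net.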