diff --git a/docs/FTP.xml b/docs/FTP.xml index 15c4d0a65..b7491fdcb 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -294,6 +294,131 @@ xt_tcpudp 3328 0 /etc/shorewall/shorewall.conf to point to that directory. +
+ FTP with Kernel 3.5 and Later + + Because of the potential for attackers to subvert Netfilter helpers + like the one for FTP, the Netfilter team are in the process of eliminating + the automatic association of helpers to connections. In the 3.5 kernel, it + is possible to disable this automatic association, and the team have + announced that automatic association will eventually be eliminated. While + it is certainly more secure to add explicit rules that create these + associations, for Shorewall to require users to add those rules would + present a gross inconvenience during a Shorewall upgrade. To make + Shorewall and kernel upgrades as smooth as possible, several new features + were added to the Shorewall 4.5.7: + + + + Shorewall automatically disables the kernel's automatic + association of helpers to connections on kernel 3.5 and later. + + + + An automatic association of helpers with connections that + performs the same function as in the pre-3.5 kernels has been added. + This automatic association is controlled by the AUTOHELPERS + shorewall.conf option which is set to 'Yes' by default. + + + + A HELPERS column has been added to the /etc/shorewall/rules In + the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the + specified helper is automatically associated with the + connection. + + + + HELPERS may be specified in action files, macros and in the + rules file itself. In the RELATED section: The rule will only match + related connections that have the named helper attached. - The + standard Macros for applications requiring a helper (FTP, IRC, etc) + have been modified to automatically specify the correct helper in the + HELPER column. + + + + HELPER is now a valid action in /etc/shorewall/rules. This + action requires that a helper be present in the HELPER column and + causes the specified helper to be associated with connections matching + the rule. No destination zone should be specified in HELPER rules. 
+ HELPER rules allow specification of a helper for connections that are + ACCEPTed by the applicable policy. + + Example (loc->net policy is ACCEPT) - In + /etc/shorewall/rules: + + #ACTION SOURCE DEST +FTP(HELPER) loc - + + or equivalently + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +HELPER loc - tcp 21 { helper=ftp } + + + + The set of enabled helpers (either by AUTOHELPERS=Yes or by the + HELPERS column) can be taylored using the new HELPERS option in + shorewall.conf. + + + + By making AUTOHELPERS=Yes the default, users can upgrade their + systems to a 3.5+ kernel without disrupting the operation of their + firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and + follow one of two strategies: + + + + Use the HELPERS column in the rules file to enable helpers as + needed (preferred); or + + + + Taylor the conntrack file to enable helpers on only those + connections that are required. + + + + With either of these approaches, the list if available helpers can + be trimmed using the HELPERS option and rules can be added to the RELATED + section of the rules file to further restrict the effect of helpers. The + implementation of these new function places conditional rules in the + /etc/shorewall[6]/conntrack file. These rules are included conditionally + based in the setting of AUTOHELPERS. + + Example: + + #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH +# PORT(S) PORT(S) GROUP +?if $AUTOHELPERS && __CT_TARGET +?if __FTP_HELPER +CT:helper:ftp all - tcp 21 +?endif +... +?endif + + __FTP_HELPER evaluates to false if the HELPERS setting is non-empty + and 'ftp' is not listed in that setting. For example, if you only need FTP + access from your 'loc' zone, then add this rule outside of the outer-most + ?if....?endif shown above. + + #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH +# PORT(S) PORT(S) GROUP +... 
+CT:helper:ftp loc - tcp 21 + + For an overview of Netfilter Helpers and Shorewall's support for + dealing with them, see http://www.shorewall.net/Helpers.html. + + See https://home.regit.org/netfilter-en/secure-use-of-helpers/ + for additional information. +
+
FTP on Non-standard Ports
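Review bot: the new rules-file column is named inconsistently within this hunk: the bullet that introduces it says "A HELPERS column has been added to the /etc/shorewall/rules", the next bullet says "specify the correct helper in the HELPER column", the later strategy list says "Use the HELPERS column in the rules file", and the HELPER action bullet says "a helper be present in the HELPER column". Pick one name for the column (the worked example `HELPER loc - tcp 21 { helper=ftp }` and the `HELPER` action suggest HELPER, with HELPERS reserved for the shorewall.conf option) and use it throughout, otherwise readers will confuse the per-rule column with the global option that trims the set of enabled helpers. Several typos and grammar slips should also be fixed before this ships: "taylored" and "Taylor" should read "tailored"/"Tailor" (two occurrences); "the list if available helpers" should be "the list of available helpers"; "these new function places" should be "these new functions place"; "based in the setting of AUTOHELPERS" should be "based on the setting of AUTOHELPERS"; "we suggest setting AUTOHELPERS=No and follow one of two strategies" should be "and following one of two strategies"; the sentence "A HELPERS column has been added to the /etc/shorewall/rules In the NEW section:" is missing "file." before "In"; and the stray " - " before "The standard Macros for applications requiring a helper" looks like a leftover list marker that should be dropped. Finally, since the text itself motivates the change with the risk of attackers subverting helpers, it would help to state in the AUTOHELPERS paragraph that the Yes default reproduces the pre-3.5 automatic association (and therefore its exposure), so that the recommendation to move to AUTOHELPERS=No after the upgrade reads as a security hardening step rather than an optional tidy-up.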