[Proftpd-user] Relaxed AllowForeignAddress option
Dmitry Katsubo
2017-04-15 00:59:28 UTC
Dear ProFTPd users,

I have come across a problem when ProFTPd is configured to use a given address (say, 77.10.11.12) for masquerading, to be able to serve external users in passive mode, while rejecting users from the internal network with the message:

SECURITY VIOLATION: Passive connection from 77.10.11.12 rejected

Actually, in my network setup local users are able to send packets to the external IP address, which are looped back by NAT. However, ProFTPd considers this a security violation, for good reason. On the other hand, I cannot apply the solution from [1] using e.g. <VirtualHost 10.0.0.5>, as the server running ProFTPd is different from the NAT/gateway and does not own the external address 77.10.11.12. So the only way out (except forcing the clients to use active connections) is to use

AllowForeignAddress on

In this respect I would like to suggest introducing extra option values:

AllowForeignAddress off # All unmatched connections are rejected
AllowForeignAddress relaxed # Data connections from the same IP as control connection + from masqueraded IP are accepted
AllowForeignAddress strict # Only data connections from the same IP as control connection are accepted

Maybe from a security perspective the difference between relaxed and strict is minimal... any considerations are welcome. Thanks!

[1] http://www.proftpd.org/docs/howto/NAT.html
--
With best regards,
Dmitry
Matus UHLAR - fantomas
2017-04-19 09:43:42 UTC
Post by Dmitry Katsubo
I have come across the problem when ProFTPd is configured to use given
address (say, 77.10.11.12) for masquerading to be able to serve external
users in passive mode, while rejecting users from internal network with
SECURITY VIOLATION: Passive connection from 77.10.11.12 rejected
Actually, in my network setup local users are able to set packages to
external IP address, which are looped back by NAT. However ProFTPd
considers this a security violation for good reason. On the other side I
cannot apply the solution from [1] using e.g. <VirtualHost 10.0.0.5>, as
the server which is running ProFTPd is different from NAT/gateway and it
doesn't own the external address 77.10.11.12. So the only way out (except
forcing the clients to use active connection) is to use
AllowForeignAddress on
AllowForeignAddress off # All unmatched connections are rejected
this does already exist
Post by Dmitry Katsubo
AllowForeignAddress relaxed # Data connections from the same IP as control connection + from masqueraded IP are accepted
can't your NAT device translate the data connections as well?
It should be able to do so.
Post by Dmitry Katsubo
AllowForeignAddress strict # Only data connections from the same IP as control connection are accepted
this is the same as "AllowForeignAddress off"
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
Dmitry Katsubo
2017-04-20 22:30:28 UTC
Post by Matus UHLAR - fantomas
Post by Dmitry Katsubo
AllowForeignAddress relaxed # Data connections from the same IP as control connection + from masqueraded IP are accepted
can't your NAT device translate also data connections?
It should be able to do so.
Thanks for the reply.

I am not sure how it could be implemented. In short, the Internet gateway (= NAT) will use its own internal address, which will not match the client's anyway. Example:

* Client with IP address 10.0.0.5 sends a request to 77.10.11.12:21. The default route is via the NAT with IP address 10.0.0.1.
* The NAT translates the destination address to the FTP server (10.0.0.100); however, it will also translate the source address, so the FTP server will see that the request comes from 10.0.0.1 (instead of 10.0.0.5), which will trigger the mismatch.

Similar explanation: https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html
Post by Matus UHLAR - fantomas
Post by Dmitry Katsubo
AllowForeignAddress strict # Only data connections from the same IP as control connection are accepted
this is the same as "AllowForeignAddress off"
Two of the three options repeat existing functionality. "off" could be an alias for "strict".

Another alternative is to introduce a list of "whitelist" IP addresses; this could be helpful when one FTP server indeed sends the data to another FTP server while being orchestrated by some client. For example:

AllowForeignAddress 10.0.0.1,10.0.0.2,192.168.1.0/24
--
With best regards,
Dmitry
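The acceptance rule debated above (existing "on"/"off", proposed "relaxed"/"strict", and the whitelist variant) can be stated as a small decision function. The following is an added illustration, not ProFTPD's code and not something the list participants posted: it models the check the server performs when a passive data connection arrives and its source address is compared with the control connection's peer. The mode names and the `format_rejection` helper are assumptions made for the example; the log message text is the one quoted in the thread.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed model of the AllowForeignAddress decision (not ProFTPD source).
# control_ip   : peer address of the FTP control connection
# data_ip      : source address of the incoming passive data connection
# masquerade_ip: the address advertised to clients via MasqueradeAddress
# whitelist    : addresses/networks trusted as data-connection sources
def data_connection_allowed(mode: str,
                            control_ip: str,
                            data_ip: str,
                            masquerade_ip: Optional[str] = None,
                            whitelist: Iterable[str] = ()) -> bool:
    control = ipaddress.ip_address(control_ip)
    data = ipaddress.ip_address(data_ip)

    # A data connection from the same peer as the control connection is
    # accepted under every mode; this is the normal, non-NAT case.
    if data == control:
        return True

    if mode == "on":
        # Existing permissive setting: any foreign source is accepted.
        return True
    if mode in ("off", "strict"):
        # Existing default; "strict" from the proposal behaves identically,
        # which is the point Matus makes in the thread.
        return False
    if mode == "relaxed":
        # Proposed: additionally accept the masqueraded address, because
        # internal clients reaching the public address get NAT-looped.
        return (masquerade_ip is not None
                and data == ipaddress.ip_address(masquerade_ip))
    if mode == "whitelist":
        # Proposed alternative: explicit list of hosts or CIDR networks.
        return any(data in ipaddress.ip_network(net, strict=False)
                   for net in whitelist)
    raise ValueError(f"unknown AllowForeignAddress mode: {mode!r}")


# Reproduce the log line the thread quotes when a connection is refused.
def format_rejection(data_ip: str) -> str:
    return f"SECURITY VIOLATION: Passive connection from {data_ip} rejected"


if __name__ == "__main__":
    # Constructed scenario from the thread: internal client 10.0.0.5 talks to
    # the public address 77.10.11.12, the NAT loops the data connection back.
    for mode in ("off", "relaxed", "strict"):
        ok = data_connection_allowed(mode, "10.0.0.5", "77.10.11.12",
                                     masquerade_ip="77.10.11.12")
        print(mode, "->", "accepted" if ok else format_rejection("77.10.11.12"))
```

The model makes the thread's conclusion visible: "strict" never differs from "off", and "relaxed" only widens the check by one address, the masqueraded one, so the residual exposure is limited to data connections arriving from that single address.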
Matus UHLAR - fantomas
2017-04-21 15:54:46 UTC
Post by Dmitry Katsubo
Post by Matus UHLAR - fantomas
Post by Dmitry Katsubo
AllowForeignAddress relaxed # Data connections from the same IP as control connection + from masqueraded IP are accepted
can't your NAT device translate also data connections?
It should be able to do so.
Thanks for the reply.
* Client with IP address 10.0.0.5 sends request to 77.10.11.12:21. Default route is via NAT with IP address 10.0.0.1.
* NAT translates the destination address to FTP server (10.0.0.100) however it will also translate the source address, so FTP server will see that the request comes from 10.0.0.1 (instead of 10.0.0.5) and will trigger the mismatch.
the NAT gateway should translate all PASV/EPSV/PORT/EPRT commands, so the
connections will go through the NAT gateway. Both client and server will
communicate with the IP of the gateway (not with each other), so no mismatch
will happen.


if you are unable to fix the NAT gateway, it should be possible to work
around your problem by defining a class for your internal network:
http://www.proftpd.org/docs/howto/Classes.html

and by allowing foreign address to your internal network by using
mod_ifsession and <IfClass> directive.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Dmitry Katsubo
2017-04-22 19:50:43 UTC
Post by Matus UHLAR - fantomas
Post by Dmitry Katsubo
Thanks for the reply.
I am not sure how it could be implemented. In two words, Internet gateway
(= NAT) will use its own internal address, which will not match the
* Client with IP address 10.0.0.5 sends request to 77.10.11.12:21. Default
route is via NAT with IP address 10.0.0.1.
* NAT translates the destination address to FTP server (10.0.0.100) however
it will also translate the source address, so FTP server will see that the
request comes from 10.0.0.1 (instead of 10.0.0.5) and will trigger the
mismatch.
the NAT gateway should translate all PASV/EPSV/PORT/EPRT commands, so the
connections will go through the NAT gateway. Both client and server will
communicate with IP of the gateway (not with each other), so no mismatch
will happen.
I understand the idea. It is possible on Linux [1]; however, my NAT does not
support "active" modification of e.g. the PASV command. Moreover, I am using
secured FTP (FTPS), which naturally does not allow this kind of trick.
Post by Matus UHLAR - fantomas
if you are unable to fix the NAT gateway, it should be possible to work
http://www.proftpd.org/docs/howto/Classes.html
and by allowing foreign address to your internal network by using
mod_ifsession and <IfClass> directive.
Thanks! That is the most elegant solution. Pity it is missing in [2], otherwise I
would have explored it. I have applied the configuration below and it seems to work
fine at first glance:

MasqueradeAddress 77.10.11.12

<IfModule mod_ifsession.c>
  <Class internal>
    From 10.0.0.0/8
  </Class>

  <IfClass internal>
    MasqueradeAddress 10.0.0.100
  </IfClass>
</IfModule>


[1] http://www.shorewall.net/FTP.html#Conntrack
[2] http://www.proftpd.org/docs/howto/NAT.html
--
With best regards,
Dmitry
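What the <Class>/<IfClass> configuration above achieves is a per-client choice of the address the server advertises in its PASV reply: internal clients are told the server's real address 10.0.0.100, everyone else the public 77.10.11.12, so no client ever receives an address whose data connection would be NAT-looped and rejected. The following is an added model of that selection, not ProFTPD's code and not part of the thread; the class and address tables are taken from the configuration posted above, the external client address 203.0.113.9 and the data port are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed mirror of the posted ProFTPD configuration (not ProFTPD source):
#   MasqueradeAddress 77.10.11.12            -> DEFAULT_MASQUERADE
#   <Class internal> From 10.0.0.0/8         -> CLASSES
#   <IfClass internal> MasqueradeAddress ... -> CLASS_MASQUERADE
DEFAULT_MASQUERADE = "77.10.11.12"
CLASSES: Dict[str, List[str]] = {"internal": ["10.0.0.0/8"]}
CLASS_MASQUERADE: Dict[str, str] = {"internal": "10.0.0.100"}


def client_class(client_ip: str,
                 classes: Dict[str, List[str]] = CLASSES) -> Optional[str]:
    """Return the name of the first class whose From rules match client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for name, networks in classes.items():
        if any(addr in ipaddress.ip_network(net, strict=False) for net in networks):
            return name
    return None  # no class matched: global settings apply


def masquerade_for(client_ip: str) -> str:
    """Address advertised to this client, honouring the <IfClass> override."""
    cls = client_class(client_ip)
    return CLASS_MASQUERADE.get(cls, DEFAULT_MASQUERADE) if cls else DEFAULT_MASQUERADE


def pasv_reply(client_ip: str, data_port: int) -> str:
    """Build the RFC 959 '227' reply: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    if not 0 < data_port < 65536:
        raise ValueError("data port out of range")
    host_octets = masquerade_for(client_ip).replace(".", ",")
    return f"227 Entering Passive Mode ({host_octets},{data_port // 256},{data_port % 256})"


if __name__ == "__main__":
    # Internal client (matches <Class internal>) vs. a constructed external client.
    for client in ("10.0.0.5", "203.0.113.9"):
        print(client, "->", pasv_reply(client, 50000))
```

Because the selection is keyed on the control connection's source address, it works with FTPS too: nothing in the encrypted PASV exchange has to be rewritten by the gateway, which is exactly the limitation Dmitry ran into with his NAT.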
TJ Saunders
2017-04-26 02:28:30 UTC
Post by Dmitry Katsubo
Post by Matus UHLAR - fantomas
if you are unable to fix the NAT gateway, it should be possible to work
http://www.proftpd.org/docs/howto/Classes.html
and by allowing foreign address to your internal network by using
mod_ifsession and <IfClass> directive.
Thanks! That is the most elegant solution. Pity it is missing in [2] otherwise I
would have explored it. I have applied below configuration and it seems to work
MasqueradeAddress 77.10.11.12
<IfModule mod_ifsession.c>
<Class internal>
From 10.0.0.0/8
</Class>
<IfClass internal>
MasqueradeAddress 10.0.0.100
</IfClass>
</IfModule>
[1] http://www.shorewall.net/FTP.html#Conntrack
[2] http://www.proftpd.org/docs/howto/NAT.html
The above is indeed the solution I was going to suggest: using Classes
and mod_ifsession.

And I have now updated the NAT howto to include this as an example:

http://www.proftpd.org/docs/howto/NAT.html#UsingClasses

Cheers,
TJ
