jgaz n00b
Joined: 14 Feb 2021 Posts: 42
Posted: Sun Jun 04, 2023 6:46 pm Post subject: Gentoo, inetutils, netkit, and net-tools question
While writing the Gentoo wiki article on FTP, I noticed Gentoo lacked ftpd anywhere in portage. This got me digging through old copies of Slackware until I found it was part of inetutils. My darned ADHD kicked in and I started digging through the package list and noticed that there was a lot of overlap between what the still-maintained inetutils provides and what the (possibly orphaned upstream) netkit package and the much less frequently released net-tools provide. Is there a reason why Gentoo lacks an inetutils package? Would it be an especially difficult (or foolhardy) task to add it?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Mon Jun 05, 2023 9:01 am Post subject:
Ftpd denotes an FTP daemon or server.
Gentoo has plenty:
Code:
    * net-ftp/proftpd
    Available versions: 1.3.8^t (~)1.3.8-r1^t {acl authfile ban +caps case clamav copy ctrls deflate diskuse dso dynmasq exec ident ifsession ifversion ipv6 kerberos ldap log-forensic memcache msg mysql ncurses nls pam +pcre postgres qos radius ratio readme rewrite selinux sftp shaper sitemisc snmp sodium softquota sqlite ssl tcpd test unique-id vroot}
    Homepage: http://www.proftpd.org/ http://www.castaglia.org/proftpd/ https://github.com/jbenden/mod_clamav http://gssmod.sourceforge.net/
    Description: An advanced and very configurable FTP server
    * net-ftp/pure-ftpd
    Available versions: 1.0.51-r2 **9999*l {anondel anonperm anonren anonres caps implicittls ldap mysql noiplog pam paranoidmsg postgres resolveids selinux ssl sysquota vchroot xinetd}
    Homepage: https://www.pureftpd.org/project/pure-ftpd/
    Description: Fast, production-quality, standard-conformant FTP server
    * net-ftp/uftpd
    Available versions: (~)2.15-r1^t {test}
    Homepage: https://github.com/troglobit/uftpd
    Description: The no nonsense TFTP/FTP server
    [I] net-ftp/vsftpd
    Available versions: 3.0.5-r1 {pam ssl tcpd}
    Installed versions: 3.0.5-r1(01:04:35 PM 05/19/2022)(pam ssl -tcpd)
    Homepage: https://security.appspot.com/vsftpd.html
    Description: Very Secure FTP Daemon

Just use vsftpd.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4249 Location: Bavaria
Posted: Mon Jun 05, 2023 10:09 am Post subject:
jgaz,
I have seen you have updated your wiki article: https://wiki.gentoo.org/wiki/FTP with firewall rules. Maybe it would be more secure if you work with connection tracking; and then you would need:
Code:
    CONFIG_NF_CONNTRACK_FTP
    [...]
    Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y]
(Just an idea; thanks for all your work in our Wiki!)
sam_ Developer
Joined: 14 Aug 2020 Posts: 1685
Posted: Mon Jun 05, 2023 10:14 am Post subject:
I do plan on adding inetutils, but I'd appreciate a PR if you want to do it.
jgaz n00b
Joined: 14 Feb 2021 Posts: 42
Posted: Wed Jun 07, 2023 11:58 pm Post subject:
pietinger wrote:
    jgaz,
    I have seen you have updated your wiki article: https://wiki.gentoo.org/wiki/FTP with firewall rules. Maybe it would be more secure if you work with connection tracking; and then you would need:
    Code:
        CONFIG_NF_CONNTRACK_FTP
        [...]
        Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y]
    (Just an idea; thanks for all your work in our Wiki!)

I updated the firewall rules section to something that should be correct. It does use conntrack for Passive mode. I've read a lot of old docs that say --sport 1024: --dport 1024: is correct, as that's where the ephemeral port range used to be. I would expect that to be --sport 32768: --dport 32768: these days. I'm not sure if I should update the firewall rules to reflect that, or if that's touchy because it might work on some clients and break others. Do you have any insight?
Also, what is the location of the configuration file you're mentioning? I don't touch firewall rules on the OS all that often — most of that is done at the switch level these days.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4249 Location: Bavaria
Posted: Thu Jun 08, 2023 11:56 am Post subject:
jgaz,
here is the solution if you work with NF_CONNTRACK_FTP. If you have NF_CONNTRACK_FTP enabled in your kernel configuration you can do:
Code:
    iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
You don't need the last line (OUTPUT) if you don't want to filter outgoing traffic (then you allow ALL outgoing). INSTEAD of the first rule you can also do (but it's deprecated):
Code:
    sysctl net.netfilter.nf_conntrack_helper=1
I have two great links (which explain it better than I could):
http://slacksite.com/other/ftp.html
https://home.regit.org/netfilter-en/secure-use-of-helpers/
P.S.: If you use nftables this link tells you all you need:
https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers
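The reason the conntrack FTP helper is needed at all (and why a fixed --sport/--dport range from the earlier post is a poor substitute) is that the server announces the data port inside the control connection. The following is an added example, not code from this thread or from the kernel: it parses the 227/229 passive-mode replies the helper watches for and decides whether a RELATED data connection should be allowed. The address check mirrors the helper's strict behaviour (it ignores a reply whose address differs from the packet's source unless its loose option is set); the port-range check and the default range 32768-60999 are assumptions of this example, not something the kernel helper enforces.

```python
import ipaddress
import re

# Passive-mode replies the conntrack FTP helper parses (RFC 959 / RFC 2428):
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)      -> port = p1*256 + p2
#   229 Entering Extended Passive Mode (|||port|)       -> same host as control connection
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line):
    """Return (host, port) advertised by a 227 or 229 reply, or None if it does not parse.
    For 229 the host is None, meaning 'the address the control connection came from'."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None  # octets and port bytes must fit in 8 bits
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (None, port) if 0 < port <= 65535 else None
    return None


def data_connection_expectation(line, server_ip, ephemeral_range=(32768, 60999)):
    """Decide whether a firewall should open a RELATED data connection for this reply.
    Returns (host, port) to allow, or None to refuse. The address must be the server's own
    (strict helper behaviour); the port must lie in ephemeral_range (assumption of this
    example, defaulting to the usual Linux ip_local_port_range)."""
    parsed = parse_passive_reply(line)
    if parsed is None:
        return None
    host, port = parsed
    if host is not None and ipaddress.ip_address(host) != ipaddress.ip_address(server_ip):
        return None  # reply tries to point the data connection at another host
    lo, hi = ephemeral_range
    if not lo <= port <= hi:
        return None  # e.g. a privileged port such as 80 announced as a data port
    return server_ip, port


if __name__ == "__main__":
    # Constructed sample replies, as a server at 192.168.1.10 might send them.
    for reply in ("227 Entering Passive Mode (192,168,1,10,195,80)",
                  "227 Entering Passive Mode (10,0,0,99,195,80)",
                  "229 Entering Extended Passive Mode (|||40001|)"):
        print(reply, "->", data_connection_expectation(reply, "192.168.1.10"))
```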