FTP - allowing only certin ip's/subnets

[fds09w4jih4r]

Since we require an anonymous config for our FTP client. This presents security issues of course. Is there some way to allow only certain IP's or IP ranges to access the FTP port?

 

[Samuel Tai]

See http://www.proftpd.org/docs/directives/linked/config_ref_Allow.html. In the FTP service's Auxiliary parameters, you could specify:

Code:

<Limit LOGIN>
  Order allow,deny
  Allow from 128.44.26.,128.44.26.,myhost.mydomain.edu,.trusted-domain.org
  Deny from all
</Limit>

 

[Tigersharke]

Similarly, any firewall device should make it relatively easy to limit access via its own configurations. If it were me, I would do both.

 

[fds09w4jih4r]

Similarly, any firewall device should make it relatively easy to limit access via its own configurations. If it were me, I would do both.

That's, not an option here.. The goal here is to restrict to the lab machines and not expose the machine to the wider corp network..

 

[fds09w4jih4r]

See http://www.proftpd.org/docs/directives/linked/config_ref_Allow.html. In the FTP service's Auxiliary parameters, you could specify:

Code:

<Limit LOGIN>
  Order allow,deny
  Allow from 128.44.26.,128.44.26.,myhost.mydomain.edu,.trusted-domain.org
  Deny from all
</Limit>

Does this survive system reboots? service restarts? Possibly not, but I can utilize it none the less..

 

[Fredda]

That's, not an option here.. The goal here is to restrict to the lab machines and not expose the machine to the wider corp network..

Why not? Depends a little bit what you understand when talking about firewall. You could use the included packetfilter.
Assuming your LAB machines are in the 192.168.1.1/24 range:

Code:

ipfw -q add 1000 allow ip from 192.168.1.1/24 to any 21 in
ipfw -q add 1002 deny ip from any to any 21 in

Untested. Use at your own risk. This won't survive a reboot but you can but it in a postinit script in the tasks section.

 

[Samuel Tai]

Does this survive system reboots? service restarts? Possibly not, but I can utilize it none the less..

Yes to both, as adding this via the GUI means this setting is saved in the FreeNAS database.

 

[fds09w4jih4r]

Yes to both, as adding this via the GUI means this setting is saved in the FreeNAS database.

This doesn't really work.. Since when you paste the correct line in, you do see it show up in the ./etc/local/proftpd.conf fine.. Then when you restart the service its still there.. But the same rule, allowing everything is already higher up in the file and likely this we are putting isn't taking effect... It would be good to know where the proftp is pulling its new settings from upon a restart of the service...

 

[Samuel Tai]

OK, looking at the proftpd.conf, it also mentions mod_wrap. Try setting hosts.allow and hosts.deny per http://www.proftpd.org/docs/contrib/mod_wrap2_file.html. Remove the previous Auxiliary Parameters.