BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Securing Small Networks with OpenBSD Downloading Files from Behind the Firewall
(and Educating Your Users How To Do It)

by Jacek Artymiak
12/19/2002

So you've raised your firewall high and wide in order to keep nasties away from your users. You walk proud and smile to yourself thinking that you are doing a great job protecting your users. But suddenly your users are not happy. Why? They complain that many download links they used to transfer software or documents, especially via FTP, don't work anymore. Something's wrong with the network. Could you fix it? Pronto!

What's wrong? Why some of the downloads are working while others are not? Well, it is true that the problem lies in the firewall configuration that prevents the FTP server from establishing a connection to the client machine, and you could fix it in about 15 minutes by installing FTP proxy. But that adds yet another piece of software to configure and watch for bugs and updates. You may not want to do it thinking (quite rightly) that adding yet another link to the overall security chain adds to its complexity, which is turn lowers the level of protection of your network. Also, the proxy will not solve all problems with tricky downloads, and your users will still be blaming you even though it's not your fault.

Instead of messing with your firewall configuration, try a different approach. Educate users how to download files using better tools than web browsers. You could organize tutorial sessions for them, but if you are short of time, you can just as well create a support page that explains this in detail. You do have an internal web server for publishing announcements and other internal publications, don't you? This article should be enough to get you going. If you are really too busy to write such tutorials yourself, you can always link to this article.

Also in Securing Small Networks with OpenBSD:

Changes in pf: Packet Filtering

Changes in pf: More on NAT

NAT with pf

Patching OpenBSD

TRUSTSECURE 2002 Report

Command-line Utilities

If your users are not afraid of the command line, you could teach them how to download files using ftp, wget, or curl. All of these tools are either installed with the system or available at no charge. But, most importantly, all of these tools are far more powerful than any GUI application.

My own experience shows that by far the easiest command-line application that downloads files which are impossible to download using a web browser is curl. The reason for this is quite simple; in its default configuration, curl works in passive mode which does not conflict with firewalls. Therefore, if you want to have peace of mind, and not keep on answering user's questions, show them how to use this tool. And teaching someone to use it is very easy. All a user needs to do is open the terminal window, type curl -LO, paste the URL to the file (copied by right-clicking or Ctrl-clicking and choosing "Copy Link to Clipboard"), and hit Return.

Mac OS X users are the administrator's dream in that respect, because the system comes with curl pre-installed. All they need to do is start the Terminal application (Macintosh HD:Applications:Utilities), type curl and paste the link to the file they want to retrieve, like this:

[localhost:~] mox% curl -LO
ftp://ftp.foo.bar/pub/macosx/p01.hqx

The -L option tells curl to follow links when the original link does not point directly to the file and the -O option instructs curl to save the downloaded file under the same name it has on the remote server.

Users of Linux or *BSD systems can install cURL using an appropriate package manager, and users of Microsoft Windows can get cURL binaries from the project's home page.

Another favorite is wget, whose main application is mirroring web sites. It can be just as well used to download single files. Using wget is similar to using curl: type wget, paste the link to the file, and hit Return:

$ wget http://www.foo.bar/files/macosx/p01.hqx

Care must be taken when downloading files from ftp servers. In such cases, your users must add the --passive-ftp option, as in:

$ wget --passive-ftp ftp://ftp.foo.bar/pub/macosx/p01.hqx

The wget utility is available for all operating systems, and users of Linux or *BSD systems can install it using an appropriate package manager. Users of Microsoft Windows can get wget binaries from this page.

If your users like the standard ftp command, you only need to tell them to use the passive command:

$ ftp
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> open ftp.ora.com
Connected to ftp.ora.com.
220 ProFTPD 1.2.5 Server (O'Reilly FTP Server) [tornado.east.ora.com]
Name (ftp.ora.com:mox): 
... 

GUI Options

If you're blessed (or cursed?) with managing users who do not want to learn command-line tools, you can always let them install a download manager and an FTP utility. Make sure you point them to one of each from your intranet support page. (If you give users more choice, you will be busy supporting several programs: you do not want that.) Create a simple tutorial page that teaches them how to configure such software -- use screenshots -- and how to set FTP into passive mode. I recommend that you tell people to install a good FTP client alongside a download manager, because FTP clients are more flexible. For example, users can browse local and remotes filesystem, and can upload files, which is not possible with download managers.

Don't forget about licensing. If your budget is low, try freeware solutions, otherwise check if there are shareware solutions available whose authors offers reasonable site licenses (always less expensive than multiple single-user licenses).

You can learn more about FTP and why your firewall interferes with it from TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens and from RFC 959.

Until next time...



Sponsored by: