Peter's Blog

Redefining the Impossible



I had to rebuild the company FTP server since the power supply in the old box failed and made the motherboard unreliable: I couldn't reinstall Linux on it without hitting many disk errors. Eventually we bought a new FTP box and I put the server version of Ubuntu 7.10 on it.

This FTP box is used to exchange files with clients, so it is set up with two network cards and firewalled so that people can only FTP into it and not do anything else. I tried some simplistic firewalling using iptables directly, but it proved unreliable: sometimes there were mysterious long delays when trying to connect to the FTP server.

I decided to try Shorewall to implement a proper firewall. It is essentially a set of macros that converts rules written in plain text files into a large set of iptables definitions. I installed it with

sudo aptitude install shorewall

copied the two-interface example files from /usr/share/doc/shorewall/examples/two-interfaces to /etc/shorewall, tweaked a couple of lines in the 'rules' file and was away. It was surprisingly easy, and it is easy enough to allow access to new servers on the box. For example, allowing everyone to access the FTP server was as simple as:

FTP/ACCEPT      net             $FW
FTP/ACCEPT      loc             $FW

where 'net' means 'anyone on the internet', 'loc' means 'anyone on the intranet', and $FW is the firewall box itself, so these rules let them into the firewall and nowhere else.
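As an added example (not from this post or the Shorewall project), here is a POSIX shell script that stages the four files such an FTP-only, two-interface box needs (zones, interfaces, policy, rules) into a scratch directory and sanity-checks the rules file before anything is copied to /etc/shorewall. It assumes eth0 faces the internet (zone net), eth1 faces the LAN (zone loc), and the column layouts used by Shorewall 3.x/4.x; the staging directory, the policy entries and the interface options are my choices, not the sample files' exact contents.

```shell
#!/bin/sh
# Stage a minimal Shorewall two-interface configuration for an FTP-only box
# and sanity-check the rules file before it goes anywhere near /etc/shorewall.
# Added example, not from the blog post or the Shorewall project. Assumptions:
# eth0 = internet side (zone net), eth1 = LAN side (zone loc), and the
# zones/interfaces/policy/rules layouts used by Shorewall 3.x/4.x.

write_config() {
    dir=$1
    mkdir -p "$dir"

    # zones: 'fw' is the box itself (written as $FW in rules); the rest are networks
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: these options are where the smurf/martian protections come from
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
EOF

    # policy: deny by default and log what is dropped; the box itself may talk out
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
net     all     DROP    info
loc     all     DROP    info
all     all     REJECT  info
EOF

    # rules: the only holes in the policy are FTP from either side into the box.
    # FTP/ACCEPT is a Shorewall macro: tcp/21 plus the kernel FTP conntrack
    # helper, which is what lets passive-mode data connections through.
    cat > "$dir/rules" <<'EOF'
#ACTION     SOURCE  DEST    PROTO   DEST PORT
FTP/ACCEPT  net     $FW
FTP/ACCEPT  loc     $FW
EOF
}

# Reject any rule whose SOURCE or DEST names a zone not declared in 'zones'.
# Shorewall would refuse such a file itself, but catching it while staging
# means a typo never reaches a running firewall.
check_rules() {
    dir=$1
    zones=$(awk '!/^#/ && NF >= 2 { printf "%s ", $1 }' "$dir/zones")
    zones="$zones all"                  # 'all' is a valid pseudo-zone in rules
    status=0
    while read -r action src dst rest; do
        case "$action" in ''|'#'*|'?'*) continue ;; esac   # blank, comment, ?SECTION
        for z in "$src" "$dst"; do
            z=${z%%:*}                  # strip a host qualifier such as net:192.0.2.0/24
            case "$z" in '$FW') z=fw ;; esac
            case " $zones " in
                *" $z "*) ;;
                *) echo "rules: unknown zone '$z' in: $action $src $dst" >&2; status=1 ;;
            esac
        done
    done < "$dir/rules"
    return $status
}

main() {
    dir=$1
    write_config "$dir"
    if check_rules "$dir"; then
        echo "staged Shorewall config in $dir; rules reference only declared zones"
    else
        echo "staged config has errors; not copying to /etc/shorewall" >&2
        return 1
    fi
}

main "${STAGE_DIR:-$(mktemp -d)}"
```

Run it with STAGE_DIR set to a scratch path, inspect the four files, copy them to /etc/shorewall, then run `shorewall check` before `shorewall start` so a bad file is rejected before the live rules change. The Debian/Ubuntu package of that era also ships with startup disabled in /etc/default/shorewall until you enable it.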

Shorewall works by programming up 240 lines' worth of clever iptables rules, including protections against smurf attacks, martian packets and so on. After doing this, connecting to the FTP server was incredibly fast; it seemed to be up before I'd let go of the mouse button, even using Internet Explorer (as most non-techies do). I always thought IE was just poor at FTP, but it seems that not enough people are firewalling their FTP sites nicely.


Filed under: firewall ftp shorewall ubuntu