
Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 12/09/2004 Mike Mestnik wrote:
> > > sorry, but why do I need to firewall a client. I'm talking about my
> > > ftp server, and this one has installed a firewall. I don't get the
> > > point.
> > 
> > I'm not sure, but I'm fairly certain ONLY clients will be properly
> > handled with the current code.  It doesn't really matter that you
> > want server IF I'm right and only clients are supported.
> 
> you mean, that currently only connections from ftp clients are allowed
> on my individual ftp ports? but why should an ftp server connect to
> another ftp server? if it would, it would use an ftp client, correct?
> 
What I mean is that, even though you're not using NAT, source-based FTP is
supported.  This means only your firewall will be able to be the client.  I
know this seems backwards, but look at it from a network admin's POV and not
from a system admin's.

I don't think NF will open ports for an FTP server, though it's very hard
to see that some code is not there.  Normally (for a client) a PORT cmd
would mean that I'd be looking to receive a connection on that port, so NF
opens an incoming port.  This will not WORK if you're the server and you
need an outgoing one!

To fix this you will NEED to know how your FTP server works internally.
Some FTP servers will use port 20 as a source port, though this has been
deprecated.  For others there is a file in proc that says what
unbound ports will be set to, for the source port on outgoing and the
dest port on incoming.  You then need to let all --state NEW pkts from
these ports through; this will let active (PORT) FTP work.  You can just let
all NEW pkts get ACCEPTed in OUTPUT.  Next you will *need* to, for PASV FTP,
let all of these default unbound ports INto your firewall.

* This (PASV) is needed for many stateless FWs!!

> or do you mean, if my local ftp clients connect on those ports to remote
> ftp servers, the data is dropped?
> 
> I don't get your point.
> 
> > I guess the question is, are the ports being opened correctly for pasv
> > and port based connections on your servers?
> 
> the machine where I try to configure the firewall is my server. so the
> question is whether the configuration I use, and pasted often here,
> opens the ports for ftp connections (active and passive), or whether
> it doesn't.
> 
This is not documented AFAIK, as I've been asking for these kinds of docs
for a long time.  So YMMV.  From looking at the code I'd say you have to do
it as though there were no FTP helper mod.  Also keep in mind that
MANY (read: all) NAT setups will only be able to use PASV FTP to your
non-21 FTP servers.

> bye
>  jonas
> 
> 

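The rule set the reply above sketches (control port in, PASV range in, ephemeral-sourced NEW packets out, replies both ways), written out as an added example that is not part of the thread and not anyone's posted configuration. It reads the ephemeral range from the /proc file the post refers to (`/proc/sys/net/ipv4/ip_local_port_range`), falls back to a constructed default elsewhere, and only echoes the `iptables` commands so they can be checked before being applied; the function name `ftp_server_rules`, the `IPT` and `FTP_PORT` variables and the optional PASV range arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: print the iptables rules an FTP *server*
# needs when the FTP conntrack helper cannot be relied on (the situation the
# post describes). Rules are echoed, not applied, so they can be reviewed;
# run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Kernel's ephemeral ("unbound") port range as "low high", from the /proc
# file the post mentions. A constructed default is used where it is absent.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"    # constructed fallback (typical Linux default)
    fi
}

# Return 0 if $1 is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ftp_server_rules CONTROL_PORT LOW HIGH [PASV_LOW PASV_HIGH]
#   CONTROL_PORT   port the daemon listens on (21, or a non-21 port)
#   LOW HIGH       ephemeral range the daemon's outgoing (active) data
#                  connections are sourced from
#   PASV_LOW/HIGH  range the daemon hands out in PASV replies; defaults to
#                  LOW HIGH, narrow it if the daemon is configured tighter
ftp_server_rules() {
    fsr_ctl="$1"; fsr_low="$2"; fsr_high="$3"
    fsr_plow="${4:-$2}"; fsr_phigh="${5:-$3}"
    for p in "$fsr_ctl" "$fsr_low" "$fsr_high" "$fsr_plow" "$fsr_phigh"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    [ "$fsr_low" -le "$fsr_high" ] && [ "$fsr_plow" -le "$fsr_phigh" ] \
        || { echo "range low must not exceed high" >&2; return 1; }

    # Control channel: new connections to the listening port.
    $IPT -A INPUT -p tcp --dport "$fsr_ctl" -m state --state NEW -j ACCEPT
    # Passive data: clients connect *in* to a port from the PASV range.
    $IPT -A INPUT -p tcp --dport "${fsr_plow}:${fsr_phigh}" -m state --state NEW -j ACCEPT
    # Active data: the server connects *out* to the client's PORT address,
    # sourced from the ephemeral range (or legacy port 20).
    $IPT -A OUTPUT -p tcp --sport "${fsr_low}:${fsr_high}" -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT
    # Replies on every accepted connection, both directions.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone run: rules for a daemon on port 21 using the kernel's range.
set -- $(ephemeral_range)
ftp_server_rules "${FTP_PORT:-21}" "$1" "$2"
```

The rules assume INPUT and OUTPUT chains whose policy is DROP, so the ACCEPT lines are what opens anything; with `-A` they are appended, so they must come before any catch-all reject rule already in the chain. Opening the whole ephemeral range inbound is exactly the cost the post calls out for PASV on a stateless setup, which is why the function takes a separate, narrower PASV range when the daemon lets you configure one.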