
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 12/09/2004 Mike Mestnik wrote:
> What I mean is that, even though you're not using NAT, source-based FTP is
> supported.  This means only your firewall will be able to be the client.  I
> know this seems backwards, but look at it from a network admin's POV and not
> from a system admin's.
> 
> I don't think NF will open ports for an FTP server, though it's very hard
> to see that some code is not there.  Normally (for a client) a PORT cmd
> would mean that I'd be looking to receive a connection on that port, so NF
> opens an incoming port.  This will not WORK if you're the server and you
> need an outgoing one!
> 
> To fix this you will NEED to know how your FTP server works internally. 
> Some FTP servers will use port 20 as a source port, though this has been
> deprecated.  For others there is a file in proc that says what
> unbound ports will be set to, for the source port on outgoing and the
> dest port on incoming.  You then need to let all --state NEW pkts from
> these ports through; this will let active (PORT) FTP work.  You can just let all
> NEW pkts get ACCEPTed in OUTPUT.  Next you will *need to, for PASV FTP,
> let all of these default unbound ports INto your firewall.
> 
> * This (PASV) is needed for many stateless FWs!!

So what you mean is that FTP uses another port for data and other connections?
I use proftpd as FTP server, and I read that proftpd uses port L-1 as
source port, where L is the data port of the server.

This would require opening ports 209, 214, 219, 224 and 229 as well,
correct? Then the easiest way would be to add them to my iptables rules,
am I right?

What I'm wondering about: does firehol do this for port 20 with its
complex ftp service?

Also I have to tell you that it works quite well currently, so why does
it do so if the source port isn't open? Or does this only matter for
clients sitting behind a firewall?

I didn't get what you wanted to say about passive FTP; I thought that it
doesn't require the source port, but uses only the default data port.

bye
 jonas
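The rule set the two messages above are circling around, written out as an added example (not code from the thread, firehol or proftpd): for every control port L the server's active-mode data connection leaves from source port L-1, so OUTPUT needs a NEW rule for that source port, while passive mode needs the server's unbound port range (assumed here to be 49152-65534, the range you would set with ProFTPD's PassivePorts) accepted in INPUT. With the kernel's FTP conntrack helper loaded for the same control ports, the data connection is matched as RELATED in both modes and the explicit rules only serve as a fallback. The script prints the rules by default; set IPT=iptables to apply them.

```sh
#!/bin/sh
# Added example: generate iptables rules for an FTP server listening on
# several control ports, following the thread's reasoning about active and
# passive mode.  Assumptions: ProFTPD uses control port minus one as the
# active-mode source port (as stated in the thread), and the passive range
# below is the one configured in the server (constructed value).
IPT="${IPT:-echo iptables}"          # "echo iptables" = dry run
PASV_RANGE="${PASV_RANGE:-49152:65534}"

# Active-mode data source port for a given control port (L-1).
data_port() {
    echo $(($1 - 1))
}

# Comma-separated control port list for the conntrack helper, e.g.
#   modprobe nf_conntrack_ftp ports="$(helper_ports 21 210 215)"
helper_ports() {
    printf '%s' "$1"; shift
    for p in "$@"; do printf ',%s' "$p"; done
    echo
}

# Emit the rules for the control ports given as arguments.
ftp_rules() {
    for ctl in "$@"; do
        src=$(data_port "$ctl")
        # control connection from the client
        $IPT -A INPUT  -p tcp --dport "$ctl" -m state --state NEW -j ACCEPT
        # active mode: server opens the data connection from port L-1,
        # so the NEW packet must be allowed out, restricted to that sport
        $IPT -A OUTPUT -p tcp --sport "$src" -m state --state NEW -j ACCEPT
    done
    # passive mode: client connects to a server-chosen unbound port
    $IPT -A INPUT -p tcp --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
    # with the FTP helper loaded, data connections match RELATED here
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Example control ports (constructed, matching the thread's 210..230 set).
ftp_rules 210 215 220 225 230
```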