
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 12/09/2004 Mike Mestnik wrote:
> > What I mean is that, even though you're not using NAT, source-based
> > FTP is supported.  This means only your firewall will be able to be
> > the client.  I know this seems backwards, but look at it from a
> > network admin's POV and not from a system admin's.
> > 
> > I don't think NF will open ports for an FTP server, though it's very
> > hard to see that some code is not there.  Normally (for a client) a
> > PORT cmd would mean that I'd be looking to receive a connection on
> > that port, so NF opens an incoming port.  This will not WORK if you're
> > the server and you need an outgoing one!
> > 
> > To fix this you will NEED to know how your FTP server works
> > internally.  Some FTP servers will use port 20 as a source port; this
> > has been deprecated though.  For others there is a file in proc that
> > says what unbound ports will be set to, for the source port on
> > outgoing and the dest port on incoming.  You then need to let all
> > --state NEW pkts from these ports; this will let active (PORT) FTP
> > work.  You can just let all NEW pkts get ACCEPTed in OUTPUT.  Next you
> > will *need to, for PASV FTP, let all of these default unbound ports
> > INto your firewall.
> > 
> > * This (PASV) is needed for many stateless FWs!!
> 
> so what you mean, is that ftp uses another port for data and other
> connections?
Yes, unlike HTTP, FTP uses one connection for authentication and
commands (user, pass, cd, ls (dir), get, put, pasv, port, etc.).  The other
connections carry data (the directory listings and files).  Setting up these
ftp-data connections has been a problem for stateful FWs.

> i use proftpd as ftp server, and i read that proftpd uses port L-1 as
> source port, where L is the data port of the server.
> 
This is the old way of doing things; "OUTPUT -p tcp --sport <L-1> -m state
--state NEW" should work fine.

> this would require to open ports 209, 214, 219, 224 and 229 as well,
> correct? then the easiest way would be to add them to my iptables rules,
> am i right?
> 
Correct.  There is another problem now, PASV FTP.  The L-1 thing only
worked for active (PORT) FTP, and MANY (all) stateful firewalls will have a
hard time working with these.  This is why there is code to support FTP
clients, since it *was* ?rare? for commercial FTP clients to use anything
other than PORT-based FTP.

This will require you to accept any connection to the
ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range, 32768 to 61000)
with "INPUT -p tcp --dport 32768:61000 -m state --state NEW".  You can
write to as well as read this file, if you only wish to open, let's say,
32768 32800.

> what i'm wondering about: does firehol do this for port 20 with its
> complex ftp service?
> 
I'm not sure, for FTP to work one of pasv or port must work.

> also i have to tell you that it works quite well currently, so why does
> it do so, if the source port isn't open? or does this only behave for
> clients sitting behind a firewall?
> 
Use tcpdump or netstat to see what's going on.

> i didn't get what you wanted to say about passive ftp, i thought that it
> doesn't require the source port, but uses only the default data port.
> 
PASV FTP uses outgoing (from the client) connections to the server.  If the
server has ALL its ports blocked this won't work.

> bye
>  jonas
> 
> 

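The rules Mike describes for a proftpd server behind a stateful iptables filter, as an added example that is not part of this thread and not code from proftpd, firehol or netfilter: active (PORT) data connections sourced from L-1, PASV connections accepted into ip_local_port_range, and the option of narrowing that range by writing the proc file. It assumes the L-1 source-port behaviour Jonas quoted for proftpd and a Linux host; the function names, the IPT and PORT_RANGE_FILE variables, and the sample listening ports 21 and 210 are my own. Setting IPT=echo prints the rules instead of loading them, which is how to check the result before touching a live box.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables rules discussed
# above for an FTP *server* behind a stateful filter.  Assumes proftpd's
# L-1 behaviour: the data connection for control port L is sourced from
# port L-1 (21 -> 20, 210 -> 209).  Set IPT=echo to preview the rules.
set -eu

IPT=${IPT:-iptables}       # assumed knob: override with "echo" for a dry run
PORT_RANGE_FILE=${PORT_RANGE_FILE:-/proc/sys/net/ipv4/ip_local_port_range}

# Print "low high" from ip_local_port_range; fall back to the default range
# quoted in the thread when the file is not readable (e.g. not on Linux).
local_port_range() {
    if [ -r "$PORT_RANGE_FILE" ]; then
        cat "$PORT_RANGE_FILE"
    else
        echo "32768 61000"
    fi
}

# Shrink the range the kernel hands out for unbound ports so the PASV hole
# can be narrower (the thread's "32768 32800" case).  Needs root for real.
narrow_port_range() {
    [ "$1" -le "$2" ] || { echo "bad range: $1 $2" >&2; return 1; }
    echo "$1 $2" > "$PORT_RANGE_FILE"
}

# Replies to connections we already accepted, in both directions.
state_rules() {
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Control connections: clients connect to each listening port L.
control_rules() {
    for l in "$@"; do
        "$IPT" -A INPUT -p tcp --dport "$l" -m state --state NEW -j ACCEPT
    done
}

# Active (PORT) FTP: the *server* opens the data connection back to the
# client, sourced from L-1, so OUTPUT must accept NEW from that source port.
active_ftp_rules() {
    for l in "$@"; do
        "$IPT" -A OUTPUT -p tcp --sport "$((l - 1))" -m state --state NEW -j ACCEPT
    done
}

# Passive (PASV) FTP: the client connects in to an unbound port the server
# picked from ip_local_port_range, so INPUT must accept NEW on that range.
passive_ftp_rules() {
    set -- $(local_port_range)
    "$IPT" -A INPUT -p tcp --dport "$1:$2" -m state --state NEW -j ACCEPT
}

# Usage: IPT=echo sh ftp-rules.sh 21 210    (listening ports as arguments)
if [ $# -gt 0 ]; then
    state_rules
    control_rules "$@"
    active_ftp_rules "$@"
    passive_ftp_rules
fi
```

The PASV rule is the uncomfortable one: it opens the whole ephemeral range to NEW connections, which is exactly why narrowing ip_local_port_range first (or using the ftp conntrack helper where it applies) is worth the trouble.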