Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]
On 16 Sep 2004, Jonas Meurer wrote:
> On 13/09/2004 Mike Mestnik wrote:
>> Yes, unlike HTTP, FTP uses one connection for authentication and
>> commands (user, pass, cd, ls(dir), get, put, pasv, port, ext). The other
>> connections carry data (the directory listings and files). Setting up these
>> ftp-data connections has been a problem for stateful FWs.
>>
>>> I use proftpd as ftp server, and I read that proftpd uses port L-1 as
>>> source port, where L is the data port of the server.
>>>
>> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
>> --state NEW" should work fine.
>
> Does this show the port as open in portscans?
No, since it is an output rule. Port scanning only concerns INPUT and
FORWARD rules, since it requires a packet coming in.
>>> This would require opening ports 209, 214, 219, 224 and 229 as well,
>>> correct? Then the easiest way would be to add them to my iptables rules,
>>> am I right?
>>
>> Correct. There is another problem now, pasv FTP. The L-1 thing only
>> worked for active (port) FTP and MANY (all) stateful firewalls will have a
>> hard time working with these. This is why there is code to support FTP
>> clients, since it *was* ?rare? for commercial FTP clients to use anything
>> other than port based FTP.
>>
>> This will require you to accept any connection to the
>> ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range, 32768 to 61000)
>> with "INPUT -p tcp --dport 32768:61000 -m state --state NEW". You can
>> write to as well as read this file, if you only wish to open, let's say,
>> 32768 32800.
>
> So, but if firehol takes care of the default ftp port, it should
> consider this, and thus already open these ports for passive ftp,
> shouldn't it? Daniel, can you tell us?
Firehol does read the ip_local_port_range sysctl and use that for rules
on the INPUT/OUTPUT chains. It allows almost anything for rules on the
FORWARD chain since it cannot assume anything about the machines it is
acting as an IP forwarder for.
>>> What I'm wondering about: does firehol do this for port 20 with its
>>> complex ftp service?
>
> Daniel?
You can see what it sets up in the file /etc/firehol/firehol, line 878.
A quick check says that it does take into account both active and
passive FTP, and does use the default local port range.
Daniel
--
There are no poisonous substances, only incorrect doses.
-- Paracelsus
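An added example, not part of the thread or of firehol: a small POSIX shell script that turns the two rules discussed above (the L-1 OUTPUT rule for active FTP and the ip_local_port_range INPUT rule for passive FTP) into iptables commands, reading the range from the kernel the way firehol is said to. The optional file argument to read_port_range is a hypothetical parameter so the script can be exercised against a constructed copy of the sysctl file; the functions only print the commands, they do not apply them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate the iptables
# rules for an FTP server's data connections from the kernel's ephemeral
# port range, as discussed in the thread.

# Read "low high" from the ip_local_port_range file and return "low:high".
# The optional argument (hypothetical, for testing) overrides the path.
read_port_range() {
    read -r low high < "${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    echo "$low:$high"
}

# Passive FTP: the server listens on an ephemeral port for each data
# connection, so new inbound connections to the whole range are accepted.
# Narrowing the range (by writing to the sysctl file) shrinks this rule.
pasv_input_rule() {
    echo "iptables -A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT"
}

# Active FTP: the server opens the data connection itself from port L-1,
# so only an OUTPUT rule is needed and nothing new is reachable from outside.
active_output_rule() {
    echo "iptables -A OUTPUT -p tcp --sport $(( $1 - 1 )) -m state --state NEW -j ACCEPT"
}

# Stand-alone use: print both rules for the running kernel's range.
if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    pasv_input_rule "$(read_port_range)"
    active_output_rule 21
fi
```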