
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 13/09/2004 Mike Mestnik wrote:
> > Yes, unlike HTTP, FTP uses one connection for authentication and
> > commands (user, pass, cd, ls(dir), get, put, pasv, port, ext).  The other
> > connections carry data (the directory listings and files).  Setting up
> > these ftp-data connections has been a problem for stateful FWs.
> > 
> > > i use proftpd as ftp server, and i read that proftpd uses port L-1 as
> > > source port, where L is the data port of the server.
> > > 
> > This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> > --state NEW" should work fine.
> 
> does this show the port as open in portscans?
> 
No, INPUT pkts are handled by the INPUT chain.  Only NEW connections
started by the local host will be affected here.

> > > this would require to open ports 209, 214, 219, 224 and 229 as well,
> > > correct? then the easiest way would be to add them to my iptables rules,
> > > am i right?
> > 
> > Correct.  There is another problem now, pasv FTP.  The L-1 thing only
> > worked for active (port) FTP and MANY (all) stateful firewalls will have a
> > hard time working with these.  This is why there is code to support FTP
> > clients, since it *was* ?rare? for commercial FTP clients to use anything
> > other than port-based FTP.
> > 
> > This will require you to accept any connection to the
> > ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range 32768 to 61000)
> > with "INPUT -p tcp --dport 32768:61000 -m state --state NEW".  You can
> > write to as well as read this file, if you only wish to open, let's say,
> > 32768 32800.
> 
> so but if firehol takes care of the default ftp port, it should
> consider this, and though already open these ports for passive ftp,
> shouldn't it? daniel, can you tell us?
> 
Note that these ports may be reported as closed vs filtered by portscans.

> > > what i'm wondering about: does firehol do this for port 20 with its
> > > complex ftp service?
> 
> daniel?
> 
> bye
>  jonas
> 
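The two rule shapes discussed in this thread (the active-FTP "--sport L-1" OUTPUT rule and the passive-FTP "--dport lo:hi" INPUT rule taken from ip_local_port_range), plus the conntrack-helper alternative Mike alludes to, as an added example that is not part of the original message and not firehol's own code. The functions only generate the iptables command lines so the logic can be checked without root; the port values and the "32768 61000" range string are constructed for the example rather than read from a live system.

```shell
#!/bin/sh
# Added example, not from the thread: emit iptables rules for an FTP server
# under the two approaches discussed (active FTP via the L-1 source port,
# passive FTP via the kernel's local port range), plus the conntrack helper.

# Constructed values for the example. On a real box you would read the range
# with:  read PASV_LO PASV_HI < /proc/sys/net/ipv4/ip_local_port_range
FTP_PORT=21
DATA_PORT=20
PASV_RANGE="32768 61000"

# Active (PORT) FTP: the server originates the data connection from L-1,
# so only the OUTPUT chain needs a NEW-state rule. Nothing is opened on
# INPUT, which is why a portscan does not see this as an open port.
active_rules() {
    l="$1"
    sport=$((l - 1))
    printf 'iptables -A OUTPUT -p tcp --sport %s -m state --state NEW -j ACCEPT\n' "$sport"
}

# Passive (PASV) FTP: the client connects to an ephemeral port chosen by
# the server from ip_local_port_range, so that whole range must accept NEW
# connections on INPUT. Argument is the range as the kernel prints it, "lo hi".
passive_rules() {
    set -- $1
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' "$1" "$2"
}

# Optional narrowing of the range, since the proc file is writable: this
# shrinks the passive window so fewer ports need to be opened above.
narrow_range_cmd() {
    printf 'echo "%s %s" > /proc/sys/net/ipv4/ip_local_port_range\n' "$1" "$2"
}

# Conntrack-helper alternative: the FTP helper parses PORT/PASV on the
# control connection and marks the data connections RELATED, so only the
# control port needs a NEW rule and no ephemeral range is left open.
# The module was ip_conntrack_ftp on kernels of the thread's era and is
# nf_conntrack_ftp on current ones.
helper_rules() {
    ctrl="$1"
    printf 'modprobe nf_conntrack_ftp\n'
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$ctrl"
    printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
}

# Print the full rule set for the constructed values when run directly.
active_rules "$DATA_PORT"
passive_rules "$PASV_RANGE"
narrow_range_cmd 32768 32800
helper_rules "$FTP_PORT"
```

Pipe the output through sh only after reviewing it; the wide passive range is the weaker configuration, and the helper-based set is what replaces it on a stateful firewall.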





