Re: ipmasq and ftp
----- Original Message -----
From: "Bob Nielsen" <firstname.lastname@example.org>
To: "debian users" <email@example.com>
Sent: Monday, October 28, 2002 9:57 PM
Subject: Re: ipmasq and ftp
> I had this problem with a 2.4 kernel and iptables. Normal FTP uses a
> separate connection for data, although if you use passive mode, it will
> work over the main connection. If I use a 2.2 kernel with ipchains,
> the ip_masq_ftp module, which takes care of the data connection, will
> be installed and there are no problems.
> I find the documentation on setting up iptables to be somewhat
> confusing, but I figure I just haven't spent enough time on it yet.
> I have a different problem now however. I configured port forwarding,
> but if a client outside my LAN tries to ftp from my server, it only
> works if passive mode is NOT used.
I'm pretty new to iptables too. The problem with Linux is that there is so much
stuff to learn, and when you want to get a system up and running, it's not
always clear what one has to do.
I finally got it to work by removing the ipmasq package and installing
shorewall instead. My server used to be a SuSE 7.2 system with the
SuSEfirewall 2 script on it. Quite easy to install but no match for the
debian apt-get and shorewall combo. Try it. It took me 30 minutes
to install, going through a sample config. My ftp connection worked
immediately as did the rest.
SSH didn't work but a simple "ACCEPT loc fw tcp ssh" entry in the
/etc/shorewall/rules file solved that. Wow, very impressive.
The only problem I still have is that when I log on to the system, say
on ttys1 for instance, I get log messages of unauthorized access.
The shorewall faq said this on it:
"16. Shorewall is writing log messages all over my console making it
Answer: "man dmesg" -- add a suitable 'dmesg' command to your startup
scripts or place it in /etc/shorewall/start. Under RedHat, the max log level
that is sent to the console is specified in /etc/sysconfig/init in the
But I don't know how to do this.
I think adding dmesg -n 1 to the /etc/init.d/shorewall script would
solve that, but I'm not sure.
Another thing I noticed is that there is a K99shorewall and an S99shorewall
link in /etc/rc2.d.
No other program seems to have both a kill and a start service link in here.
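As an added illustration (not code from the thread or from the shorewall project) of what the ip_masq_ftp / ip_conntrack_ftp helper mentioned above has to do for the separate FTP data connection: it reads the PORT command and the 227 PASV reply on the control channel to learn which data connection to expect, and for a masqueraded client it rewrites the private address announced in PORT. The sample control-channel lines and all addresses are constructed.

```python
import re
from ipaddress import IPv4Address, ip_network

# Constructed sample control-channel lines (not taken from the thread): a
# masqueraded client at 192.168.1.10 sends an active-mode PORT command, and a
# server at 203.0.113.5 answers a PASV request with its data endpoint.
SAMPLE_PORT_CMD = "PORT 192,168,1,10,4,1\r\n"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)\r\n"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
_ENDPOINT_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_ftp_endpoint(line):
    """Return the (ip, port) announced in a PORT command or a 227 PASV reply,
    or None if the line carries no endpoint.  The port is p1*256 + p2."""
    m = _ENDPOINT_RE.search(line)
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if max(fields) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def expected_data_connection(line, server_ip):
    """Describe the data connection the firewall must treat as RELATED: in
    active mode the server connects from port 20 to the client's endpoint."""
    ep = parse_ftp_endpoint(line)
    if ep is None:
        return None
    if line.upper().startswith("PORT"):
        return {"mode": "active", "src": (server_ip, 20), "dst": ep}
    if line.startswith("227"):
        return {"mode": "passive", "dst": ep}
    return None

def rewrite_port_for_nat(line, public_ip, lan_cidr):
    """Mimic the NAT part of the helper for an active-mode client behind
    masquerading: replace the private address in PORT with the firewall's
    public address.  (The real helper also registers the expected connection.)"""
    ep = parse_ftp_endpoint(line)
    if ep is None or not line.upper().startswith("PORT"):
        return line
    ip, port = ep
    if IPv4Address(ip) not in ip_network(lan_cidr):
        return line  # not a masqueraded client, nothing to rewrite
    octets = public_ip.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)]) + "\r\n"
```

Without such a helper, the data connection from the server to a masqueraded client's private address never arrives, which is why active mode fails through plain NAT and why the helper module has to be loaded alongside the iptables rules.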