
FTP, ICMP etc.

Thanks to everyone for the help on DNS lately.

Now, some problems persist.


I allow FTP in through the fw to one machine. Then I allow related packets 
through. It works, but not if the outside client uses passive mode FTP !?!

Relevant iptables lines:

iptables -A FORWARD $v -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD $v -i $INTER -o $INTRA -p tcp --destination-port ftp -d ftp.mydomain.se -j ACCEPT

From the inside everything is accepted.

What needs to be done to accept passive FTP?


Some outside sites had strange problems. I opened ICMP type 3 according 
to an earlier mail on this list. Seems to help a bit. To debug the FTP 
problem above I have for a while had the whole ICMP protocol open. What is type 3?
(iptables gives a listing with names, but no name-to-number translation.)

What more of ICMP is necessary to let through, and what part of ICMP (except ping) 
is known to be abused? (Still looking for that cookbook-like text ;-)

This opening of ICMP had another reason. On the local network there is a 
modem pool with dialback for remote access to the network. People dialing 
in can access the local net but not the internet. Before the firewall they 
could access the internet. I can't really think of anything making these 
dial-in users different from other clients on the local net, but still the
fw treats them differently. As said earlier, *everything* from the inside is 
supposed to get through, and related packets back. Does anyone have any idea?

Related misses??

Web browsing from inside the fw to the outside does generally work well. But 
sometimes, for some users, one page doesn't load or loads slowly. At the 
same time the fw logs blocked calls from that website, port 80, to that 
client. It seems like the related feature of iptables misses some 
connections from time to time. Has anyone else seen something similar?
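The two questions above, what the firewall needs for passive-mode FTP and which ICMP types to pass, are answered by the following script. It is an added example, not part of the original mail or the poster's own configuration. It keeps the poster's two FORWARD rules and the hostname ftp.mydomain.se, and assumes eth0 as the outside interface, eth1 as the inside interface and FTP on port 21 (the same as the `ftp` service name in the post). IPT and MODPROBE can be overridden (for instance IPT=echo) to print the rule set instead of applying it.

```shell
#!/bin/sh
# Added example (not from the original post): forwarding-firewall rules that let
# passive-mode FTP and the useful ICMP error types through a netfilter firewall.
# Assumptions: outside interface eth0, inside interface eth1, FTP server
# ftp.mydomain.se listening on port 21.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
INTER="${INTER:-eth0}"                  # assumed outside interface
INTRA="${INTRA:-eth1}"                  # assumed inside interface
FTPSRV="${FTPSRV:-ftp.mydomain.se}"     # FTP server named in the post

load_ftp_helper() {
    # In passive mode the client opens a second TCP connection to a high port that
    # the server announces in its "227 Entering Passive Mode" reply. Plain
    # connection tracking sees that as a brand-new connection, so
    # --state RELATED never matches it. The FTP helper parses the PASV reply and
    # marks the expected data connection RELATED. The module is nf_conntrack_ftp
    # on 2.6 and later kernels, ip_conntrack_ftp on 2.4.
    "$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
}

ftp_rules() {
    # Since kernel 4.7 helpers are no longer attached automatically, so the control
    # connection must be tied to the helper in the raw table. Old kernels without
    # the CT target reject this rule; loading the module is enough there.
    "$IPT" -t raw -A PREROUTING -i "$INTER" -p tcp --dport 21 -d "$FTPSRV" \
        -j CT --helper ftp 2>/dev/null || true
    # The same two rules as in the post. With the helper loaded the first one now
    # also accepts the passive data connection (and, for active mode, the server's
    # port-20 connection back out to the client).
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$INTER" -o "$INTRA" -p tcp --dport 21 -d "$FTPSRV" -j ACCEPT
}

icmp_rules() {
    # iptables accepts numeric ICMP types (RFC 792 numbering), so the name listing
    # from "iptables -p icmp -h" is not needed. Type 3 is destination-unreachable;
    # its code 4 (fragmentation-needed) carries path-MTU discovery, and dropping it
    # is the classic cause of "some sites hang or load slowly".
    "$IPT" -A FORWARD -p icmp --icmp-type 3 -j ACCEPT    # destination-unreachable
    "$IPT" -A FORWARD -p icmp --icmp-type 11 -j ACCEPT   # time-exceeded (traceroute)
    "$IPT" -A FORWARD -p icmp --icmp-type 12 -j ACCEPT   # parameter-problem
    # Ping out from the inside only. Conntrack tracks echo request/reply by id, so
    # the reply comes back as ESTABLISHED and no inbound echo rule is needed.
    "$IPT" -A FORWARD -i "$INTRA" -o "$INTER" -p icmp --icmp-type 8 -j ACCEPT
    # Everything else in ICMP, redirect (type 5) in particular, stays blocked.
}

case "${1:-}" in
    apply) load_ftp_helper; ftp_rules; icmp_rules ;;
    show)  IPT=echo; MODPROBE=echo; load_ftp_helper; ftp_rules; icmp_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it with `show` to print the rule set and `apply` to load it. Two caveats: if the FTP server sits behind NAT, the helper's NAT companion (nf_nat_ftp) is also needed so the address in the PASV reply is rewritten to the public one; and ICMP errors that refer to a connection conntrack already knows are classified RELATED and pass through the first FORWARD rule anyway, so the explicit type 3 rule matters for errors about connections the firewall has forgotten or never saw.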
