FTP, ICMP etc.
Thanks to everyone for the help on DNS lately.
Now, some problems persist.
FTP:
I allow FTP in through the fw to one machine. Then I allow related packages
through. It works, but not if the outside client uses passive mode FTP !?!
Relevant iptables lines:
iptables -A FORWARD $v -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD $v -i $INTER -o $INTRA -p tcp --destination-port ftp -d ftp.mydomain.se -j ACCEPT
From the inside everything is accepted.
What needs to be done to accept passive FTP?
ICMP:
Some outside sites had strange problems. I did open ICMP type 3 according
to an earlier mail on this list. Seems to help a bit. To debug the FTP
problem above I have for a while had all of the ICMP protocol open. What is type 3?
(iptables gives a listing with names, but no name-to-number translation.)
What more of ICMP is necessary to let through, and what part of ICMP (except ping)
is known to be abused? (Still looking for that cookbook-like text ;-)
This opening of ICMP had another reason. On the local network there is a
modem pool with dialback for remote access to the network. People dialing in
can access the local net but not the internet. Before the firewall they
could access the internet. I can't really think of anything making these
dial-in users different from other clients on the local net, but still the
fw treats them differently. As said earlier, *everything* from the inside is
supposed to get through, and related packages back. Does anyone have any idea?
Related misses??
Web browsing from inside the fw to the outside does generally work well. But
sometimes, for some users, one page doesn't load or loads slowly. At the
same time the fw logs blocked calls from that website, port 80, to that
client. It seems like the related feature of iptables misses some
connections from time to time. Has anyone else seen something similar?
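A rule-set fragment that makes passive FTP match the RELATED state and opens only the ICMP types a stateful firewall needs, added here as an example rather than taken from the post; the interface names, the conntrack module name, the `MODE` switch and the `run` helper are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post. Interface and host names are
# assumptions (the post only shows $INTER, $INTRA and ftp.mydomain.se).
INTER=${INTER:-eth0}; INTRA=${INTRA:-eth1}; FTPHOST=${FTPHOST:-ftp.mydomain.se}

# Print the commands unless MODE=apply, so the rule set can be reviewed first.
run() { if [ "${MODE:-print}" = apply ]; then "$@"; else echo "$*"; fi; }

ftp_rules() {
  # Without the FTP connection-tracking helper, RELATED only matches ICMP
  # errors; the passive-mode data connection (server port chosen by PASV) is
  # a NEW connection and gets dropped. Kernel 2.4 named the module ip_conntrack_ftp.
  run modprobe nf_conntrack_ftp
  # Since kernel 4.7 helpers are no longer assigned automatically: bind the
  # helper explicitly to the control connection in the raw table.
  run iptables -t raw -A PREROUTING -i "$INTER" -p tcp -d "$FTPHOST" --dport 21 \
      -j CT --helper ftp
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$INTER" -o "$INTRA" -p tcp -d "$FTPHOST" --dport 21 \
      -m conntrack --ctstate NEW -j ACCEPT
}

icmp_rules() {
  # Numeric ICMP types behind the names iptables lists:
  #   3 destination-unreachable (code 4, fragmentation-needed, drives path-MTU
  #     discovery; blocking it stalls large transfers and makes pages load slowly),
  #  11 time-exceeded, 12 parameter-problem, 8/0 echo-request/echo-reply.
  # Type 5 (redirect) is the one commonly abused; leave it closed.
  for t in 3 11 12; do
    run iptables -A FORWARD -p icmp --icmp-type "$t" \
        -m conntrack --ctstate RELATED -j ACCEPT
  done
  # Log whatever ICMP is still dropped so dial-in users' failures show up.
  run iptables -A FORWARD -p icmp -j LOG --log-prefix "icmp-drop: "
}

main() { ftp_rules; icmp_rules; }
main
```

Run with `MODE=apply` as root to install the rules; without it the script only prints them.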