
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 13/09/2004 Mike Mestnik wrote:
> Yes, unlike HTTP, FTP uses one connection for authentication and
> commands (user, pass, cd, ls(dir), get, put, pasv, port, ext).  The other
> connections carry data (the directory listings and files).  Setting up these
> ftp-data connections has been a problem for stateful FWs.
> 
> > i use proftpd as ftp server, and i read that proftpd uses port L-1 as
> > source port, where L is the data port of the server.
> > 
> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> --state NEW" should work fine.

does this show the port as open in portscans?

> > this would require to open ports 209, 214, 219, 224 and 229 as well,
> > correct? then the easiest way would be to add them to my iptables rules,
> > am i right?
> 
> Correct.  There is another problem now, pasv FTP.  The L-1 thing only
> worked for active(port) FTP and MANY(all) stateful firewalls will have a
> hard time working with these.  This is why there is code to support FTP
> clients, since it *was* ?rare? for commercial FTP clients to use anything
> other than port based FTP.
> 
> This will require you to accept any connection to the
> ip_local_port_range(/proc/sys/net/ipv4/ip_local_port_range 32768 to 61000)
> with "INPUT -p tcp --dport 32768:61000 -m state --state NEW".  You can
> write to as well as read this file, if you only wish to open let's say
> 32768 32800.

so but if firehol takes care of the default ftp port, it should
consider this, and thus already open these ports for passive ftp,
shouldn't it? daniel, can you tell us?

> > what i'm wondering about: does firehol do this for port 20 with its
> > complex ftp service?

daniel?

bye
 jonas
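A dry-run helper, added here and not part of the thread, that prints (rather than applies) the rules Mike describes, the passive INPUT range, the active OUTPUT L-1 source ports and the narrowed range, next to the conntrack-helper alternative; it assumes iptables' state match and uses a constructed file in place of /proc/sys/net/ipv4/ip_local_port_range.

```shell
# Added example, not from the thread: print (do not apply) the iptables rules
# discussed above, derived from the kernel's ephemeral port range, so the range
# being exposed is checked before it is opened.  Assumptions: iptables with the
# "state" match; a constructed sample file stands in for
# /proc/sys/net/ipv4/ip_local_port_range.
SAMPLE_RANGE_FILE="${TMPDIR:-/tmp}/ip_local_port_range.sample"
printf '32768\t61000\n' > "$SAMPLE_RANGE_FILE"   # constructed sample content

# Read "low high" from a range file, check it is a sane port range, and
# print it as "low:high" for iptables' --dport syntax.
port_range() {
    read -r low high < "$1" || return 1
    case "$low$high" in *[!0-9]*|"") return 1 ;; esac
    [ "$low" -ge 1 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ] || return 1
    printf '%s:%s\n' "$low" "$high"
}

# Passive FTP: the server listens on ephemeral ports, so the whole range
# must accept NEW inbound connections (the rule Mike describes).
passive_input_rule() {
    range=$(port_range "$1") || return 1
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$range"
}

# Active FTP with the L-1 convention: for each data port L the server
# connects out from source port L-1, which is what the OUTPUT rule matches.
active_output_rules() {
    for l in "$@"; do
        printf 'iptables -A OUTPUT -p tcp --sport %s -m state --state NEW -j ACCEPT\n' "$((l - 1))"
    done
}

# Smaller exposure: narrow the range the kernel hands out (Mike's
# "32768 32800" suggestion) so the INPUT rule covers only that window.
narrow_range_cmd() {
    printf 'sysctl -w net.ipv4.ip_local_port_range="%s %s"\n' "$1" "$2"
}

# Alternative that opens no static range: the FTP conntrack helper marks
# data connections RELATED, so only that state needs accepting inbound.
helper_rules() {
    printf 'modprobe nf_conntrack_ftp\n'
    printf 'iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
}

passive_input_rule "$SAMPLE_RANGE_FILE"
active_output_rules 210 215 220 225 230
narrow_range_cmd 32768 32800
helper_rules
```

Pipe the output into sh only after reviewing the printed range; the helper variant is the one that avoids a permanently open ephemeral range.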
