Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]
--- Jonas Meurer <jonas@freesources.org> wrote:
> On 13/09/2004 Mike Mestnik wrote:
> > Yes, unlike HTTP, FTP uses one connection for authentication and
> > commands (user, pass, cd, ls(dir), get, put, pasv, port, ext). The other
> > connections carry data (the directory listings and files). Setting up these
> > ftp-data connections has been a problem for stateful FWs.
> >
> > > i use proftpd as ftp server, and i read that proftpd uses port L-1 as
> > > source port, where L is the data port of the server.
> > >
> > This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> > --state NEW" should work fine.
>
> does this show the port as open in portscans?
>
No, INPUT pkts are handled by the INPUT chain. Only NEW connections
started by the local host will be affected here.
> > > this would require to open ports 209, 214, 219, 224 and 229 as well,
> > > correct? then the easiest way would be to add them to my iptables rules,
> > > am i right?
> >
> > Correct. There is another problem now, pasv FTP. The L-1 thing only
> > worked for active (port) FTP and MANY (all) stateful firewalls will have a
> > hard time working with these. This is why there is code to support FTP
> > clients, since it *was* ?rare? for commercial FTP clients to use anything
> > other than port based FTP.
> >
> > This will require you to accept any connection to the
> > ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range 32768 to 61000)
> > with "INPUT -p tcp --dport 32768:61000 -m state --state NEW". You can
> > write to as well as read this file, if you only wish to open let's say
> > 32768 32800.
>
> so but if firehol takes care of the default ftp port, it should
> consider this, and though already open these ports for passive ftp,
> shouldn't it? daniel, can you tell us?
>
Note that these ports may be reported as closed vs filtered by portscans.
> > > what i'm wondering about: does firehol do this for port 20 with its
> > > complex ftp service?
>
> daniel?
>
> bye
> jonas
>
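The two rule shapes Mike describes above (OUTPUT --sport L-1 for active FTP, INPUT across ip_local_port_range for passive FTP), as an added shell example that is not part of the thread. The control port list is a constructed sample and the range is read from a temporary file standing in for /proc/sys/net/ipv4/ip_local_port_range; on a current kernel the nf_conntrack_ftp helper (ip_conntrack_ftp on older kernels) tracks the PORT/PASV exchange so the data connection matches --state RELATED and neither rule is needed.

```shell
#!/bin/sh
# Added example, not from the thread: generate the two kinds of rules
# discussed above for a proftpd server listening on several control ports.

# Active (PORT) FTP: the server itself opens the data connection from
# source port L-1, so the rule lives in OUTPUT and nothing new listens.
active_rules() {
    for ctl in "$@"; do
        echo "iptables -A OUTPUT -p tcp --sport $((ctl - 1)) -m state --state NEW -j ACCEPT"
    done
}

# Passive (PASV) FTP: the server listens on an ephemeral port, so the
# client's connection must be accepted on INPUT across the whole range.
# ip_local_port_range is writable, so narrowing it shrinks this exposure.
passive_rule() {
    range_file=$1
    read low high < "$range_file" || return 1
    [ "$low" -gt 0 ] && [ "$high" -ge "$low" ] && [ "$high" -le 65535 ] || return 1
    echo "iptables -A INPUT -p tcp --dport $low:$high -m state --state NEW -j ACCEPT"
}

# Sanity check: an L-1 data port that falls inside the passive range is
# also reachable from outside through the INPUT rule; report such cases.
check_overlap() {
    range_file=$1; shift
    read low high < "$range_file"
    for ctl in "$@"; do
        d=$((ctl - 1))
        if [ "$d" -ge "$low" ] && [ "$d" -le "$high" ]; then
            echo "warning: data port $d of control port $ctl lies in passive range $low-$high"
        fi
    done
}

# Constructed sample input: port 21 plus the extra proftpd ports from the thread.
RANGE_FILE=$(mktemp)
printf '32768\t61000\n' > "$RANGE_FILE"
active_rules 21 210 215 220 225 230
passive_rule "$RANGE_FILE"
check_overlap "$RANGE_FILE" 21 210 215 220 225 230
rm -f "$RANGE_FILE"
```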