Re: open ports with firehol
On Thu, 6 May 2004, Jonas Meurer wrote:
> On 29/04/2004 Daniel Pittman wrote:
>> > Does not connection tracking take care of both active and passive
>> > FTP? These both should fall under state RELATED, not state NEW.
>>
>> The firehol script treats it as a complex service, because there are
>> connections going both ways. If you look at the relevant function in
>> /lib/firehol/firehol (line 869) you will see what firehol does to set
>> it up.
>
> mh, now with
> server_myftp_ports="tcp/211:215"
> client_myftp_ports="default"
>
> I get after logging in with 'lftp -p 211 user@www.kidns.de' from a
> remote machine and trying to list the content with 'ls':
> `ls' at 0 [Connecting...]
> `ls' at 0 [Sending commands...]
> `ls' at 0 [Waiting for response..]
> `ls' at 0 [Making data connection...]
> and there it starts idling for infinity. So it seems like no data is
> delivered to my remote machine. Any suggestions why that could be?
> From the firewall/ftp machine itself it works well, so no problem with
> the ftp-server.
>
> It's quite important to have these 5 ports open, so if you have no
> suggestions to fix the above, what do the iptables commands look like
> to open these 5 ports for an ftp connection?
Hrm. IIRC, you needed that to be active FTP, right?
To enable access to those ports, add the following to your firehol
script:
iptables -A INPUT -i <your ethernet i/f> -p tcp \
-d <your server IP> --dport 211:215 \
-j ACCEPT
iptables -A OUTPUT -o <your ethernet i/f> -p tcp \
-s <your server IP> --sport 211:215 \
-j ACCEPT
Also, you may have better luck jumping on the firehol user list and
asking there; the author may have better advice for you.
Daniel
--
All that I have written appears to me as so much straw after
the things that have been revealed to me.
-- St. Thomas Aquinas
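The two rules Daniel gives accept traffic to and from the control ports only. An FTP data transfer is a separate TCP connection (opened by the server in active mode, by the client to a high port in passive mode), which is why firehol treats FTP as a complex service rather than a plain port opening, and why the kernel ships an FTP connection-tracking helper. That helper only watches port 21 unless told otherwise. The script below is an added example, not from this thread and not firehol's own code: it prints the iptables rules for an FTP server on a non-standard control port, attaching the kernel's ftp conntrack helper to that port so that both active and passive data connections match state RELATED instead of needing a blanket range opened. The interface, server address and port are placeholders chosen for the example; the `ports=` module parameter and the `-t raw ... -j CT --helper ftp` rule are the two ways the helper gets told about the extra port (the latter is required on recent kernels, where automatic helper assignment is disabled by default).

```shell
#!/bin/sh
# Added example (not from the thread, not from firehol): generate iptables
# rules for an FTP server whose control channel is on a non-standard port.
# Assumes one interface, one server address, a Linux kernel with the FTP
# conntrack helper (nf_conntrack_ftp; ip_conntrack_ftp on 2.4/2.6 kernels)
# and a DROP policy on INPUT/OUTPUT that these rules punch holes in.

gen_ftp_rules() {
    iface="$1"; server="$2"; ctrl="$3"

    # Refuse anything that is not a usable TCP port number.
    case "$ctrl" in
        ''|*[!0-9]*) echo "control port must be numeric" >&2; return 1 ;;
    esac
    [ "$ctrl" -gt 1 ] && [ "$ctrl" -le 65535 ] || {
        echo "control port out of range" >&2; return 1
    }
    data=$((ctrl - 1))   # RFC 959: default active-mode data port is ctrl - 1

    # 1. Teach the helper about the extra control port. Older kernels read
    #    the module parameter; recent ones need the explicit CT rule because
    #    automatic helper assignment is off by default.
    echo "modprobe nf_conntrack_ftp ports=21,$ctrl"
    echo "iptables -t raw -A PREROUTING -i $iface -p tcp -d $server --dport $ctrl -j CT --helper ftp"

    # 2. Control channel: only NEW connections to the control port itself.
    echo "iptables -A INPUT -i $iface -p tcp -d $server --dport $ctrl -m state --state NEW -j ACCEPT"

    # 3. Data channels and replies. The helper parses PORT/PASV on the
    #    control channel and registers an expectation, so the client's
    #    passive-mode connection (inbound) and the server's active-mode
    #    connection (outbound) both arrive as RELATED. No range of high
    #    ports has to be opened.
    echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "# active-mode data connections originate from $server:$data and match RELATED"
}

# Usage: ./ftp-rules.sh eth0 192.0.2.10 211        (print the rules)
#        ./ftp-rules.sh eth0 192.0.2.10 211 | sh   (apply them as root)
if [ "$#" -eq 3 ]; then
    gen_ftp_rules "$@"
fi
```

Printing the rules rather than running them directly lets you review the result before piping it to a root shell, and the same generator can be dropped into a firehol script as raw iptables lines, as Daniel suggests. If a kernel without the helper is in use, passive mode still needs the server's configured passive port range opened inbound to the server address; active mode then needs outbound NEW connections from the data port allowed.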