Re: ftp table

To: debian-firewall@lists.debian.org
Subject: Re: ftp table
From: Ansgar Wiechers <lists@planetcobalt.net>
Date: Wed, 2 Jul 2008 14:12:48 +0200
Message-id: <[🔎] 20080702121248.GA29009@mail.planetcobalt.net>
In-reply-to: <[🔎] 551671.50520.qm@web28211.mail.ukl.yahoo.com>
References: <[🔎] 551671.50520.qm@web28211.mail.ukl.yahoo.com>

On 2008-07-02 Sathyainkara Balendra wrote:
> Thanks for ur helpful answers.
> I am using following settings now and it works:
> #FTP-TABLE
> *filter
> 
> : INPUT DROP [0:0]
> : FORWARD DROP [0:0]
> : OUTPUT DROP [0:0]
> 
> 
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> 
> -A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW \
>     -j ACCEPT

This rule allows arbitrary inbound connections from 212.74.114.60:20 and
212.74.114.60:21 to any port on your host. Don't do that. If connections
don't work without that line, check if you have FTP connection tracking
support enabled in your kernel (and if the module is loaded in case it's
compiled as a module).

> -A OUTPUT -p tcp -d 212.74.114.60 --dport 20:21 -m state --state NEW \
>     -j ACCEPT

Please make sure connection tracking is enabled and working, and allow
only port 21/tcp as destination port for new (FTP) connections.

If you still can't connect after connection tracking is enabled, try
sniffing the traffic with a protocol analyzer (e.g. Wireshark or
tcpdump),

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Reply to:

References:
- ftp table
  - From: Sathyainkara Balendra <sathyainkara.balendra@yahoo.co.uk>

Prev by Date: Re: ftp table
Next by Date: Re: ftp table
Previous by thread: Re: ftp table
Next by thread: Re: ftp table
Index(es):
- Date
- Thread