
Re: Problem with Firewall and FTP



On Wed, Sep 13, 2000 at 10:40:06AM +0200, Sebastian Heckrodt wrote:
> I'm green to ipchains and the protocols, but I think the following lines
> (which I have in my Firewall config.) should allow active and passive ftp:

1) > "-A output -s [$myIP] 1024: --dport 21 -p tcp -i eth0 -j ACCEPT"
2) > "-A input --sport 21 -d [$myIP] 1024: -p tcp -i eth0 -j ACCEPT ! -y"
3) > "-A output -s [$myIP] 1024: --dport 20 -p tcp -i eth0 -j ACCEPT ! -y"
4) > "-A input --sport 20 -d [$myIP] 1024: -p tcp -i eth0 -j ACCEPT"

I think this will only allow active FTP

example:
Active:
  a) Client 1024: connects to server ftp:ftp   --> rule 1
  b) Server ftp:ftp communicates (sends data back) with Client 1024:  --> rule 2
      (no connections can be initiated from server, seems ok)
  c) Server opens ftp-data to Client 1024:  --> rule 4

Passive:
  a+b like above
  c) Server waits on 1024: for Data connection from client 1024:
      blocked by FW
    --> add something like
      -A output -s [$myIP] 1024: -p tcp -i eth0 -j ACCEPT
      -A input  -d [$myIP] 1024: -p tcp -i eth0 -j ACCEPT ! -y    

Your mistake is that passive connections are not made to
port 20 (ftp-data) but to the range 1024:

But I am still wondering. Does apt use passive mode by default?
I never used it.

Bernhard

-- 
       __             ___
      // )    ___--""    "-.
 \ |,"( /`--""              `.          Bernhard Rieder & 13
  \/ o                        \
  (   _.-.              ,'"    ;        bernhard@ratte.dhs.org
   |\"   /`. \  ,      /       |
   | \  ' .'`.; |      |       \.______________________________
     _-'.'    | |--..,,,\_    \________------------""""""""""""
    '''"   _-'.'       ___"-   )
          '''"        '''---~""
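Added illustration, not code from the thread: the four quoted ipchains rules and the two passive-mode additions modelled as a small first-match packet filter, so the active/passive walk-through above can be checked. The chain/port/SYN semantics are assumed from the rule syntax; client port 1500 and server data port 3000 are constructed sample values.

```python
# Constructed model of the quoted ipchains rules (not real ipchains):
# a rule matches on chain, source port range, destination port range and,
# for "! -y", only on packets that are not SYN (connection-initiating).
from dataclasses import dataclass

HIGH = (1024, 65535)      # the "1024:" unprivileged range in the rules
ANY = (0, 65535)

@dataclass
class Rule:
    chain: str            # "input" or "output"
    sport: tuple          # (lo, hi) inclusive
    dport: tuple
    not_syn: bool = False # the "! -y" flag

@dataclass
class Packet:
    chain: str
    sport: int
    dport: int
    syn: bool

def accepted(rules, pkt):
    """First matching ACCEPT rule wins; no match means the packet is dropped."""
    for r in rules:
        if r.chain != pkt.chain:
            continue
        if not (r.sport[0] <= pkt.sport <= r.sport[1]):
            continue
        if not (r.dport[0] <= pkt.dport <= r.dport[1]):
            continue
        if r.not_syn and pkt.syn:
            continue
        return True
    return False

ORIGINAL = [
    Rule("output", HIGH, (21, 21)),                # rule 1: control out
    Rule("input", (21, 21), HIGH, not_syn=True),   # rule 2: control replies
    Rule("output", HIGH, (20, 20), not_syn=True),  # rule 3: ftp-data replies
    Rule("input", (20, 20), HIGH),                 # rule 4: ftp-data in (SYN ok)
]
PASSIVE_FIX = ORIGINAL + [                          # the two suggested additions
    Rule("output", HIGH, ANY),
    Rule("input", ANY, HIGH, not_syn=True),
]

def active_data_ok(rules, client_port=1500):
    # server opens port 20 -> client high port; SYN arrives on input
    return (accepted(rules, Packet("input", 20, client_port, True))
            and accepted(rules, Packet("output", client_port, 20, False)))

def passive_data_ok(rules, client_port=1500, server_port=3000):
    # client opens high port -> server high port; SYN leaves on output
    return (accepted(rules, Packet("output", client_port, server_port, True))
            and accepted(rules, Packet("input", server_port, client_port, False)))
```

Note that the added output rule accepts any outbound TCP from the 1024: range, not just FTP, while the added input rule still rejects inbound SYNs, so the host cannot be connected to on those ports.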


