
Re: iptables not so stateful



Eric Gaumer wrote:

On Fri, 2004-08-13 at 09:20, Clement wrote:
And I cannot do ftp. All the data mode traffic of FTP is blocked. Apparently the ESTABLISHED,RELATED specification is not followed. The module ipt_state is there and executing the above does not show any error message. I have tried "modprobe ipt_state" before the above to no success. Any idea?

You have to use passive FTP for connection tracking to work. If you use
active then the connection tracking module won't be able to follow the
connection.

My firewall is a Powermac running Woody plus shorewall.

summer@Dolphin:~$ ftp ftp.wa.au.debian.org
Connected to ftp.wa.au.debian.org.
220 ProFTPD 1.2.9 Server (Informed Technology FTP Server) [poledra.it.net.au]
<snip excess commentary>
230-
230 Anonymous access granted, restrictions apply.
bin
200 Type set to I
prompt
Interactive mode off.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pas
Passive mode on.
ftp> pas
Passive mode off.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx   1 ftpadm   staff          20 Dec 24  2003 debian -> mirrors/linux/debian
lrwxrwxrwx   1 ftpadm   staff          27 Dec 24  2003 debian-non-US -> mirrors/linux/debian-non-US
lrwxrwxrwx   1 ftpadm   staff          24 Dec 24  2003 debian-www -> mirrors/linux/debian-www
drwx------   2 root     system      16384 Dec 24  2003 lost+found
-rw-r--r--   1 ftpadm   staff    56004951 Aug 14 02:12 ls-lR
-rw-r--r--   1 ftpadm   staff     7040958 Aug 14 02:12 ls-lR.gz
-rw-r--r--   1 ftpadm   staff      467421 Aug 14 02:14 ls-lR.patch.gz
-rw-r--r--   1 ftpadm   staff          22 Aug 14 02:14 ls-lR.times
drwxr-xr-x  12 ftpadm   staff        4096 May 24 05:00 mirrors
drwxr-xr-x   3 ftpadm   staff        4096 Feb 27 05:47 pub
-rw-r--r--   1 ftpadm   staff          16 May  5  2003 timezone
drwxr-xr-x   4 root     system       4096 Jul 20 08:04 tmp
-rw-r--r--   1 root     system        717 Dec 25  2003 welcome.msg
226 Transfer complete.
ftp>


As you can see, I do not need to use passive ftp. I've always thought that's what connection tracking's for.

Here are my shorewall rules:
fw:/etc/shorewall# grep -v ^# rules

ACCEPT          coco2   loc             all
ACCEPT          loc     coco2           all
ACCEPT          coco2   $FW             all
ACCEPT          $FW     coco2           all
ACCEPT          $FW     net             udp     5000,5001
ACCEPT          loc     net             udp     5000,5001
ACCEPT          $FW     net:203.34.16.107  4
ACCEPT          net:203.34.16.107 $FW 4
ACCEPT          loc       $FW           tcp     ssh,www,443,smtp,110
ACCEPT          net       $FW           tcp     ssh,www,443,smtp

ACCEPT          $FW     net             tcp     ssh

ACCEPT          loc      net            tcp     110
ACCEPT          loc     $FW             tcp     110


ACCEPT          $FW       net           tcp     www,ftp,smtp,time,110

ACCEPT          $FW       loc           tcp     smtp
ACCEPT          $FW       net           udp     ntp
ACCEPT          $FW       loc           tcp     37
ACCEPT          $FW       loc           udp     syslog



--

Cheers
John

-- spambait
1aaaaaaa@computerdatasafe.com.au  Z1aaaaaaa@computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
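The two positions in the thread (passive is required vs. active works fine through connection tracking) differ by one thing neither message names: the kernel's FTP connection-tracking helper (ip_conntrack_ftp on 2.4-era kernels such as Woody's, nf_conntrack_ftp today), which watches the control channel for PORT commands and 227 replies and registers an "expectation" so the matching data connection is classified RELATED rather than NEW. Plain ipt_state alone cannot do that, which is why an ESTABLISHED,RELATED rule lets passive data connections (outbound, NEW) through but drops inbound active ones. The model below is an added example written for this thread, not kernel or Shorewall code; all addresses, ports and control-channel lines in it are constructed sample data, and the address check in FtpHelper.observe is a design choice of the example rather than a claim about the kernel helper's defaults.

```python
"""Model of how a stateful filter turns FTP data connections into RELATED.

Added illustration, not kernel or Shorewall code: it mimics the idea behind
the Linux ip_conntrack_ftp / nf_conntrack_ftp helper.  Every address, port
and control-channel line here is constructed sample data.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(groups):
    """Turn the six FTP h1,h2,h3,h4,p1,p2 fields into (ip, port)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP host/port field out of range")
    a, b, c, d, p1, p2 = vals
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


@dataclass
class FtpHelper:
    """Tracks one FTP control connection and the data connections it announces."""
    client_ip: str
    server_ip: str
    expectations: set = field(default_factory=set)  # (src_ip, dst_ip, dst_port)

    def observe(self, line, from_client):
        """Inspect one control-channel line; register an expectation if it announces a data port."""
        if from_client:
            m = PORT_RE.match(line)
            if not m:
                return None
            ip, port = parse_hostport(m.groups())
            if ip != self.client_ip:  # example's choice: no expectations toward a third host
                return None
            exp = (self.server_ip, ip, port)  # active mode: the server dials the client
        else:
            m = PASV_RE.match(line)
            if not m:
                return None
            ip, port = parse_hostport(m.groups())
            if ip != self.server_ip:
                return None
            exp = (self.client_ip, ip, port)  # passive mode: the client dials the server
        self.expectations.add(exp)
        return exp

    def state_of(self, src_ip, dst_ip, dst_port):
        """Classify the first packet of a new TCP connection: RELATED if expected, else NEW."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)  # one expectation serves exactly one connection
            return "RELATED"
        return "NEW"


def verdict(state, inbound):
    """Ruleset in the spirit of the thread: NEW allowed outbound only; replies and RELATED both ways."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP" if inbound else "ACCEPT"


def simulate(with_helper):
    """Push one active and one passive transfer through the filter; return each data connection's verdict."""
    client, server = "192.168.1.10", "203.0.113.5"  # constructed (RFC 1918 / TEST-NET-3) addresses
    helper = FtpHelper(client, server)
    results = {}
    # Active: the client announces 192.168.1.10:49153 (192*256+1); the server then connects inbound.
    if with_helper:
        helper.observe("PORT 192,168,1,10,192,1", from_client=True)
    results["active"] = verdict(helper.state_of(server, client, 49153), inbound=True)
    # Passive: the server announces 203.0.113.5:20000 (78*256+32); the client connects outbound.
    if with_helper:
        helper.observe("227 Entering Passive Mode (203,0,113,5,78,32)", from_client=False)
    results["passive"] = verdict(helper.state_of(client, server, 20000), inbound=False)
    return results


if __name__ == "__main__":
    print("ipt_state only :", simulate(with_helper=False))  # active data connection dropped
    print("with FTP helper:", simulate(with_helper=True))   # both transfers accepted
```

Run without the helper, the model reproduces the symptom in the first message (active data connection from the server is NEW and inbound, so it is dropped while passive still works); with the helper observing the control channel, both modes are RELATED and pass, which is what the ftp session above shows through Shorewall.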


