
Re: iptables not so stateful



On Tue, 2004-08-17 at 08:06, John L Fjellstad wrote:
> Eric Gaumer <gaumerel@titan.ecs.fullerton.edu> writes:
> Check out the iptables documentation page.
> "RELATED
> 
>     A packet which is related to, but not part of, an existing
>     connection, such as an ICMP error, or (with the FTP module
>     inserted), a packet establishing an ftp data connection."
> 
> This is in connection with the state option for iptables.  Active ftp
> works with connection tracking, and I've tried it.
> 
> > That's one of the main reasons passive exists. If the server
> > picks a port at random, then there is no way the client can anticipate
> > what port to open. 
> 
> Passive exists because some firewalls (like the older ipchains) didn't
> have connection tracking.


This doesn't work with NAT. Active FTP breaks. Am I missing something?

The remote FTP server...

[root@host root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The local firewall doing NAT... (Anything with a handstamp can get in)
All outbound traffic is allowed...

iptables -A FORWARD -i $IFACE -o $TRUSTED_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

Now an active FTP connection from an internal node with IP 10.0.0.5...

gaumer@debiantosh:(~)$ ftp host.domain.net
Connected to host.domain.net.
220 ProFTPD 1.2.8 Server (XXXX FTP SERVER) [host.domain.net]
Name (host.domain.net:gaumer): jester
331 Password required for jester.
Password:
230 User jester logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful

And the connection is lost. This can be seen with snort.

Now we use passive...

gaumer@debiantosh:(~)$ ftp host.domain.net
Connected to host.domain.net.
220 ProFTPD 1.2.8 Server (XXXX FTP SERVER) [host.domain.net]
Name (host.domain.net:gaumer): jester
331 Password required for jester.
Password:
230 User jester logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (216,158,145,2,146,57).
150 Opening ASCII mode data connection for file list
drwx------  17 jester   jester       4096 Jul 28 15:05 .
drwx------  17 jester   jester       4096 Jul 28 15:05 ..
-rw-------   1 jester   jester         70 May 28 16:21 .Xauthority
etc...

So there's a server with the firewall down, and an iptables gateway that
filters on the FORWARD chain and allows anything generated locally back
in. It uses the ftp connection tracking module, yet no internal nodes can
function properly using active FTP.

Again, am I missing something here? Active FTP does not work.
 
> 
> -- 
> John L. Fjellstad
> web: http://www.fjellstad.org/          Quis custodiet ipsos custodes

Attachment: signature.asc
Description: This is a digitally signed message part
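To make the difference between the two sessions above concrete, here is an added example (not part of the original mail) that decodes the endpoints carried inside the FTP control channel: the client's PORT command in active mode and the server's 227 reply in passive mode. The 227 line is the one from the passive session above; the PORT line and the 10.0.0.5 / 216.158.145.2 addresses are constructed to match the poster's setup. It also flags the case a NAT gateway must handle: a PORT command announcing an RFC 1918 address that the remote server cannot reach unless the NAT FTP helper (ip_nat_ftp on 2.4 kernels, nf_nat_ftp later) rewrites the payload, which plain ESTABLISHED,RELATED matching in FORWARD does not do on its own.

```python
import ipaddress
import re

# Both the PORT command (client -> server) and the 227 reply (server -> client)
# carry the data-channel endpoint as six decimal fields: h1,h2,h3,h4,p1,p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$")
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def decode_hostport(groups):
    """Turn the six fields into (ip, port); the port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    for octet in (h1, h2, h3, h4):
        if octet > 255:
            raise ValueError("bad address octet")
    port = p1 * 256 + p2
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_connection(line, client_ip, server_ip):
    """Describe the data connection a control-channel line announces.

    Active (PORT): the SERVER opens a new connection to what the client announced.
    Passive (227): the CLIENT opens a new connection to what the server announced.
    Returns None for any other control line (e.g. '200 PORT command successful').
    """
    m = PORT_RE.match(line)
    if m:
        return {"mode": "active", "from": server_ip, "to": decode_hostport(m.groups())}
    m = PASV_RE.match(line)
    if m:
        return {"mode": "passive", "from": client_ip, "to": decode_hostport(m.groups())}
    return None


def nat_helper_needed(dc):
    """True when the announced endpoint is a private address: a peer on the
    public side can never reach it, so the control payload must be rewritten
    by the NAT FTP helper or the data connection silently fails."""
    return ipaddress.ip_address(dc["to"][0]).is_private


if __name__ == "__main__":
    client, server = "10.0.0.5", "216.158.145.2"  # constructed to match the mail
    for line in ("PORT 10,0,0,5,200,10",           # constructed active-mode command
                 "227 Entering Passive Mode (216,158,145,2,146,57)."):
        dc = data_connection(line, client, server)
        print(dc, "needs NAT helper:", nat_helper_needed(dc))
```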

