Eric Gaumer wrote:
On Fri, 2004-08-13 at 09:20, Clement wrote:
And I cannot do ftp. All the data mode traffic of FTP is blocked. Apparently the ESTABLISHED,RELATED specification is not followed. The module ipt_state is there and executing the above does not show any error message. I have tried "modprobe ipt_state" before the above to no success. Any idea?

You have to use passive FTP for connection tracking to work. If you use
active then the connection tracking module won't be able to follow the
connection.
My firewall is a Powermac running Woody plus shorewall.
[EMAIL PROTECTED]:~$ ftp ftp.wa.au.debian.org
Connected to ftp.wa.au.debian.org.
220 ProFTPD 1.2.9 Server (Informed Technology FTP Server) [poledra.it.net.au]
<snip excess commentary>
230-
230 Anonymous access granted, restrictions apply.
bin
200 Type set to I
prompt
Interactive mode off.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pas
Passive mode on.
ftp> pas
Passive mode off.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx 1 ftpadm staff 20 Dec 24 2003 debian -> mirrors/linux/debian
lrwxrwxrwx 1 ftpadm staff 27 Dec 24 2003 debian-non-US -> mirrors/linux/debian-non-US
lrwxrwxrwx 1 ftpadm staff 24 Dec 24 2003 debian-www -> mirrors/linux/debian-www
drwx------ 2 root system 16384 Dec 24 2003 lost+found
-rw-r--r-- 1 ftpadm staff 56004951 Aug 14 02:12 ls-lR
-rw-r--r-- 1 ftpadm staff 7040958 Aug 14 02:12 ls-lR.gz
-rw-r--r-- 1 ftpadm staff 467421 Aug 14 02:14 ls-lR.patch.gz
-rw-r--r-- 1 ftpadm staff 22 Aug 14 02:14 ls-lR.times
drwxr-xr-x 12 ftpadm staff 4096 May 24 05:00 mirrors
drwxr-xr-x 3 ftpadm staff 4096 Feb 27 05:47 pub
-rw-r--r-- 1 ftpadm staff 16 May 5 2003 timezone
drwxr-xr-x 4 root system 4096 Jul 20 08:04 tmp
-rw-r--r-- 1 root system 717 Dec 25 2003 welcome.msg
226 Transfer complete.
ftp>
As you can see, I do not need to use passive ftp. I've always thought that's what connection tracking's for.
Here are my shorewall rules:

fw:/etc/shorewall# grep -v ^# rules
ACCEPT coco2 loc all
ACCEPT loc coco2 all
ACCEPT coco2 $FW all
ACCEPT $FW coco2 all
ACCEPT $FW net udp 5000,5001
ACCEPT loc net udp 5000,5001
ACCEPT $FW net:203.34.16.107 4
ACCEPT net:203.34.16.107 $FW 4
ACCEPT loc $FW tcp ssh,www,443,smtp,110
ACCEPT net $FW tcp ssh,www,443,smtp
ACCEPT $FW net tcp ssh
ACCEPT loc net tcp 110
ACCEPT loc $FW tcp 110
ACCEPT $FW net tcp www,ftp,smtp,time,110
ACCEPT $FW loc tcp smtp
ACCEPT $FW net udp ntp
ACCEPT $FW loc tcp 37
ACCEPT $FW loc udp syslog
--
Cheers John
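Eric's point about connection tracking and John's active-mode session above both turn on what a stateful firewall can learn from the FTP control channel. The Python below is an added example, not code from this thread or from shorewall: it reads a constructed control-channel transcript (the client address 192.168.1.10, server address 198.51.100.7 and the PORT/227 lines are all constructed, since the ftp client does not echo them) and lists the data connections the firewall's FTP helper would have to expect, rejecting a PORT that names an address other than the control-connection client.

```python
import re

# Constructed control-channel transcript modelled on the session in the mail.
# A real ftp client does not echo PORT or the 227 reply, so they are added
# here; C> is client to server, S> is server to client.
TRANSCRIPT = """\
C> PORT 192,168,1,10,4,1
S> 200 PORT command successful
C> LIST
S> 150 Opening ASCII mode data connection for file list
S> 226 Transfer complete.
C> PASV
S> 227 Entering Passive Mode (198,51,100,7,195,80).
C> PORT 10,0,0,5,0,21
S> 500 Illegal PORT command"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227; None if malformed."""
    m = HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    port = nums[4] * 256 + nums[5]
    if any(n > 255 for n in nums) or port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port

def expected_data_connections(transcript, client_ip, server_ip):
    """Return, in order, the data connections a stateful firewall must expect as
    (mode, src_ip, dst_ip, dst_port); a PORT naming a third party is 'rejected'."""
    expectations = []
    for line in transcript.splitlines():
        who, _, msg = line.partition("> ")
        if who == "C" and msg.upper().startswith("PORT "):
            hp = parse_hostport(msg)
            if hp is None or hp[0] != client_ip:
                expectations.append(("rejected", None, None, None))
            else:
                # Active mode: the server opens the data connection inbound to the client.
                expectations.append(("active", server_ip, hp[0], hp[1]))
        elif who == "S" and msg.startswith("227 "):
            hp = parse_hostport(msg)
            if hp is not None:
                # Passive mode: the client opens the data connection outbound.
                expectations.append(("passive", client_ip, hp[0], hp[1]))
    return expectations
```

Only the "active" entries need an inbound SYN admitted as RELATED, which is the case the ftp helper exists for; the "passive" entry is an ordinary outbound connection that an ESTABLISHED,RELATED rule plus an outbound ACCEPT already covers.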