On Wed, Sep 13, 2000 at 10:40:06AM +0200, Sebastian Heckrodt wrote:
> I'm green to ipchains and the protocols, but I think the following lines
> (which I have in my Firewall config.) should allow active and passive ftp:
>
1) > "-A output -s [$myIP] 1024: --dport 21 -p tcp -i eth0 -j ACCEPT"
2) > "-A input --sport 21 -d [$myIP] 1024: -p tcp -i eth0 -j ACCEPT ! -y"
3) > "-A output -s [$myIP] 1024: --dport 20 -p tcp -i eth0 -j ACCEPT ! -y"
4) > "-A input --sport 20 -d [$myIP] 1024: -p tcp -i eth0 -j ACCEPT"

I think this will only allow active FTP. Example:

Active:
a) Client 1024: connects to server ftp:ftp --> rule 1
b) Server ftp:ftp communicates (sends data back) with Client 1024: --> rule 2
   (no connections can be initiated from server, seems ok)
c) Server opens ftp-data to Client 1024: --> rule 4

Passive:
a+b like above
c) Server waits on 1024: for Data connection from client 1024: blocked by FW
   --> add something like

-A output -s [$myIP] 1024: -p tcp -i eth0 -j ACCEPT
-A input -d [$myIP] 1024: -p tcp -i eth0 -j ACCEPT ! -y

Your mistake is that passive connections are not made to port 20 (ftp-data) but are made to the range 1024:

But I am still wondering. Does apt use passive mode by default? I never used it.

Bernhard

--
Bernhard Rieder
[EMAIL PROTECTED]
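To make the active/passive walkthrough above concrete, here is an added example (not from the thread, and not real ipchains; it is a small bash matcher written for this page) that evaluates a TCP packet against a simplified copy of the four quoted rules, then against the same set plus the two passive-mode rules Bernhard proposes. Assumptions labelled in the code: the interface is always eth0 so it is dropped from the rule lines; "local port" means the `-s` port on `output` and the `-d` port on `input`; `! -y` is modelled as "match only packets without SYN"; the default policy of both chains is DENY; `$myIP` is a placeholder address.

```bash
#!/bin/bash
# Added example: tiny matcher for ipchains-style rules (constructed, simplified syntax).
# Rule line: <chain> <local-port-spec> <remote-port-spec> <target> <any|nosyn>
#   local port  = -s port on output, -d port on input   (assumption for this example)
#   nosyn       = the "! -y" option (rule does not match SYN packets)
# A port spec is "N" (exact) or "LO:" / "LO:HI" (range, HI defaults to 65535).

MYIP="192.0.2.10"   # placeholder for $myIP in the thread

# The four rules quoted in the post, reduced to the fields that matter here.
ORIG_RULES="
output 1024: 21 ACCEPT any
input  1024: 21 ACCEPT nosyn
output 1024: 20 ACCEPT nosyn
input  1024: 20 ACCEPT any
"

# The two rules Bernhard suggests for passive FTP (data connection client -> server high port).
PASSIVE_RULES="
output 1024: 1024: ACCEPT any
input  1024: 1024: ACCEPT nosyn
"
ALL_RULES="$ORIG_RULES$PASSIVE_RULES"

# Emit the proposed ipchains commands (not executed; ipchains is long obsolete).
passive_ftp_rules() {
  echo "ipchains -A output -s $MYIP 1024: -p tcp -i eth0 -j ACCEPT"
  echo "ipchains -A input -d $MYIP 1024: -p tcp -i eth0 -j ACCEPT ! -y"
}

# port_matches <spec> <port>  -> exit 0 if <port> is covered by <spec>
port_matches() {
  local spec=$1 port=$2 lo hi
  case $spec in
    *:*) lo=${spec%%:*}; hi=${spec#*:}; [ -z "$hi" ] && hi=65535
         [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] ;;
    *)   [ "$spec" -eq "$port" ] ;;
  esac
}

# verdict <rules> <chain> <local-port> <remote-port> <syn 0|1>
# First matching rule wins, as in ipchains; no match -> default policy DENY (assumption).
verdict() {
  local rules=$1 chain=$2 lport=$3 rport=$4 syn=$5
  local rchain rl rr target flag
  while read -r rchain rl rr target flag; do
    [ -z "$rchain" ] && continue
    [ "$rchain" = "$chain" ] || continue
    port_matches "$rl" "$lport" || continue
    port_matches "$rr" "$rport" || continue
    if [ "$flag" = nosyn ] && [ "$syn" = 1 ]; then continue; fi
    echo "$target"; return 0
  done <<EOF
$rules
EOF
  echo DENY
}

# Walk through the thread's scenarios when run directly.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "active  a) client 1025 -> server 21 (SYN):        $(verdict "$ORIG_RULES" output 1025 21 1)"
  echo "active  c) server 20 -> client 1030 (SYN):        $(verdict "$ORIG_RULES" input 1030 20 1)"
  echo "passive c) client 1040 -> server 50000, orig set: $(verdict "$ORIG_RULES" output 1040 50000 1)"
  echo "passive c) client 1040 -> server 50000, new set:  $(verdict "$ALL_RULES" output 1040 50000 1)"
  echo "remote 50000 -> local 1040 (SYN), new set:        $(verdict "$ALL_RULES" input 1040 50000 1)"
  passive_ftp_rules
fi
```

Running it reproduces Bernhard's reasoning: with the original four rules the passive data connection (client high port to server high port) is dropped, and with the two added rules it passes while an inbound SYN to a local high port is still denied by `! -y`. The matcher also makes the cost visible: the added rules open every outbound high-to-high TCP connection, not just FTP data, so on a stateless filter like ipchains the `ip_masq_ftp` style connection tracking or a later stateful firewall is the tighter answer.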