The log entry you're seeing is probably some box out on the net that's infected with sqlsnake looking for poorly secured MS-SQL servers. It has nothing to do with FTP.
-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Nelson
> Sent: Friday, May 24, 2002 4:59 PM
> To: Netfilter List (E-mail)
> Subject: RE: State not enough? Solved
>
>
> Patrick Nelson wrote:
> ----------------->>>>
> Here is the log of the input drop on wget
> ftp://ftp.rs.internic.net/domain/named.root:
>
> May 24 12:52:35 ns kernel: IN=eth1 OUT= MAC=<mac address> SRC=198.41.0.6 DST=<external nic ip> LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26231 DF PROTO=TCP SPT=20 DPT=1477 WINDOW=32120 RES=0x00 SYN URGP=0
>
> Now what's weird is I tried to go to passive ftp with the command
>
> wget --passive-ftp ftp://ftp.rs.internic.net/domain/named.root
>
> and it gets almost half the file downloaded and then I get a log entry:
>
> May 24 12:57:25 ns kernel: IN=eth1 OUT= MAC=<mac address> DST=<external nic ip> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=7106 DF PROTO=TCP SPT=4054 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Does this show me anything that I should do? I'm feeling like I don't
> understand state very well because I look at the rules above and it seems
> that they should allow this to go through. What am I missing?
> ----------------->>>>
>
> Was looking through the script and found that ip_conntrack_ftp was there but
> when I modprobed for it, well it wasn't there. So I copied it over from the
> fw mirror and tried it again and the non-passive mode did work like a charm.
> Working on the passive mode now...
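An added example, not part of the original thread: a small triage script that parses netfilter LOG lines like the two quoted above and separates a dropped active-mode FTP data connection (inbound SYN from source port 20, which the firewall only accepts as RELATED once ip_conntrack_ftp is loaded) from an unrelated probe of the MS-SQL port 1433. The function names and category labels are hypothetical, and the MAC, DST and second SRC values are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the two entries in the thread.
# MAC, DST and the second SRC are placeholder (documentation) values.
SAMPLE_LOG = """\
May 24 12:52:35 ns kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01 SRC=198.41.0.6 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26231 DF PROTO=TCP SPT=20 DPT=1477 WINDOW=32120 RES=0x00 SYN URGP=0
May 24 12:57:25 ns kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.77 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=7106 DF PROTO=TCP SPT=4054 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs; value may be empty (OUT=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_entry(line):
    """Split one netfilter LOG line into KEY=value fields plus bare TCP flags."""
    _, _, body = line.partition("kernel: ")
    fields = dict(FIELD.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields


def classify(entry):
    """Label a dropped inbound packet (hypothetical category names)."""
    if entry.get("PROTO") != "TCP" or entry["FLAGS"] != {"SYN"}:
        return "other"
    if entry.get("SPT") == "20":
        # Server-initiated data channel of active FTP: NEW without the
        # conntrack FTP helper, RELATED with it.
        return "ftp-active-data"
    if entry.get("DPT") == "1433":
        # Default MS-SQL port: an unsolicited probe, unrelated to the FTP session.
        return "mssql-probe"
    return "unsolicited-syn"


def triage(log_text):
    """Return (SRC, DPT, label) for every non-empty log line."""
    entries = (parse_entry(l) for l in log_text.splitlines() if l.strip())
    return [(e.get("SRC"), e.get("DPT"), classify(e)) for e in entries]


if __name__ == "__main__":
    for src, dpt, label in triage(SAMPLE_LOG):
        print(f"{src:>15} -> port {dpt:<5} {label}")
```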
