Why is there no MASQing involved?
I'm not 100% sure on those rules. Please verify my descriptions below...
> -----Original Message-----
> From: Mikkel L. Ellertson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 19, 2001 7:07 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: FTP Through Firewall
>
>
> On Mon, 19 Feb 2001, Tanner, Robby wrote:
>
> > I am using IPCHAINS and IPMASQ to provide internet access to our
> > LAN. I am sure you've all seen THIS before. The Windows FTP clients are
> > having a difficult time retrieving the folder listing. I have the
> > ip_masq_ftp loaded but I am still getting the following log messages:
> >
> [snip]
> >
> > My understanding so far is that the FTP server is trying to create an
> > inbound connection to my LAN address which it should not be requesting.
> > Clearly, the MASQing is not taking place, although it should be as far as I
> > can tell. The 204.112.*.* is my LAN address.
> >
> > How can I get FTP through my firewall? Is the client simply misconfigured?
> > I am using WS_FTP LE.
> >
> > Regards,
> > Rob
> >
> A good starting point would be "modprobe ip_masq_ftp". Then you may want
> to make sure you have firewall rules like this:
>
> IPADDR=<internet address of your firewall>
> EXTERNAL_INTERFACE=<interface connected to the internet: eth0, eth1, or ppp0>
> UNPRIVPORTS="1024:65535"
>
> # FTP client (21)
> # ---------------
>
> # outgoing request
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 21 -j ACCEPT
>
Why would I include an output rule? My default is to ACCEPT; should I
change that?
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 21 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
I accept packets on my internet card that are not connection requests and
are coming from port 21 bound for my internet card anywhere in the range
1024:65535 (right?).
> # PORT mode data channel
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port 20 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
Accept tcp packets (even connection requests?) to my internet card, from any
server:port 20 that are bound for my internet address anywhere in the port
range 1024:65535.
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 20 -j ACCEPT
Send packets out the internet card that are not connection requests, from my
internet address (1024:65535), bound for port 20.
> Mikkel
> --
>
> Do not meddle in the affairs of dragons,
> for you are crunchy and taste good with ketchup.
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>
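The complete rule set behind the exchange above, as an added example that is not code from Mikkel's message, from Rob, or from Red Hat. The quoted rules only cover the firewall's own external interface; masquerading itself needs a MASQ target on the forward chain, which is what actually rewrites the LAN addresses, so that rule is included here. The firewall address (198.51.100.1), interface (eth0) and LAN network (192.168.1.0/24) are assumed placeholders; the DRY_RUN wrapper and the ftp_client_rules function are this example's own scaffolding, not part of ipchains.

```shell
#!/bin/sh
# Added example, not code from the thread: the complete ipchains rule set for a
# LAN running an active-mode (PORT) FTP client through an IPMASQ gateway.
# DRY_RUN=1 (the default) prints the commands so the rule set can be reviewed
# on any machine; DRY_RUN=0 executes them on a 2.2-era ipchains kernel.

# Assumed values (placeholders for this example), replace with your own.
IPADDR="${IPADDR:-198.51.100.1}"                    # external address of the firewall
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"    # interface facing the internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"                # network to masquerade
UNPRIVPORTS="1024:65535"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_client_rules() {
    # 1. Turn masquerading on: enable forwarding, load the FTP helper that
    #    rewrites the address inside the client's PORT command, and masquerade
    #    everything from the LAN leaving on the external interface.  On the
    #    forward chain -i names the outgoing interface.  Without this MASQ
    #    rule no address rewriting happens at all, whatever ip_masq_ftp does.
    run sysctl -w net.ipv4.ip_forward=1
    run modprobe ip_masq_ftp
    run ipchains -A forward -i "$EXTERNAL_INTERFACE" -s "$LAN_NET" -j MASQ

    # 2. Control channel (client -> server port 21).  The output rule matters
    #    only when the output chain's policy is DENY or REJECT; with a policy
    #    of ACCEPT it is redundant but harmless.
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$IPADDR" "$UNPRIVPORTS" --destination-port 21 -j ACCEPT
    #    Replies come back from port 21.  "! -y" means "not a SYN-only packet",
    #    so the server can answer but cannot open a new connection to us.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        --source-port 21 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    # 3. PORT-mode data channel.  The server opens this connection itself,
    #    from port 20, to the address and port that ip_masq_ftp wrote into the
    #    rewritten PORT command: the firewall's address and a masquerade port
    #    (61000-65096 by default, inside UNPRIVPORTS).  That is why this input
    #    rule has no "! -y": the SYN must be allowed in.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
        --source-port 20 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$IPADDR" "$UNPRIVPORTS" --destination-port 20 -j ACCEPT
}

# Checks after applying for real: "ipchains -L -n -v" shows the rules and
# their packet counters, "lsmod | grep ip_masq_ftp" confirms the helper is
# loaded, and "cat /proc/net/ip_masquerade" lists the rewritten sessions
# while a transfer is running.
ftp_client_rules
```

Note the trade-off in step 3: that input rule accepts any inbound SYN whose source port is 20 to any unprivileged port on the firewall, which is the classic weakness of active-mode FTP rules. Switching the client to PASV mode keeps every connection outbound from the LAN, so no inbound SYN rule is needed at all.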