Mailinglist Archive: opensuse (868 mails)

Re: [opensuse] What is the currently recommended firewall settings recommended for FTP?
On 2011-04-30 21:23, Carlos E. R. wrote:
> On 2011-04-30 09:06, Per Jessen wrote:
>> Carlos E. R. wrote:
>>
>> When this has occasionally happened to me, it has always been because
>> the nf_conntrack_ftp module wasn't loaded.
>
> I forgot that one. I'll try and report back.

No... it doesn't work.

I have now "nf_conntrack_ftp" loaded on both sides, doesn't work, neither
passive nor extended passive. The data connection ports are blocked by
both firewalls.

FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"


Perhaps the firewall has to be told on what connections to apply that
module. Ah, yes, I need "FW_SERVICES_ACCEPT_RELATED_EXT".

Let me see, trying:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp"

No, doesn't work either. AH, it needs this:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp
192.168.1.0/24,tcp,ftp-data"

Both ports, both sides. Now it is working for me in passive mode, but not
in extended passive mode. It worked for an instant in both, then broke again.


Perhaps the syntax is wrong. The comment says:

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#

What is sport,dport? There is no example there for ftp :-(

I tried:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp,ftp-data"

but it does not work in any mode.



In short, I have now, on both sides:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp \
192.168.1.0/24,tcp,ftp-data"

FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"


And it only works in (plain) passive mode.



Caveat: if I try 2 minutes later, it doesn't work:

226 File send OK.
174 bytes received in 00:00 (8.26 KB/s)
ftp> dir
ftp: No control connection for command.
ftp> dir
Not connected.
ftp>

Something has too short a memory. Could be the ftp server, could be the
firewall. But I think it is a server timeout.


--
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
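An added example (not from the thread and not SuSEfirewall2's own code): a small Python checker that parses FW_SERVICES_ACCEPT_RELATED_EXT exactly as the quoted comment documents it, net,protocol[,sport[,dport]], and reports which conntrack helper each entry relies on. Run over the three values tried in the message, it shows that the single-line attempt with ftp,ftp-data is one rule with sport 21 and dport 20 rather than two services; the service-name table, helper mapping and the attempt strings are constructed here for the example.

```python
import ipaddress

# Service names as the message's config uses them, resolved the way
# /etc/services would (constructed table for this example).
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "netbios-ns": 137}
# Which conntrack helper marks traffic on these ports as RELATED.
HELPER_FOR_PORT = {21: "nf_conntrack_ftp", 20: "nf_conntrack_ftp",
                   137: "nf_conntrack_netbios_ns"}

def resolve_port(token):
    """Accept a numeric port or one of the service names above."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown port name {token!r}")

def parse_related_ext(value):
    """Split FW_SERVICES_ACCEPT_RELATED_EXT into rules using the documented
    format 'net,protocol[,sport[,dport]]'. Entries are whitespace separated;
    a backslash-newline continuation inside the quotes is folded first."""
    rules = []
    for entry in value.replace("\\\n", " ").split():
        fields = entry.split(",")
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"{entry!r}: expected net,protocol[,sport[,dport]]")
        net = ipaddress.ip_network(fields[0], strict=False)
        proto = fields[1].lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{entry!r}: protocol must be tcp or udp")
        sport = resolve_port(fields[2]) if len(fields) > 2 else None
        dport = resolve_port(fields[3]) if len(fields) > 3 else None
        rules.append({"net": str(net), "proto": proto, "sport": sport, "dport": dport})
    return rules

def missing_helpers(rules, load_modules):
    """RELATED matching only works if the helper is listed in FW_LOAD_MODULES."""
    loaded = set(load_modules.split())
    needed = {HELPER_FOR_PORT[p] for r in rules
              for p in (r["sport"], r["dport"]) if p in HELPER_FOR_PORT}
    return sorted(needed - loaded)

# The three values tried in the message (constructed from its text).
ATTEMPTS = {
    "one entry": "192.168.1.0/24,tcp,ftp",
    "two entries": "192.168.1.0/24,tcp,ftp \\\n192.168.1.0/24,tcp,ftp-data",
    "one entry, two names": "192.168.1.0/24,tcp,ftp,ftp-data",
}

if __name__ == "__main__":
    for name, value in ATTEMPTS.items():
        print(name, "->", parse_related_ext(value))
    print(missing_helpers(parse_related_ext(ATTEMPTS["two entries"]),
                          "nf_conntrack_netbios_ns"))
```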
