Hello, my firewall is currently set up to do ip-masquerading only and everything works fine but ftp. I can connect to a remote host but every ftp-command leads to an error: illegal protocol

What do I have to do to get rid of this?

Kind regards
Thom

--
Success is like a fart - only your own smells nice. -- James P. Hogan
bye bye (c) by Thom | Thorsten Marquardt | EMail: THOM@kaupp.chemie.uni-oldenburg.de | Member of the pzt project. | http://www.pzt.de
On Fri, 14 Jan 2000, Thorsten Marquardt wrote:

> Hello, my firewall is currently set up to do ip-masquerading only and everything works fine but ftp. I can connect to a remote host but every ftp-command leads to an error: illegal protocol
>
> What do I have to do to get rid of this?

root # insmod ip_masq_ftp

should do the trick. The ftp mod has to be loaded for ftp to work on masq'ed boxes.

[Note: Used on an ipfwadm box (2.0.34, SuSE 5.2), but the module is still present on my desktop (2.2.11-4, Indy 6.0-0.8) box, so I assume it is still required for 2.2* kernels.]

HTH,
David

--
David Webster | cognite.net | Project Independence Linux, Security: cog@seul.org | cogito, ergo sum | http://independence.seul.org/security/
Our moral progression cannot begin until we have independence
> Date: Sat, 15 Jan 2000 13:25:32 +0000 (GMT)
> From: cogNiTioN
> X-COPYRIGHT: (C) Copyright 1999 cogNiTioN where applicable. No part of
> X-COPYRIGHT2: this message may be reproduced without prior permission.
> ...
> root # insmod ip_masq_ftp
>
> should do the trick. The ftp mod has to be loaded for ftp to work on masq'ed boxes.
>
> [Note: Used on an ipfwadm box (2.0.34, SuSE 5.2), but the module is still present on my desktop (2.2.11-4, Indy 6.0-0.8) box, so I assume it is still required for 2.2* kernels.]
> ...

-- re-cognition --

I take the freedom to understand your posting to this list as general permission for reproducing the above globally distributed message partially or in full. B.T.W. Is there any law that forces me to read/follow non-standard mail-headers?

--

There is nothing wrong with the answer on 'ftp across firewall (ipchain)'. But as an add-on: the need to use the 'ip_masq_ftp' module is not as closely related to the version of the linux kernel as you may think. There are some ftp specials.

The problem in filtering or masquerading with ftp is that the protocol relies on two parts: ftp-data (tcp-port 20) and ftp-control (tcp-port 21). In addition to that there are _active mode_ and _passive mode_ ftp-connections.

ftp-filtering:
a) Web-browsers default to passive mode; the client makes every data connection to the server, even for incoming data.
b) Classic ftp uses active mode; the remote server opens a tcp connection from port 20 to send ftp-data to the requesting client. You should allow packets with SYN here.
Both in a) + b) you need ftp-data (tcp-port 20) and ftp-control (tcp-port 21).

ftp-masquerading:
As ftp uses two channels called ftp-control and ftp-data for each single session, these two flows need special handling in masquerading. All packets from both channels have to be redirected correctly to allow ftp with masquerading. This is where the need to install the above mentioned module 'ip_masq_ftp' comes from.

Have a closer look into the 'Linux IP-Chains HOWTO' authored by Paul Russell. It's very worth reading.

---------------------------------
WATCH FOR THE 2000 EICAR Annual Conference in Brussels, March 4th-7th, 2000. http://www.eicar.dk/
eicar-online: http://www.eicar.org/
---------------------------------
Hans von Sommerfeld, Freelance IT-Consultant
snoopy@redbaron.bir.uunet.de
Tel.: +49 30 65470891 Fax:+49 30 65470892
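Added illustration (not part of the thread, and not the kernel module's code) of the two-channel problem Hans describes: in active mode the client's PORT command carries its own private address inside the control channel, so a masquerading box must rewrite it and expect the server's data connection from port 20; in passive mode the 227 reply only tells the client where to connect outward, which plain masquerading already handles. The addresses and ports are constructed sample values.

```python
import re

# FTP encodes an address as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_port_command(line, masq_ip, masq_port):
    """Active mode: the client announces its *private* address in PORT.
    Without an ftp-aware masquerader the remote server would try to open
    the data connection (from tcp port 20) to that private address and fail.
    Returns the rewritten control line and the mapping the masquerading box
    must keep so the server's inbound SYN can be forwarded to the client."""
    m = PORT_RE.match(line)
    if not m:
        return line, None  # not a PORT command; nothing to do
    priv_ip, priv_port = decode_hostport(m.groups())
    mapping = {
        "client": (priv_ip, priv_port),          # where data really goes
        "public": (masq_ip, masq_port),          # what the server now sees
        "expect_inbound": {"src_port": 20, "dst": (masq_ip, masq_port)},
    }
    return f"PORT {encode_hostport(masq_ip, masq_port)}", mapping


def parse_pasv_reply(line):
    """Passive mode: the server's 227 reply names the address the client
    must connect *to*. The data connection is outbound from the client, so
    ordinary masquerading covers it and no rewriting is needed."""
    m = PASV_RE.match(line)
    return decode_hostport(m.groups()) if m else None


if __name__ == "__main__":
    # Constructed sample: private client 192.168.1.10 behind masq box 203.0.113.5.
    print(rewrite_port_command("PORT 192,168,1,10,4,1", "203.0.113.5", 61000))
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80)"))
```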