RE: [suse-security] SuSEfirewall2 and Active ftp
I got this working ONLY by masquerading and only from one direction (internal LAN) to the other (external LAN). The other way around will most probably only work if you have an FTP server in a DMZ.

This is my config (with masquerading):

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

I am myself using a SuSE firewall between two LANs. Another solution might be to use SuSE firewall in combination with Squid or so, but I am working on this issue myself currently.

Cheers

-----Original Message-----
From: André Sänger [mailto:Andre.Saenger@gmx.de]
Sent: Wednesday, July 16, 2003 4:46 PM
To: suse-security@suse.com
Subject: [suse-security] SuSEfirewall2 and Active ftp

Hello suse-security,

I'm still not sure how to configure SuSEfirewall2 to get active FTP working. The server is between two LANs and doing no masquerading.

From the config:

FW_FORWARD="[...] \
myip,ftpserverip,tcp,21 \
myip,ftpserverip,tcp,20"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

Now if I try to establish a connection I get a connect, but when trying to list the FTP directory the FTP client hangs. The firewall log says:

Jul 16 16:13:51 [firewallmachine] kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=[ftpserverip] DST=[myip] LEN=60 TOS=0x08 PREC=0x00 TTL=62 ID=46457 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A16229CFF0000000001030300)

What else is needed to get active FTP working through SuSEfirewall2? If I insert a rule like

$IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -d $quelle -s $ziel -p tcp --sport 20

in SuSEfirewall2-custom, active FTP works again, but I don't think that's the proper way? There has to be something in /etc/sysconfig/SuSEfirewall2 I'm missing.
The firewall machine is running SuSE 8.2 Professional, kernel 2.4.20-4GB-athlon.

--
Kind regards,
André Sänger
mailto:Andre.Saenger@gmx.de

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
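The log line quoted above is the characteristic trace of the active-FTP data channel being refused: the server opens a new TCP connection from source port 20 to the client's high port (DPT=1137), and because nothing marked that SYN as RELATED to the port-21 control session, it fell through to the default DROP rule. The following added example (not code from the thread or from SuSEfirewall2) parses netfilter-style `SuSE-FW-DROP-DEFAULT` lines and flags exactly that pattern, so an operator can tell from the log alone whether the FTP connection-tracking helper is doing its job. The sample log lines are constructed for the example and use documentation addresses rather than the poster's hosts; the function names are the example's own.

```python
"""Flag dropped active-mode FTP data SYNs in SuSEfirewall2 / netfilter kernel logs.

Added example, not part of the original thread. The sample lines below are
constructed (RFC 5737 documentation addresses), modelled on the line quoted
in the mailing-list post.
"""
import re

# Constructed sample log: line 1 is the active-FTP data SYN (server port 20 ->
# client high port), line 2 a follow-up ACK from the same server, line 3 an
# unrelated SYN to port 445, line 4 a UDP DNS packet.
SAMPLE_LOG = """\
Jul 16 16:13:51 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x08 PREC=0x00 TTL=62 ID=46457 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A16229CFF0000000001030300)
Jul 16 16:13:52 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=46458 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 16 16:14:03 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=4321 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 16 16:14:10 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=77 DF PROTO=UDP SPT=1024 DPT=53 LEN=40
"""

# syslog timestamp, host, "kernel:", the SuSEfirewall2 log prefix, then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>SuSE-FW-\S+) (?P<rest>.*)$"
)

EPHEMERAL_MIN = 1024  # client-side data ports in active FTP are unprivileged


def parse_fw_line(line):
    """Return a dict of the packet fields, or None if the line is not a firewall log line.

    KEY=VALUE tokens become dict entries; bare tokens (DF, SYN, ACK, ...) go into
    the 'flags' set. The TCP options hex dump after OPT is skipped. Note that for
    UDP the second LEN= (datagram length) overwrites the IP LEN=, which is fine here.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok == "OPT" or tok.startswith("("):
            continue
        else:
            rec["flags"].add(tok)
    return rec


def is_active_ftp_data_syn(rec):
    """True when the dropped packet is the server opening an active-mode FTP
    data connection: TCP from source port 20, SYN without ACK, to a high port.
    If such packets hit the default DROP, the FTP conntrack helper did not
    classify them as RELATED to the port-21 control session."""
    if rec is None or rec.get("PROTO") != "TCP":
        return False
    try:
        sport, dport = int(rec["SPT"]), int(rec["DPT"])
    except (KeyError, ValueError):
        return False
    flags = rec["flags"]
    return sport == 20 and dport >= EPHEMERAL_MIN and "SYN" in flags and "ACK" not in flags


def summarize(log_text):
    """Parse a whole log and collect the dropped active-FTP data SYNs."""
    result = {"parsed": 0, "unparsed": 0, "ftp_data_syn": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_fw_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        result["parsed"] += 1
        if is_active_ftp_data_syn(rec):
            result["ftp_data_syn"].append(
                (rec["SRC"], rec["DST"], int(rec["DPT"]), rec["IN"], rec["OUT"]))
    return result


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"parsed {summary['parsed']} lines, {summary['unparsed']} unparsed")
    for src, dst, dport, ifin, ifout in summary["ftp_data_syn"]:
        print(f"active-FTP data SYN dropped: {src}:20 -> {dst}:{dport} "
              f"({ifin} -> {ifout}); control session on port 21 not tracked as RELATED")
```

Run against a real `/var/log/messages`, a non-empty `ftp_data_syn` list means the FORWARD path is not accepting RELATED traffic for the FTP control sessions it sees, which is the condition the poster's custom `--state ESTABLISHED,RELATED --sport 20` rule papers over; the durable fix is to make sure the FTP connection-tracking helper is loaded and that the forward rules for port 21 let the helper's RELATED data connections through, rather than opening source port 20 wholesale.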
Hello Knut,

Wednesday, July 16, 2003, 5:07:27 PM, you wrote:

> I got this working ONLY by masquerading and only from one direction (internal LAN) to the other (external LAN). The other way around will most probably only work if you have an FTP server in a DMZ.
OK, but this would mean for the FTP server that all incoming connections would originate from the firewall machine, so I can't configure it to only allow connections from some special IP addresses in the internal LAN, right?

--
Best regards,
André
mailto:Andre.Saenger@gmx.de
Participants (2): André Sänger, Knut Erik Hauslo