RE: [suse-security] probs with ftp-masquerading
Okay,

I've now learned a lot of security-wisdom and that the SuSE-firewall 2 is a damned good tool (something I already knew). But my problem is still unsolved. For some reason ftp-masquerading doesn't work. I tried what Ralf recommended, but the two iptables-commands didn't have any result (okay, maybe they had, but they didn't enable ftp-masquerading). I also looked for the modules ip_conntrack_ftp and ip_nat_ftp as GertJan told me. I had no luck finding the first one anywhere on my system although the FW-package is installed. The second one is there and I did an insmod, but this also didn't solve the problem.

Ah yes, Lars pointed me to an error I made. Of course I didn't install my system from the crab, but from the scratch. Funny to imagine a crab with SuSE-Linux tied on the back :-)

To Roman: Of course you are right, but as I already mentioned, I have to live with DAUs in my LAN, and it's hard enough to have my phone actually ringing like hell because this damn ftp doesn't work. By now I only answer "I'm working on it and I'll send a message to all users when it's working again..."; but to imagine having to explain to all users what FTP-passive-mode is and how and why it must be used, is as hard as to imagine that my mother-in-law is going to stay for more than one week (one week is bad enough, but more will ruin my nerves *sigh*). I really don't know which one I would prefer if I had only these two choices...

Anyway, could someone help me in solving my problem? I'm sure out there on this list are lots of iptables-freaks knowing nearly all tricks one can do with it and it should be no big problem for them to find out how to enable this ftp-masquerading.

Thanks in advance
Stephan
I got a similar problem last time. Found out that I had to let through port "ftp-data" as well as "ftp".
I think they are ports 21 and 22 respectively. My original firewall config only let thru port "ftp", that's why I could connect to an ftp server, but could not get a dir listing.

azman
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi,

what do you think about proxy-suite from SuSE?

Ciao ;-)
Robert

Azman Salleh wrote:
I got a similar problem last time. Found out that I had to let through port "ftp-data" as well as "ftp". I think they are ports 21 and 22 respectively. My original firewall config only let thru port "ftp", that's why I could connect to an ftp server, but could not get a dir listing.
azman
Hi again,

I now found out that the problem seems to be in masquerading. I tried to connect via DOS-ftp and now get an error message I can understand. The remote server tells "Illegal PORT command" and "Connection refused". It seems as if my router doesn't masquerade ftp-connections correctly and tells PORT 192.168.0.xxx.xx.xx and of course this can't work. Maybe this is the cause? How do I enable the masquerading also for ftp?

Thanks in advance
Stephan
participants (3)
- Azman Salleh
- OKDesign oHG Security Administrator
- Robert Rottscholl