HiHO...
If it really was an active ftp connection, the dest. port should be 20 and not the source port, like here. IMHO it was a portscan, not ftp.
yes! But why this rule? You have to open the dest. port, not the source port:
ipchains -A input -p tcp -s ! $INTERNAL --dport 20 -j ACCEPT
or better:
ipchains -A input -p tcp -s ! $INTERNAL -d $INTERNAL 20 -j ACCEPT
that's wrong. an *active* ftp session works like this:

-> the client opens the command channel to server port 21:
   client 1023: --> server 21
-> and then the server opens the data channel from port 20 to the client:
   client 1023: <-- server 20

that's the reason why it's quite ugly to use active ftp through a packet filter. you have to allow incoming packets without the ack bit (initialising a connection) from every host on the internet to every port above 1023. and because it's not difficult to start a connection from port 20 when you've got root permissions, an attacker can open connections through your filter to every port above 1023.
I think it works! The packets are demasqueraded automatically by the kernel.
that was what i didn't know for sure. if the kernel does it, is it possible to avoid it by unloading ip_masq_ftp?
an active ftp request uses the opposite ports: 1023: -> 20, not 20 -> 1023:
see above...
ftp. but i don't think it was really a scan. it won't be possible to address a packet to an address like 192.168.x.x - it would never find its way to you. it would only be possible to scan that host from within your net, and for this your router must be hacked, and the sender address would not be from outside your network.
ip spoofing?
in that case i think the sender address should be something within the internal net and not an ip address from anywhere else?
source routing?
i think the standard kernels should be compiled with "drop source routed packets"?
I don't know the suse-firewall script, but IMHO it is no good idea to use a firewall script which you don't fully understand.
it's a script which allows a lot of configuration with variables, and due to this it creates a lot of rules, which are quite complicated to understand in a short time. that's the reason why i don't use it. but i think it's better to use this package in a quite good configuration than to use something self-made which looks more strange...

stephan
 ____________________________________________________________
|  .~.     s.martin@odn.de                                   |
|  /V\     fon    +49(0)911.2256 03                          |
| /( )\    fax    +49(0)911.2256 06                          |
| ^`~'^    mobile +49(0)173.380 43 12                        |
| pgp: http://www.xhponozon.com/keys/stephan.asc             |
|___________________________________________________________|
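The two positions in the thread, a stateless `--sport 20` rule versus letting the kernel's ip_masq_ftp helper track the data channel, in a small model. This is an added example, not code posted in the thread; $INTERNAL, the three hosts, the X11 port and the PORT command are constructed sample data, and the three filters only model what the corresponding ipchains decisions would be, ipchains itself is not run. It shows why the `--sport 20` rule also admits an attacker who binds port 20, why simply denying all inbound SYNs breaks active ftp, and what a PORT-aware helper changes.

```python
"""How a packet filter has to treat active FTP's data channel.

Added example, not code from the thread. $INTERNAL, the hosts and the PORT
command below are constructed sample data; ipchains itself is not run, the
three filters only model what its rules decide.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # stands in for $INTERNAL


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # SYN without ACK: the first packet of a connection (ipchains -y)


def from_outside(pkt: Packet) -> bool:
    """Equivalent of the '-s ! $INTERNAL' match."""
    return ipaddress.ip_address(pkt.src) not in INTERNAL


def sport20_rule(pkt: Packet) -> str:
    """ipchains -A input -p tcp -s ! $INTERNAL --sport 20 -j ACCEPT

    The only stateless way to let the server's data channel in: anything
    from outside with source port 20 is accepted, whatever the destination
    port and whether or not it starts a new connection. Root on any
    external host can bind port 20, so the same rule lets an attacker
    connect to every inbound port."""
    return "ACCEPT" if from_outside(pkt) and pkt.sport == 20 else "DENY"


def no_new_connections_rule(pkt: Packet) -> str:
    """ipchains -A input -p tcp -s ! $INTERNAL -y -j DENY

    Refuses every connection attempt from outside. Closes the hole, but the
    active FTP data channel *is* a connection attempt from outside, so the
    transfer fails."""
    return "DENY" if from_outside(pkt) and pkt.syn else "ACCEPT"


def parse_port_arg(arg: str) -> Tuple[str, int]:
    """'h1,h2,h3,h4,p1,p2' from a PORT command -> (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpAwareFilter:
    """Model of what an FTP helper such as ip_masq_ftp adds: it reads the
    PORT command on the control channel and then expects exactly that one
    data connection, from the server's port 20 to the port the client
    announced. Every other connection attempt from outside is denied."""

    def __init__(self) -> None:
        self.expected: Set[Tuple[str, int, str, int]] = set()

    def see_control_line(self, client: str, server: str, line: str) -> None:
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() != "PORT":
            return
        host, port = parse_port_arg(arg)
        # A client may only open a hole towards itself (stops FTP bounce tricks).
        if host != client or port <= 1023:
            return
        self.expected.add((server, 20, client, port))

    def filter(self, pkt: Packet) -> str:
        if not from_outside(pkt):
            return "ACCEPT"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and key not in self.expected:
            return "DENY"
        return "ACCEPT"


# Constructed traffic: a real transfer, an attacker who bound port 20, a plain probe.
FTP_SERVER, CLIENT, ATTACKER = "203.0.113.5", "192.168.1.10", "198.51.100.7"
DATA_CHANNEL = Packet(FTP_SERVER, 20, CLIENT, 1025, syn=True)
X11_FROM_PORT_20 = Packet(ATTACKER, 20, CLIENT, 6000, syn=True)
X11_FROM_HIGH_PORT = Packet(ATTACKER, 4444, CLIENT, 6000, syn=True)


def compare() -> Dict[str, Dict[str, str]]:
    """Decision of each filter for each packet."""
    helper = FtpAwareFilter()
    helper.see_control_line(CLIENT, FTP_SERVER, "PORT 192,168,1,10,4,1")  # 4*256+1 = 1025
    packets = {"ftp data": DATA_CHANNEL, "x11 from port 20": X11_FROM_PORT_20,
               "x11 from high port": X11_FROM_HIGH_PORT}
    return {
        "sport 20 rule": {n: sport20_rule(p) for n, p in packets.items()},
        "deny SYN rule": {n: no_new_connections_rule(p) for n, p in packets.items()},
        "ftp helper": {n: helper.filter(p) for n, p in packets.items()},
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:14}", decisions)
```

Running it prints one row per filter: the `--sport 20` rule accepts both the ftp data channel and the attacker's connection from port 20 to 6000, the deny-SYN rule blocks all three (ftp included), and only the PORT-aware helper accepts the announced data connection while denying the rest. The helper's check that the announced host equals the client is an assumption of this model, not something the thread discusses.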