All right, hello again. I have found chapter 11 in the /etc/sysconfig/SuSEfirewall2 config file:

# 11.)
# How is access allowed to high (unpriviliged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXT_UDP ...).
# Please note that with v2.1 "yes" is not mandatory for active FTP from
# the firewall anymore.
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
# if not set
#
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
#FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

I have added the FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" line, and now it works all right... I wonder why the behaviour of a squid FTP connection is different from a direct FTP client connection on the squid/suse8 box itself... I guess I am not into the details of the related-connections stuff...

Thanks anyways,
Andy

----- Original Message -----
From: "Andreas Bittner" <bittner@stud.fh-heilbronn.de>
To: <suse-security@suse.com>
Sent: Saturday, September 07, 2002 11:24 PM
Subject: [suse-security] cant do ftp through squid (susefirewall2 problem with high ports??)

Hello all,

I don't know how to make susefirewall2 work on a suse8 box running squid when trying to ftp with the squid proxy.
These are my logs, for example:

Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:08 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=58314 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

It seems that my connection from the susefirewall2/squid box to the FTP server outside (here ftp.asuscom.de) gets replied to on a high port 10260 on my box for the data connection (port 20)... What are the proper settings for susefirewall2 to accept this connection (it's actually a related connection, isn't it)? Why doesn't susefirewall/conntrack_ftp or something catch/accept this when the squid is trying to access FTP servers on the inet?

I can ftp directly without the squid from the inside LAN without any problems, and an FTP client directly on the suse8/squid box can also ftp without problems. Only the squid, when it wants to connect to FTP sites, comes up with these errors and won't connect.... What am I doing wrong? Does my squid need reconfiguring?

Thanks for any help.

Cheers,
Andy

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
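As an added example (not part of the thread), a small Python parser for the SuSE-FW-DROP-DEFAULT kernel log lines quoted above that singles out dropped SYNs from source port 20 to high ports, i.e. the active-FTP data callbacks the original post asks about, and keeps them apart from other drops that merely carry source port 20. The sample log is constructed: its first two lines mirror the quoted drops, the rest are made up to exercise the negative cases.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 mirror the drops quoted in the thread (DST masked as
# in the original); lines 3-5 are made up so the detector has non-FTP drops to ignore.
SAMPLE_LOG = """\
Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:05 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=XXX.X.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=TCP SPT=20 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 7 23:18:07 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=XXX.X.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=TCP SPT=54321 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 7 23:18:09 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=4 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 ACK URGP=0
"""

LOG_RE = re.compile(r"kernel: (?P<chain>SuSE-FW-\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
UNPRIV_MIN = 1024  # "high ports" in the SuSEfirewall2 sense (above 1023)

def parse_line(line):
    """Split one iptables LOG line into its KEY=value fields plus a set of flag tokens."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {"CHAIN": m.group("chain")}
    fields.update(KV_RE.findall(rest))          # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    fields["FLAGS"] = {tok for tok in rest.split() if tok in FLAG_TOKENS}
    return fields

def classify(fields):
    """Label a dropped inbound TCP SYN; None for anything that is not a dropped SYN."""
    if fields is None or "DROP" not in fields["CHAIN"] or fields.get("PROTO") != "TCP":
        return None
    if "SYN" not in fields["FLAGS"] or "ACK" in fields["FLAGS"]:
        return None
    sport, dport = int(fields["SPT"]), int(fields["DPT"])
    if sport == 20:  # FTP server data channel (ftp-data) opening the connection itself
        return "active-ftp-data" if dport >= UNPRIV_MIN else "port20-to-privileged-port"
    return "other-drop"

def summarize(log_text):
    """Count dropped SYNs per label and the (server, callback port) pairs of FTP data drops."""
    counts, callbacks = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        kind = classify(fields)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "active-ftp-data":
            callbacks[(fields["SRC"], int(fields["DPT"]))] += 1
    return counts, callbacks
```

Repeated active-ftp-data hits for one server and callback port, as in the quoted log, point at the data channel of a PORT-mode transfer being refused; the conntrack FTP helper (RELATED state) is the narrower fix than a blanket allow keyed on source port 20, which the config comment itself notes is easy to circumvent.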