Mailinglist Archive: opensuse-security (575 mails)

RE: [suse-security] ftp from internal to DMZ
  • From: mailinglists@xxxxxxxxx
  • Date: Tue, 5 Nov 2002 18:01:01 +0100
  • Message-id: <31347F3CE518D6118ACB00A0246AD0560B2437@xxxxxxxxxxxx>

Hi

> Hi, I have a firewall setup with EXT, DMZ and internal network. The DMZ
> houses a webserver and ftp server. I can access the webserver and ftp
> server from the internet but only the web server from internal. The ftp
> server authenticates but can't open return ports back to internal. My
> current setup on FW_FORWARD is like this:
>
> FW_FORWARD="192.168.1.0/24,192.168.2.2,tcp,80
> 192.168.1.0/24,192.168.2.2,tcp,21"
>
> I have tried various other settings and I even tried adding
>
> 192.168.2.2,192.168.1.0/24,tcp
>
> to allow the return traffic on any port but I can't get it to work. How
> can I get this to work?

ftp is a bit of a tricky protocol.

I don't know about the SuSE firewall, I can just give you general tips. I hope
they will help.
You must distinguish between active ftp and passive ftp. Since you're running
iptables (the SuSE firewall uses iptables) you probably will be using passive
ftp. In that case you should open at least these ports:

from LAN -> DMZ
  src port   dst port   iptables match -m
  1024:      21         -m --state NEW,ESTABLISHED
  1024:      all        -m --state ESTABLISHED,RELATED

from DMZ -> LAN
  src port   dst port   iptables match -m
  21         1024:      -m --state ESTABLISHED
  all        1024:      -m --state ESTABLISHED

The iptables target of course is always -j ACCEPT.
Port 21 is the ftp control port. Port 20 usually is the ftp-data port. Using passive
ftp, the data port is negotiated between the ftp server and the client. Thus, the
ftp data src port can be above 1024.


HTH
Philipp
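The passive-ftp rule set Philipp sketches above, as an added example that is not part of the original mail: a shell function that prints the iptables FORWARD rules for the addresses from the question (192.168.1.0/24 as LAN, 192.168.2.2 as the DMZ ftp server). It assumes traffic crosses the firewall through the FORWARD chain, that the `-m state` match is available, and that the kernel ftp connection-tracking helper is present (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on the 2.4 kernels of 2002); the raw-table CT rule is only needed on kernels from 4.7 on, where automatic helper assignment is off by default.

```shell
#!/bin/sh
# Added example, not the SuSE firewall's own code: print (do not apply)
# the FORWARD rules for passive ftp from an internal LAN to a DMZ server.
# The conntrack helper watches the PASV exchange on port 21 and marks the
# negotiated data connection as RELATED, so no fixed port range is needed.
ftp_forward_rules() {
    lan="$1"   # internal network, e.g. 192.168.1.0/24 (from the question)
    ftp="$2"   # DMZ ftp server, e.g. 192.168.2.2 (from the question)
    cat <<EOF
# Load the ftp helper (ip_conntrack_ftp on 2.4 kernels; assumption: modern name)
modprobe nf_conntrack_ftp
# Kernels >= 4.7 no longer attach helpers automatically: bind it explicitly
iptables -t raw -A PREROUTING -s $lan -d $ftp -p tcp --dport 21 -j CT --helper ftp
# LAN -> DMZ: control channel, new and ongoing
iptables -A FORWARD -s $lan -d $ftp -p tcp --sport 1024: --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# LAN -> DMZ: passive data channel; first SYN is RELATED (helper expectation),
# the rest ESTABLISHED. Passive data ports are unprivileged, hence 1024:
iptables -A FORWARD -s $lan -d $ftp -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ -> LAN: replies only; nothing NEW may originate in the DMZ
iptables -A FORWARD -s $ftp -d $lan -p tcp --sport 21 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $ftp -d $lan -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Usage: ftp_forward_rules.sh <lan-cidr> <ftp-server>  (pipe into sh to apply)
if [ $# -eq 2 ]; then
    ftp_forward_rules "$1" "$2"
fi
```

Because the DMZ side only ever sees ESTABLISHED, a compromised ftp server cannot open new connections into the LAN; check with `iptables -L FORWARD -v -n` that the RELATED counter rises during a passive directory listing.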
