[opensuse-security] SuSEfirewall2 on an FTP server
Hello,

I have problems setting up SuSEfirewall2 on a server with openSUSE 11.0 and vsftpd running. The problem is that I didn't find out the correct configuration for FTP - I can log in using an FTP client, but when I try to upload files or request a directory listing, I clash with the firewall :-(

/var/log/firewall reports:

Nov 5 15:18:22 server kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41696 DF PROTO=TCP SPT=56320 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008693000000000020405B401030306)
Nov 5 15:18:26 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24251 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A00086D3900000000020405B401030306)
Nov 5 15:18:29 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24252 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008702700000000020405B401030306)
Nov 5 15:18:35 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=... DST=... LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24253 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008760300000000020405B401030306)

(SRC is always the FTP client, DST is always the server)

Firewall settings:

# grep '^[^#]' /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="any eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl courier-imap courier-imap-ssl postfix vsftpd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="ip_conntrack_ftp"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""

Settings that are dropped in via FW_CONFIGURATIONS_EXT:

# grep '^[^#]' apache2 apache2-ssl courier-imap courier-imap-ssl \
    postfix vsftpd
apache2:TCP="http"
apache2:UDP="http"
apache2:RPC=""
apache2:IP=""
apache2:BROADCAST=""
apache2-ssl:TCP="https"
apache2-ssl:UDP="https"
apache2-ssl:RPC=""
apache2-ssl:IP=""
apache2-ssl:BROADCAST=""
courier-imap:TCP="imap pop3"
courier-imap:UDP=""
courier-imap:RPC=""
courier-imap:IP=""
courier-imap:BROADCAST=""
courier-imap-ssl:TCP="imaps pop3s"
courier-imap-ssl:UDP=""
courier-imap-ssl:RPC=""
courier-imap-ssl:IP=""
courier-imap-ssl:BROADCAST=""
postfix:TCP="25 465"
postfix:UDP=""
postfix:RPC=""
postfix:IP=""
postfix:BROADCAST=""
vsftpd:TCP="ftp ftp-data"
vsftpd:UDP="ftp-data"
vsftpd:RPC=""
vsftpd:IP=""
vsftpd:BROADCAST=""

# lsmod |grep conn
nf_conntrack_ipv6      36424  0
nf_conntrack_ftp       27320  0
nf_conntrack_ipv4      29576  3 iptable_nat,nf_nat
nf_conntrack           91536  6 nf_conntrack_ipv6,xt_state,iptable_nat,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4
ipv6                  331544  31 ip6t_REJECT,nf_conntrack_ipv6,ip6table_mangle

What do I have to change in my configuration to allow FTP through the firewall?

Regards,

Christian Boltz
--
[GMX] According to the Heise news ticker they are doing a migration of some data holdings ... Migration? From /dev/hda to /dev/null?
[> Jan Trippler and Ratti in suse-linux]
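As an added example (not from the original post and not part of SuSEfirewall2), a small triage script for the pattern visible in the log above: a client's control connection to port 21 is accepted, then SYNs from the same client to an unprivileged port on the server are dropped by the default rule, which is consistent with a passive-mode data channel that the firewall does not recognise as RELATED. The embedded sample lines are constructed in the SFW2 format with placeholder addresses; the correlation window of 60 seconds is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the SFW2 log format; addresses are placeholders.
# The last line is a drop from a client that never opened a control
# connection, so it must not be reported as a blocked FTP data channel.
SAMPLE_LOG = """\
Nov 5 15:18:22 server kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41696 DF PROTO=TCP SPT=56320 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008693000000000020405B401030306)
Nov 5 15:18:26 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24251 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A00086D3900000000020405B401030306)
Nov 5 15:18:29 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24252 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008702700000000020405B401030306)
Nov 5 15:18:35 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=24253 DF PROTO=TCP SPT=46127 DPT=35967 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0402080A0008760300000000020405B401030306)
"""

# syslog timestamp, host, "kernel:", SFW2 rule tag, then the key=value fields
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (SFW2-\S+) (.*)$")


def parse_line(line):
    """Split one SFW2 log line into a dict of its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, tag, rest = m.groups()
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))  # tokens such as OPT(...) are ignored
    return {"ts": stamp, "tag": tag, **fields}


def find_blocked_ftp_data(log_text, window=60, ctrl_port=21):
    """Map (client, server_port) -> number of dropped SYNs to an unprivileged port
    that followed an accepted control connection from that client within `window` seconds."""
    ctrl_seen = {}                 # client -> time of last accepted SYN to the control port
    findings = defaultdict(int)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e.get("PROTO") != "TCP" or "SRC" not in e or "DPT" not in e:
            continue
        ts = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # syslog has no year; same-day ordering suffices
        src, dpt = e["SRC"], int(e["DPT"])
        if e["tag"].endswith("-ACC-TCP") and dpt == ctrl_port:
            ctrl_seen[src] = ts
        elif "DROP" in e["tag"] and dpt >= 1024 and src in ctrl_seen \
                and (ts - ctrl_seen[src]).total_seconds() <= window:
            findings[(src, dpt)] += 1
    return dict(findings)


if __name__ == "__main__":
    for (client, port), n in find_blocked_ftp_data(SAMPLE_LOG).items():
        print(f"{client}: {n} dropped SYN(s) to port {port} after an accepted FTP control connection")
```

Run against the real /var/log/firewall, a non-empty result for a client that can log in but cannot list or transfer points at the data-channel rules rather than at vsftpd itself.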