SuSEfirewall2 and ftp-data port
Hi List,

Does anyone know how SuSEfirewall2 works with the ftp-data port? I need active FTP from the firewall host, and I have to set FW_ALLOW_INCOMING_HIGHPORTS="ftp-data". In this case active FTP works, but SuSEfirewall2 allows incoming connections from port 20 to any high TCP port. If it works this (insecure) way, what is the kernel module ip_conntrack_ftp for?

--
Thank you,
Vadim Kouzmine
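The difference between the two approaches raised in the question (a blanket "accept anything from source port 20 to a high port" rule versus relying on ip_conntrack_ftp and a `--state ESTABLISHED,RELATED` rule) is easiest to see in a small simulation. The following is an added example, not code from this thread, from SuSEfirewall2 or from the kernel: it models what the FTP conntrack helper does on the control channel (read the client's PORT command, register a one-shot expectation for the announced address and port) and compares which incoming SYNs each policy would admit. The IP addresses, the `Syn` record, the `FtpHelper` class and the requirement that a PORT command name the client's own address are all constructed assumptions of the model.

```python
"""Model of why a conntrack FTP helper is tighter than a blanket port-20 rule.

Constructed simulation, not SuSEfirewall2 or kernel code.  It mimics what
ip_conntrack_ftp does on the control channel: it reads the client's PORT
command and registers an *expectation* for exactly one data connection.
A firewall rule of the form
    -m state --state ESTABLISHED,RELATED -p tcp --dport 1024:65535
then only admits an incoming SYN that matches such an expectation, whereas
FW_ALLOW_INCOMING_HIGHPORTS="ftp-data" admits any SYN from source port 20.
"""
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


@dataclass(frozen=True)
class Syn:
    """An incoming TCP SYN as the firewall sees it (constructed record)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


class FtpHelper:
    """Expectation table in the style of the kernel FTP conntrack helper (assumed model)."""

    def __init__(self):
        # Keyed by (server_ip, client_ip, client_port).  The server's source
        # port is deliberately not part of the key: the data connection is
        # identified by who we talked to and the port we announced, not by 20.
        self._expected = set()

    def observe_control(self, client_ip, server_ip, line):
        """Feed one line the client sent on the control connection."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Assumption of this model: only a PORT naming the client's own address
        # creates an expectation, so a control channel cannot open holes
        # towards third hosts.
        if ip != client_ip:
            return False
        self._expected.add((server_ip, ip, port))
        return True

    def classify(self, syn):
        """Return 'RELATED' for an expected data connection, otherwise 'NEW'."""
        key = (syn.src_ip, syn.dst_ip, syn.dst_port)
        if key in self._expected:
            self._expected.discard(key)  # an expectation is consumed exactly once
            return "RELATED"
        return "NEW"


def blanket_rule_accepts(syn):
    """FW_ALLOW_INCOMING_HIGHPORTS="ftp-data": any SYN from port 20 to a high port."""
    return syn.src_port == 20 and 1024 <= syn.dst_port <= 65535


def helper_rule_accepts(helper, syn):
    """--state ESTABLISHED,RELATED on the high-port range: needs an expectation."""
    return 1024 <= syn.dst_port <= 65535 and helper.classify(syn) == "RELATED"


def compare_policies():
    """Constructed scenario: the firewall host itself is the active-FTP client."""
    firewall, server, stranger = "192.0.2.1", "198.51.100.7", "203.0.113.9"
    helper = FtpHelper()
    helper.observe_control(firewall, server, "PORT 192,0,2,1,4,1\r\n")  # announces port 1025

    legit = Syn(server, 20, firewall, 1025)          # the data connection we asked for
    unsolicited = Syn(stranger, 20, firewall, 8080)  # any host using source port 20
    return {
        "legit": (blanket_rule_accepts(legit), helper_rule_accepts(helper, legit)),
        "unsolicited": (blanket_rule_accepts(unsolicited),
                        helper_rule_accepts(helper, unsolicited)),
    }


if __name__ == "__main__":
    for name, (blanket, conntrack) in compare_policies().items():
        print(f"{name:12s} blanket rule: {blanket!s:5s}  conntrack rule: {conntrack}")
```

Both policies admit the data connection the client actually requested; only the blanket rule also admits a connection nobody asked for, which is the exposure the question describes. The helper-based rule is therefore what makes ip_conntrack_ftp worth loading: it turns "any high port, from anyone on port 20" into "this one port, from this one server, once".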
Hi Vadim!
I need active ftp from firewall host, and I have to set FW_ALLOW_INCOMING_HIGHPORTS="ftp-data". In this case active ftp works, but SuSEfirewall2 allows incoming connections from port 20 to any high TCP port.
There is a known bug in v2.1 of SuSEfirewall2 as shipped with SuSE 8.0 which prevents active FTP from working correctly. If you need active FTP from the firewall, you can try to apply the following patch and tell me if it worked. AFAIK, this bug is fixed in v3.1 (SuSE 8.1). Regards, Andy --- SuSEfirewall2.orig Sat Mar 23 20:24:47 2002 +++ SuSEfirewall2 Tue Nov 5 00:18:48 2002 @@ -931,9 +931,11 @@ DONE_ALL=no test "$FW_ALLOW_INCOMING_HIGHPORTS_TCP" = yes || { + for CHAIN in input_int input_dmz input_ext; do $LAC $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p tcp --dport 1024:65535 --syn $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p tcp --dport 1024:65535 $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p tcp --dport 1024:65535 + done } for j in $FW_ALLOW_INCOMING_HIGHPORTS_TCP; do case "$j" in @@ -1089,8 +1091,10 @@ DONE_ALL=no test "$FW_ALLOW_INCOMING_HIGHPORTS_UDP" = yes || { + for CHAIN in input_int input_dmz input_ext; do $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp --dport 1024:65535 $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p udp --dport 1024:65535 + done } for j in $FW_ALLOW_INCOMING_HIGHPORTS_UDP; do case "$j" in
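Review bot: in the first hunk (@@ -931,9 +931,11 @@) the accept rule wrapped by the new `for CHAIN in input_int input_dmz input_ext` loop only lets high-port TCP through with `-m state --state ESTABLISHED,RELATED`, so an active-FTP data connection is admitted only when a conntrack helper (ip_conntrack_ftp, raised at the top of the thread) has marked it RELATED; the patch carries no description, and that dependency, plus the reason the loop is needed (without it the rules land only in whatever chain `$CHAIN` last held), should be stated. The chain list is also hard-coded here; if the script keeps its zone chains in a variable elsewhere, iterate over that instead so the two cannot drift apart.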
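Review bot: the second hunk (@@ -1089,8 +1091,10 @@) repeats the same literal chain list `input_int input_dmz input_ext` as the TCP hunk; define it once and reuse it in both loops so a later change to one place cannot leave the UDP rules on a different set of chains. Omitting a `--syn` log variant here is correct for UDP, so no further change is needed in the loop body.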
Hi Andy and List!

Thank you for the comments. I downloaded the latest SuSEfirewall2 (from the update dir for SuSE 8.1), rebuilt it on my Slackware 8.0, and everything just started working fine (both active FTP from the firewall and even passive FTP to the firewall; I have all incoming high ports closed!). Now I'm going to port it to the main network firewall on SuSE 7.1.

I used SuSEfirewall2 v2.1 before because I thought THIS WAS THE LATEST version :( Unfortunately Marc doesn't change the versions on his web page (http://www.suse.de/~marc/SuSE.html). I guess many people (like me) use SuSEfirewall on old SuSEs or even other Linux distributions.

--
Thank you,
Vadim Kouzmine

On Monday 04 November 2002 18:30, Andreas J Mueller wrote:
Hi Vadim!
I need active ftp from firewall host, and I have to set FW_ALLOW_INCOMING_HIGHPORTS="ftp-data". In this case active ftp works, but SuSEfirewall2 allows incoming connections from port 20 to any high TCP port.
There is a known bug in v2.1 of SuSEfirewall2 as shipped with SuSE 8.0 which prevents active FTP from working correctly. If you need active FTP from the firewall, you can try to apply the following patch and tell me if it worked. AFAIK, this bug is fixed in v3.1 (SuSE 8.1).
Regards, Andy
Hi Vadim!
I need active ftp from firewall host, and I have to set FW_ALLOW_INCOMING_HIGHPORTS="ftp-data". In this case active ftp works, but SuSEfirewall2 allows incoming connections from port 20 to any high TCP port.
There is a known bug in v2.1 of SuSEfirewall2 as shipped with SuSE 8.0 which prevents active FTP from working correctly. If you need active FTP from the firewall, you can try to apply the following patch and tell me if it worked. AFAIK, this bug is fixed in v3.1 (SuSE 8.1).
Thanks for the effort. I have built packages for 8.0, to be downloaded at ftp://ftp.suse.com/pub/people/draht/8.0/. Please send me a brief comment about the remains of the problems - I'll have the package showing up in YOU for 8.0 then.
Regards, Andy
--- SuSEfirewall2.orig Sat Mar 23 20:24:47 2002 +++ SuSEfirewall2 Tue Nov 5 00:18:48 2002 @@ -931,9 +931,11 @@
Thanks,
Roman.
--
| Roman Drahtmüller
* Roman Drahtmueller;
Thanks for the effort. I have built packages for 8.0, to be downloaded at ftp://ftp.suse.com/pub/people/draht/8.0/. Please send me a brief comment about the remains of the problems - I'll have the package showing up in YOU for 8.0 then.
Now there are also packages at ftp.suse.com/pub/people/garloff/linux/SuSE

Can you please give version numbers, as it looks like more than one person is maintaining the package (or at least it looks like this from this end)?

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Thanks for the effort. I have built packages for 8.0, to be downloaded at ftp://ftp.suse.com/pub/people/draht/8.0/. Please send me a brief comment about the remains of the problems - I'll have the package showing up in YOU for 8.0 then.
Now there are also packages at ftp.suse.com/pub/people/garloff/linux/SuSE
Can you please give version numbers, as it looks like more than one person is maintaining the package (or at least it looks like this from this end)?
This is not the official place where you can expect update packages to show up. By consequence, both directories are valid, with the exception that I said that the packages in the directory fix the problem we're at. If you use some package from a people directory, you must know what you're doing.
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Roman.
participants (4)
- Andreas J Mueller
- Roman Drahtmueller
- Togan Muftuoglu
- Vadim Kouzmine