SuSEfirewall2 FTP problems since update to 10.0
Hello All!

I have a box that is acting as a masquerading firewall between a lan and the great WWW. I used to have a rule for a subnet of machines that were only allowed to FTP due to web abuse issues. This was in SuSEfirewall2 in 9.1. I have just upgraded to 10.0 and now Active FTP is broken. The relative lines were:

192.168.20.224/28,0/0,tcp,20
192.168.20.224/28,0/0,udp,20
192.168.20.224/28,0/0,tcp,21
192.168.20.224/28,0/0,udp,21

in FW_MASQ_NETS. It worked great. Now my FTP clients stop dead in their tracks at the PORT command. The end of the transaction in ethereal reveals:

209 2.017000 192.168.20.226 208.113.147.155 FTP Request: PWD 2001 21
252 2.099551 208.113.147.155 192.168.20.226 FTP Response: 257 "/" is current directory. 21 2001
253 2.114193 192.168.20.226 208.113.147.155 FTP Request: PORT 192,168,20,226,7,210 2001 21
261 2.367009 208.113.147.155 192.168.20.226 FTP [TCP Out-Of-Order] Response: 257 "/" is current directory. 21 2001
262 2.367168 192.168.20.226 208.113.147.155 TCP dc > ftp [ACK] Seq=73 Ack=229 Win=65307 Len=0 2001 21
268 3.336464 192.168.20.226 208.113.147.155 FTP [TCP Retransmission] Request: PORT 192,168,20,226,7,210 2001 21
616 5.961397 192.168.20.226 208.113.147.155 FTP [TCP Retransmission] Request: PORT 192,168,20,226,7,210 2001 21
1025 11.211392 192.168.20.226 208.113.147.155 FTP [TCP Retransmission] Request: PORT 192,168,20,226,7,210 2001 21
1976 21.711380 192.168.20.226 208.113.147.155 FTP [TCP Retransmission] Request: PORT 192,168,20,226,7,210 2001 21

Never is there a single port 20 record line. Outside of the out of order line (which doesn't always show up), I don't see anything wrong up till here. It used to work fine. What happened? I can get passive FTP to work but it requires opening outbound high ports to the abusers who then IM and chat all day long.

Any help is greatly appreciated.

Mike
Hello All!
I have a box that is acting as a masquerading firewall between a lan and the great WWW. I used to have a rule for a subnet of machines that were only allowed to FTP due to web abuse issues. This was in SuSEfirewall2 in 9.1. I have just upgraded to 10.0 and now Active FTP is broken. The relative lines were:
192.168.20.224/28,0/0,tcp,20
192.168.20.224/28,0/0,udp,20
192.168.20.224/28,0/0,tcp,21
192.168.20.224/28,0/0,udp,21
in FW_MASQ_NETS. It worked great. Now my FTP clients stop dead in their tracks at the PORT command.
Try the last block (nr 32.) in SFW: FW_LOAD_MODULES="ip_nat_ftp"
The end of the transaction in ethereal reveals:
--
L. de Braal
BraHa Systems NL - Terneuzen
T +31 115 649333
F +31 115 649444
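As an added illustration (not code from the thread, from SuSEfirewall2 or from netfilter), the script below decodes the RFC 959 PORT argument seen in the capture and flags the symptom of a missing helper: a PORT command crossing the gateway that still advertises an RFC 1918 address, which is exactly the field ip_nat_ftp rewrites. The sample lines are constructed from the capture above and the public address 203.0.113.7 is an assumed placeholder.

```python
import ipaddress
import re

# Constructed sample modelled on the ethereal output in the thread: PORT
# leaves the masquerading box still carrying the client's private address,
# the server never connects back from port 20, and the client retransmits.
CAPTURE = """\
252 2.099551 208.113.147.155 192.168.20.226 FTP Response: 257 "/" is current directory.
253 2.114193 192.168.20.226 208.113.147.155 FTP Request: PORT 192,168,20,226,7,210
262 2.367168 192.168.20.226 208.113.147.155 TCP dc > ftp [ACK] Seq=73 Ack=229 Win=65307 Len=0
268 3.336464 192.168.20.226 208.113.147.155 FTP [TCP Retransmission] Request: PORT 192,168,20,226,7,210
616 5.961397 192.168.20.226 208.113.147.155 FTP [TCP Retransmission] Request: PORT 192,168,20,226,7,210
"""

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port(line):
    """Decode the h1,h2,h3,h4,p1,p2 argument into (ip, port), or None if absent."""
    m = PORT_RE.search(line)
    if not m:
        return None
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("PORT field out of range: %s" % m.group(0))
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def encode_port(ip, port):
    """Inverse of parse_port: the form the NAT helper re-emits after substituting
    the gateway's public address (port kept as-is here; the helper may pick
    another free port on the gateway)."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def check_active_ftp(capture, public_ip):
    """Return private-address PORT commands seen on the WAN side, as
    (frame, advertised ip, data port, what the helper should have sent),
    plus the number of PORT retransmissions (the stall signature)."""
    findings, retransmits = [], 0
    for line in capture.splitlines():
        parsed = parse_port(line)
        if parsed is None:
            continue
        ip, port = parsed
        if "[TCP Retransmission]" in line:
            retransmits += 1
        if ipaddress.ip_address(ip).is_private:
            findings.append((int(line.split()[0]), ip, port, encode_port(public_ip, port)))
    return {"leaked_private_port_cmds": findings, "port_retransmits": retransmits}
```

Run against the capture, it shows the client asking the server to connect to 192.168.20.226:2002, an address the server cannot reach, so the port-20 data connection never appears.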
On Wed, 2006-11-01 at 23:14 +0100, Leen de Braal wrote:
Hello All!
I have a box that is acting as a masquerading firewall between a lan and the great WWW. I used to have a rule for a subnet of machines that were only allowed to FTP due to web abuse issues. This was in SuSEfirewall2 in 9.1. I have just upgraded to 10.0 and now Active FTP is broken. The relative lines were:
192.168.20.224/28,0/0,tcp,20
192.168.20.224/28,0/0,udp,20
192.168.20.224/28,0/0,tcp,21
192.168.20.224/28,0/0,udp,21
in FW_MASQ_NETS. It worked great. Now my FTP clients stop dead in their tracks at the PORT command.
Try the last block (nr 32.) in SFW:
FW_LOAD_MODULES="ip_nat_ftp"
That fixed it. After a little research, I see these kernel modules are directly applicable to netfilter / iptables. Is there somewhere that they are well documented? I searched http://www.netfilter.org/ for a while and couldn't find any clear detail on ip_nat_ftp and ip_conntrack_ftp or if there's even any other modules that might be useful. Thanks! Mike
On Wed, 2006-11-01 at 23:14 +0100, Leen de Braal wrote:
Hello All!
in FW_MASQ_NETS. It worked great. Now my FTP clients stop dead in their tracks at the PORT command.
Try the last block (nr 32.) in SFW:
FW_LOAD_MODULES="ip_nat_ftp"
That fixed it. After a little research, I see these kernel modules are directly applicable to netfilter / iptables. Is there somewhere that they are well documented? I searched http://www.netfilter.org/ for a while and couldn't find any clear detail on ip_nat_ftp and ip_conntrack_ftp or if there's even any other modules that might be useful.
If you want to know more about the inner depths of netfilter, maybe you should subscribe to one of their mailing lists. But on the site is quite a lot of documentation. I did not search it for ip_nat_ftp, so I do not know if there is something in there already. iptables is a work in progress, with new modules being born from time to time.
Thanks!
Mike
--
L. de Braal
BraHa Systems NL - Terneuzen
T +31 115 649333
F +31 115 649444
FW_LOAD_MODULES="ip_nat_ftp"
That fixed it. After a little research, I see these kernel modules are directly applicable to netfilter / iptables. Is there somewhere that they are well documented? I searched http://www.netfilter.org/ for a while and couldn't find any clear detail on ip_nat_ftp and ip_conntrack_ftp or if there's even any other modules that might be useful.
If you want to know more about the inner depths of netfilter, maybe you should subscribe to one of their mailing lists. But on the site is quite a lot of documentation. I did not search it for ip_nat_ftp, so I do not know if there is something in there already. iptables is a work in progress, with new modules being born from time to time.
Try http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html
participants (3): Administrator, Leen de Braal, Mike Branda