Hi! I want to use active-ftp with some clients behind my gateway-pc (ipchains-masquerading)... (passive ftp works) How do I configure my ipchains-firewall to allow this? I hope someone can help me... Bye.
Hi
I want to use active-ftp with some clients behind my gateway-pc (ipchains-masquerading)... (passive ftp works) How do I configure my ipchains-firewall to allow this?
I hope someone can help me...
Deconfigure all passive ftp components and open your firewall for tcp/20,21,1024:
HTH
Philipp
Hi!
I want to use active-ftp with some clients behind my gateway-pc (ipchains-masquerading)... (passive ftp works) How do I configure my ipchains-firewall to allow this?
I hope someone can help me...
PS> Deconfigure all passive ftp components and open your firewall for
PS> tcp/20,21,1024:
That didn't work for me... I have "allow-all-rules" for input, output and forward and I didn't deny tcp/20,21,1024...
I have just deny-rules for some ports and one forwarding rule:
ipchains -A forward -s 0.0.0.0/0.0.0.0 -d ! 192.168.0.0/255.255.0.0 -j MASQ
With this I can do passive ftp - but active ftp sucks... :-(
Bye.
Hi!
I want to use active-ftp with some clients behind my gateway-pc (ipchains-masquerading)... (passive ftp works) How do I configure my ipchains-firewall to allow this?
I hope someone can help me...
PS> Deconfigure all passive ftp components and open your firewall for PS> tcp/20,21,1024:
That didn't work for me... I have "allow-all-rules" for input, output and forward and I didn't deny tcp/20,21,1024...
I have just deny-rules for some ports and one forwarding rule:
ipchains -A forward -s 0.0.0.0/0.0.0.0 -d ! 192.168.0.0/255.255.0.0 -j MASQ
With this I can do passive ftp - but active ftp sucks... :-(
But why do you want to change it? It is not advisable. Maybe you should reconfigure your firewall the way Squid is doing http, https and pasv ftp job for you. Doing so you can save up some of the rule set and make it a more secure firewall. You could also configure Bind as a Cache DNS making it kinda DNS proxy. Then you would only have left smtp, pop3 and all the rest you need making it an easy job to configure.
Philipp
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Hi,
On Mon, May 21, Philipp Snizek wrote:
But why do you want to change it? It is not advisable. Maybe you should reconfigure your firewall the way Squid is doing http, https and pasv ftp job for you. Doing so you can save up some of the rule set and make it a more secure firewall. You could also configure Bind as a Cache DNS making it kinda DNS proxy. Then you would only have left smtp, pop3 and all the rest you need making it an easy job to configure.
Maybe Hasi's patches for dynamic FTP PORT firewall rules are what you're looking for:
http://www.suse.de/~mha/index-next.html
"For Linux kernel 2.2.x. This patch introduces automatically created, kernel maintained, dynamic firewall rules for firewalling FTP connections. It allows active FTP data connections without opening the firewall, by scanning for the PORT command in FTP command connections and creating a dynamic (i.e. it times out eventually - default 3 minutes, if unused) firewall rule for the data connection. See the README for what it does. People have reported that it works very well for them."
Philipp
 -o)    Hubert Mantel              Goodbye, dots...
 /\\
_\_v
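The mechanism quoted in the message above (scan the control connection for PORT, then open a short-lived rule for the data connection), sketched as an added example; this is a user-space model written for this page, not code from the patch. The class and function names, the sample addresses and the rejection of third-party or privileged PORT targets are assumptions of the example.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): the client tells the server where to connect back.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?$")
RULE_TIMEOUT = 180  # seconds; the "default 3 minutes" from the quoted description


def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not a valid one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class DynamicRules:
    """Toy model of temporary allow rules for active FTP data connections."""

    def __init__(self):
        self.rules = {}  # (server_ip, client_ip, client_port) -> expiry time

    def on_control_line(self, client_ip, server_ip, line, now):
        """Inspect one client->server control-channel line; add a rule on PORT."""
        target = parse_port(line)
        if target is None:
            return False
        ip, port = target
        # Assumption of this example: refuse a PORT that names a third party
        # or a privileged port instead of opening a hole for it.
        if ip != client_ip or port < 1024:
            return False
        self.rules[(server_ip, ip, port)] = now + RULE_TIMEOUT
        return True

    def allow_data(self, src_ip, src_port, dst_ip, dst_port, now):
        """Allow server:20 -> client:port only while a matching rule is alive."""
        key = (src_ip, dst_ip, dst_port)
        expiry = self.rules.get(key)
        if src_port != 20 or expiry is None:
            return False
        if now > expiry:
            del self.rules[key]  # unused rule timed out
            return False
        return True
```

On a masquerading gateway the address inside PORT is the client's private one, so a helper there also has to rewrite the command before forwarding it; this model covers only the filtering side.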
Hi!
I think you need the module ip_masq_ftp.o to masquerade active ftp with ipchains, don't you? So it works fine for me. Perhaps take a look at http://www.linux-firewall-tools.com/linux/.
Hope that's what you are looking for!
Christian
On Monday, 21 May 2001 10:09 you wrote:
Hi!
I want to use active-ftp with some clients behind my gateway-pc (ipchains-masquerading)... (passive ftp works) How do I configure my ipchains-firewall to allow this?
I hope someone can help me...
PS> Deconfigure all passive ftp components and open your firewall for PS> tcp/20,21,1024:
That didn't work for me... I have "allow-all-rules" for input, output and forward and I didn't deny tcp/20,21,1024...
I have just deny-rules for some ports and one forwarding rule:
ipchains -A forward -s 0.0.0.0/0.0.0.0 -d ! 192.168.0.0/255.255.0.0 -j MASQ
With this I can do passive ftp - but active ftp sucks... :-(
Bye.
Hi!
CU> I think you need the module ip_masq_ftp.o to masquerade active ftp with
CU> ipchains, don't you? So it works fine for me. Perhaps take a look at
CU> http://www.linux-firewall-tools.com/linux/.
CU> Hope that's what you are looking for!
CU> Christian
..ip_masq_ftp.o would be a good solution, but it seems to me that it just works with kernel 2.2.x and not with 2.4.x .. !? If there is a possibility to use it with 2.4.x (ipchains-compatibility) I would like to know about it...
Meanwhile I also took a look at Netfilter/Iptables and set up a masquerading-rule that works fine so far... but I have the same ftp-problem: ;-) How can I realize active ftp-connections from the clients behind a netfilter/iptables-gateway-pc?
Bye.
participants (4)
- Christian Uhde
- da_bug
- Hubert Mantel
- Philipp Snizek