AW: [suse-security] SuseFirewall2 DMZ
Proftpd is running, because I have the log message of proftpd.
* Frédéric Poulet; on 14 Nov, 2002 wrote:

> When I use the ftp service from the firewall I have these logs:
>
> Jan 23 12:40:11 linux kernel: SuSE-FW-REJECT IN=eth2 OUT= MAC=00:40:f4:3d:89:4b:00:e0:18:a6:7d:17:08:00 SRC=192.168.5.2 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55868 DF PROTO=TCP SPT=32983 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0430C8600000000001030300)

I think the following happens: You start an ftp request to your server (your web server I think). Before your server answers, it tries to find out who the client machine is, and therefore sends an auth request to the client. But the firewall blocks this auth request. Normally the ftp connection should be established, although the auth request isn't answered. But it may take quite long. Best is to open your firewall for auth requests. The other possibility is to enter your client into the server's /etc/hosts, but in your case I think it may not be possible because of the masquerading, so the ftp requests from different clients all seem to come from the same IP address. Hmm... Simply try entering the IP address 192.168.5.1 in the server's /etc/hosts with some host name you like. Maybe it works.

Bye
Uli

--
Ulrich Roth
IMPACT Business & Technology Consulting GmbH
Im Mediapark 8 / KölnTurm
D-50670 Koeln
Phone +49-221-93 70 80-29
Fax +49-221-93 70 80-15
E-Mail: roth@impact.de

--- Togan Muftuoglu wrote:
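As an added example (not part of the thread), here is a small parser for the SuSE-FW-REJECT line Frédéric posted: it splits the kernel log into fields and flags and points out the port 113 case Uli describes, including why a REJECT stalls the session less than a silent DROP would. The second log line is constructed for contrast; only the first is from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 is the rejected ident SYN quoted in the thread,
# line 2 is a made-up rejected SMTP SYN so the filter has something to skip.
SAMPLE_LOG = """\
Jan 23 12:40:11 linux kernel: SuSE-FW-REJECT IN=eth2 OUT= MAC=00:40:f4:3d:89:4b:00:e0:18:a6:7d:17:08:00 SRC=192.168.5.2 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55868 DF PROTO=TCP SPT=32983 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0430C8600000000001030300)
Jan 23 12:41:02 linux kernel: SuSE-FW-REJECT IN=eth2 OUT= MAC=00:40:f4:3d:89:4b:00:e0:18:a6:7d:17:08:00 SRC=192.168.5.2 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55869 DF PROTO=TCP SPT=32984 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "<month> <day> <time> <host> kernel: SuSE-FW-<action> key=value ... flags ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"SuSE-FW-(?P<action>[A-Z-]+) (?P<rest>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one SuSEfirewall2 kernel log line into its fields; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "action": m["action"]}
    tokens = m["rest"].split()
    for tok in tokens:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val          # OUT= stays "" for a packet addressed to the firewall
    # Bare words (DF, SYN, ACK, ...) are flags; "OPT (...)" carries the raw TCP options.
    flags = [t for t in tokens if "=" not in t and t != "OPT" and not t.startswith("(")]
    rec["flags"] = ",".join(flags)
    return rec


def explain_reject(rec: Dict[str, str]) -> Optional[str]:
    """Diagnose the thread's case: a TCP SYN to port 113 that the firewall refused.
    Returns None for any other logged packet."""
    if rec.get("PROTO") != "TCP" or rec.get("DPT") != "113" \
            or "SYN" not in rec["flags"].split(","):
        return None
    if rec["action"] == "REJECT":
        outcome = "the lookup was refused at once, so the session can continue"
    else:
        outcome = "the SYN was silently dropped, so the service waits for the lookup to time out"
    return (f"{rec['SRC']} is running an ident lookup against {rec['DST']} (seen on "
            f"{rec.get('IN', '?')}): a service on {rec['SRC']} is asking who just "
            f"connected from {rec['DST']}; {outcome}.")


def ident_rejects(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed record of every logged ident lookup in log_text."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and explain_reject(r)]
```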
Hi everyone!

> You start an ftp request to your server (your web server I think).

The server is a machine located in the DMZ.

> Before your server answers, it tries to find out who the client machine is, and therefore sends an auth request to the client.

Correct. The client in this case is a machine located on the internal network.

> But the firewall blocks this auth request.

The reason for this is that there is no forward rule that would allow ident requests to be passed from the DMZ to the internal network. The firewall is configured to REJECT only ident requests that target the firewall itself, not ident requests which are forwarded between nets.

> Normally the ftp connection should be established, although the auth request isn't answered. But it may take quite long. Best is to open your firewall for auth requests.

I disagree with that. Although ident requests are not dangerous by default, many identd implementations for Windows PCs are poorly written and suffer from buffer overruns. If you *really need* ident lookups to your internal network, add "192.168.5.2,192.168.1.0/24,tcp,113" to your FW_FORWARD.

Otherwise it is best to redirect these requests to the firewall where they will be rejected. You can do this by adding FW_REDIRECT="192.168.5.0/24,192.168.1.0/24,tcp,113,113" to your config.

Regards, Andy

--
Andreas J. Mueller email:
The connection to my ftp service is OK now.
But I can't see my files; when I use the "ls" command the ftp service does not answer.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Do You Yahoo!? -- A free @yahoo.fr address, in French! Yahoo! Mail : http://fr.mail.yahoo.com
Hi !
> The connection to my ftp service is OK now. But I can't see my files; when I use the "ls" command the ftp service does not answer.

--> This means that only port 21 is working correctly. The "ls" command will be transmitted via port 21, but the listing itself will be transferred (like subsequent data transfers) via high ports. You have to allow them as well.

HTH, Armin

--
Am Hasenberg 26                  office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                      Schloss-Straße 6
Tel. ++49-(0)38203/42137                 D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de              Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/              Fax. +49-(0)38293-68-50
My ftp service is accessible from the internet but not from the internal network. In fact for the internet network, the connection runs, but when I use the "ls" command nothing takes place. Somebody has an idea?
On Tuesday 19 November 2002 13:45, Frédéric Poulet wrote:
> My ftp service is accessible from the internet but not from the internal network. In fact for the internet network, the connection runs, but when I use the "ls" command nothing takes place.
> Somebody has an idea?

You have to use "passive FTP" when connecting to the server through a firewall. Otherwise the server will try to open other high filtered ports to the client for data transfers. Most client programs support passive mode.

--
Ch
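To make Armin's and Christian's point concrete, here is an added example (not from the thread) that decodes the PORT command and the 227 "Entering Passive Mode" reply from an FTP control channel and reports who opens the data connection for the following "ls", and therefore which forward the firewall has to permit. The server address 192.168.5.2 is the thread's; the client address 192.168.1.10 and both control-channel lines are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed control-channel lines for the thread's layout: ftp server 192.168.5.2
# in the DMZ, client on the internal net (its address 192.168.1.10 is assumed).
CLIENT_IP = "192.168.1.10"
SERVER_IP = "192.168.5.2"
ACTIVE_LS = "PORT 192,168,1,10,4,1"                              # client listens on 4*256+1
PASSIVE_LS = "227 Entering Passive Mode (192,168,5,2,156,64)."   # server listens on 156*256+64

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form that PORT and the 227 reply share (RFC 959)."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if max(parts) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = parts
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel(line: str, client_ip: str, server_ip: str) -> Optional[Dict[str, str]]:
    """From one control-channel line, say who opens the data connection for the
    following LIST/RETR and which direction a packet filter between the two must allow."""
    line = line.strip()
    ep = decode_hostport(line)
    if ep is None:
        return None
    host, port = ep
    if line.upper().startswith("PORT "):
        # Active mode: the server dials out from port 20 to the address the client named.
        # A server should refuse a PORT that points anywhere but the control connection's peer.
        return {"mode": "active", "initiator": server_ip, "target": f"{host}:{port}",
                "third_party": "no" if host == client_ip else "yes",
                "needs": f"forward tcp {server_ip}:20 -> {host}:{port} (server net to client net)"}
    if line.startswith("227"):
        # Passive mode: the client dials in to the high port the server announced.
        return {"mode": "passive", "initiator": client_ip, "target": f"{host}:{port}",
                "third_party": "no" if host == server_ip else "yes",
                "needs": f"forward tcp {client_ip} -> {host}:{port} (client net to server net)"}
    return None
```

In the thread's setup the active-mode connection is a DMZ-to-internal forward the firewall does not allow, which is why "ls" hangs after the login succeeds; passive mode turns it into an internal-to-DMZ connection. A stateful filter with an FTP connection-tracking helper reads these same lines and opens the data port on its own, so neither fixed high-port rule is needed there.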
participants (5)
- Andreas J Mueller
- Armin Schöch
- Christian Andersson
- Frédéric Poulet
- Ulrich Roth