AW: [suse-security] SuseFirewall2 DMZ

newer
AW: [suse-security] SuseFirewall2...

Ulrich Roth

14 Nov 2002 14 Nov '02

14:56

Proftd running becouse i have the log message of proftpd

...
* FrÃ©dÃ©ric Poulet; on 14 Nov, 2002 wrote:

...
when i use ftp service from firewall i have logs: Jan 23 12:40:11 linux kernel: SuSE-FW-REJECT IN=eth2 OUT= MAC=00:40:f4:3d:89:4b:00:e0:18:a6:7d:17:08:00 SRC=192.168.5.2 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55868 DF PROTO=TCP SPT=32983 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0430C8600000000001030300) I think the following happens: You start an ftp request to your server (your web server I think). Before your server answers, it tries to find out who the client machine is, and sends therefore an auth request to the client. But the firewall blocks this auth request. Normally the ftp connection should be established, although the auth request isn't answered. But it may take quite long. Best is to open your firewall for auth requests. The other possibility is to enter your client into the server's /etc/hosts, but in your case I think it may not be possible because of the masquerading, so the ftp requests from different clients all seem to come from the same IP address. Hmm... Simply try entering the IP address 192.168.5.1 in the server's /etc/hosts with some host name you

--- Togan Muftuoglu a écrit : like. Maybe it works. Bye Uli -- Ulrich Roth IMPACT Business & Technology Consulting GmbH Im Mediapark 8 / KölnTurm D-50670 Koeln Phone +49-221-93 70 80-29 Fax +49-221-93 70 80-15 E-Mail: roth@impact.de

Show replies by date

Andreas J Mueller

14 Nov 14 Nov

16:11

New subject: [suse-security] SuseFirewall2 DMZ

-----BEGIN PGP SIGNED MESSAGE----- Hi everyone!

...

You start an ftp request to your server (your web server I think).

The server is a machine located in the DMZ.

...

Before your server answers, it tries to find out who the client machine is, and sends therefore an auth request to the client.

Correct. The client in this case is a machine located on the internal network.

...

But the firewall blocks this auth request.

The reason for this is that there is no forward rule that would allow ident requests to be passed from the DMZ to the internal network. The firewall is configured to REJECT only ident requests that target the firewall itself, not ident requests which are forwarded between nets.

...

Normally the ftp connection should be established, although the auth request isn't answered. But it may take quite long. Best is to open your firewall for auth requests.

I disagree with that. Although ident requests are not dangerous by default, may identd implementations for Windows PCs are poorly written and suffer from buffer overruns. If you *really need* ident lookups to your internal network, add "192.168.5.2,192.168.1.0/24,tcp,113" to your FW_FORWARD. Otherwise it is best to redirect these requests to the firewall where they will be rejected. You can do this by adding FW_REDIRECT="192.168.5.0/24,192.168.1.0/24,tcp,113,113" to your config. Regards, Andy - -- Andreas J. Mueller email: PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (MingW32) iQC9AwUBPdPLJvobN5o9QdlBAQG6EAVAuq6lfzEtnDHo5i5UkUE2YSrzYW17UnUQ HYZgOAmwb0kw5udU63RTIClywiBrmgq8UZqwRmDcLxQ8hAROj1sM7TPMIzXSdeqa 3pkEne89Flh7RGvBvrvPgD4+vVlgRoRbGAfzofl29e6c6s562cIyyeQw/31R+xrH U5/i0qT61KaGElm/kUTIPxarvS+m+7PVbBwMzkRhrVKVVyjlyMdtsf/q8CWUzoSq =pYam -----END PGP SIGNATURE-----

Frédéric Poulet

19 Nov 19 Nov

09:36

New subject: [suse-security] SuseFirewall2 DMZ

The connexion to my ftp service is ok, now. But i can't see my file, when i use "ls" command the ftp service does not answer. --- Andreas J Mueller a écrit : > -----BEGIN PGP SIGNED MESSAGE-----

...

Hi everyone!

...
You start an ftp request to your server (your web server I think).

The server is a machine located in the DMZ.

...
Before your server answers, it tries to find out who the client machine is, and sends therefore an auth request to the client.

Correct. The client in this case is a machine located on the internal network.

...
But the firewall blocks this auth request.

The reason for this is that there is no forward rule that would allow ident requests to be passed from the DMZ to the internal network. The firewall is configured to REJECT only ident requests that target the firewall itself, not ident requests which are forwarded between nets.

...
Normally the ftp connection should be established, although the auth request isn't answered. But it may take quite long. Best is to open your firewall for auth requests.

I disagree with that. Although ident requests are not dangerous by default, may identd implementations for Windows PCs are poorly written and suffer from buffer overruns. If you *really need* ident lookups to your internal network, add "192.168.5.2,192.168.1.0/24,tcp,113" to your FW_FORWARD.

Otherwise it is best to redirect these requests to the firewall where they will be rejected. You can do this by adding FW_REDIRECT="192.168.5.0/24,192.168.1.0/24,tcp,113,113" to your config.

Regards, Andy

- -- Andreas J. Mueller email: PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (MingW32)

iQC9AwUBPdPLJvobN5o9QdlBAQG6EAVAuq6lfzEtnDHo5i5UkUE2YSrzYW17UnUQ HYZgOAmwb0kw5udU63RTIClywiBrmgq8UZqwRmDcLxQ8hAROj1sM7TPMIzXSdeqa 3pkEne89Flh7RGvBvrvPgD4+vVlgRoRbGAfzofl29e6c6s562cIyyeQw/31R+xrH U5/i0qT61KaGElm/kUTIPxarvS+m+7PVbBwMzkRhrVKVVyjlyMdtsf/q8CWUzoSq =pYam -----END PGP SIGNATURE-----

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com

Armin Schöch

10:06

New subject: [suse-security] SuseFirewall2 DMZ

Hi !

...

The connexion to my ftp service is ok, now. But i can't see my file, when i use "ls" command the ftp service does not answer.

--> This means that only port 21 is working correctly. The "ls" command will be transmitted via port 21 but the listing itself will be transferred (like subsequent data transfers) via high ports. You have to allow them as well. HTH, Armin -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50

Frédéric Poulet

12:45

New subject: SuseFirewall2 DMZ

My ftp service is accessible from internet but not from intern network. In fact for the internet network, the connexion runs but when i use "ls" command nothing takes place. Somebody has an idea ? ___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com

Christian Andersson

13:02

New subject: [suse-security] SuseFirewall2 DMZ

On Tuesday 19 November 2002 13:45, Frédéric Poulet wrote:

...

My ftp service is accessible from internet but not from intern network. In fact for the internet network, the connexion runs but when i use "ls" command nothing takes place.

Somebody has an idea ?

You have to use "passive FTP" when connecting to the server through a firewall. Otherwise the server will try to open other high filtered ports to the client for data transfers. Most client programs support passive mode. -- Ch

7836

Age (days ago)

7841

Last active (days ago)

List overview

Download

5 comments

5 participants

participants (5)

Andreas J Mueller
Armin Schöch
Christian Andersson
Frédéric Poulet
Ulrich Roth