On Thu, 2005-12-08 at 15:41 +0100, wavesurf@planet.nl wrote:
On Thursday 8 December 2005 14:47, Chadley Wilson wrote:
On Thu, 2005-12-08 at 13:48 +0100, wavesurf@planet.nl wrote:
Dec 8 13:44:46 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123. DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3280 DF PROTO=TCP SPT=10175 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Look here, I am now also a bit confused: it clearly logged that port 21 is in the SFW2-INext-ACC-TCP filter. The fact that it produces a log entry suggests that the firewall is happy and that the opened port (21) is available.
The fact that it works when you disable the firewall would suggest that you are missing a rule for related and established packets.
Do an iptables-save > filename and then cat filename to see if there is a related and established rule for the SFW2-INext-ACC-TCP filter.
If not you will need to edit the firewall with the sysconfig edit tool provided in yast.
Look for the relevant option and see whether that helps.
Otherwise, run this command (below) manually and see if it works; this should just prove it is the firewall. Otherwise please mail me off list with your iptables-save file and let me check it and see if I can spot the mistake.
iptables -A SFW2-INext-ACC-TCP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Chadley
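The check suggested above (dump the ruleset with iptables-save and look for a RELATED,ESTABLISHED rule), written out as an added Python example; this is not code from the thread or from SuSEfirewall2. It parses the netfilter LOG line quoted earlier (with the trailing dot on SRC dropped), finds which chain carries the LOG rule with that prefix, and reports whether any chain has an ACCEPT rule for RELATED,ESTABLISHED. Both iptables-save dumps are constructed for the demonstration; the chain name input_ext and the rule layout are assumptions about how such a ruleset looks, not a dump from the poster's machine. The logged string SFW2-INext-ACC-TCP is treated as a --log-prefix value rather than a chain name, which is why the script looks up the chain that emits it instead of appending to it.

```python
"""Relate a SuSEfirewall2 kernel LOG line to an iptables-save dump and
check for an ACCEPT rule matching RELATED,ESTABLISHED (added example)."""
import re
import shlex

# Constructed copy of the log line quoted in the thread.
SAMPLE_LOG = (
    "Dec 8 13:44:46 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= "
    "MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 "
    "DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3280 DF "
    "PROTO=TCP SPT=10175 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0 "
    "OPT (0204055001010402)"
)

# Constructed iptables-save excerpt (chain name input_ext is an assumption):
# port 21 is logged and accepted, but nothing accepts RELATED,ESTABLISHED.
DUMP_MISSING_STATE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A input_ext -p tcp -m tcp --dport 21 -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
COMMIT
"""

# Same dump with the state rule the thread recommends, placed in INPUT.
DUMP_WITH_STATE = DUMP_MISSING_STATE.replace(
    "-A INPUT -i eth0 -j input_ext",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
    "-A INPUT -i eth0 -j input_ext",
)

BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_sfw2_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields, 'prefix' and 'flags'."""
    m = re.search(r"kernel: (\S+) (.*)$", line)
    if not m:
        raise ValueError("not a kernel LOG line")
    fields = {"prefix": m.group(1), "flags": []}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in BARE_FLAGS:
            fields["flags"].append(tok)
    return fields


def parse_iptables_save(dump):
    """Return {chain: [argv, ...]} for every -A rule; empty chains are kept."""
    rules = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            rules.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.setdefault(argv[1], []).append(argv)
    return rules


def chains_logging_prefix(rules, prefix):
    """Chains holding a LOG rule whose --log-prefix equals `prefix` (ignoring padding)."""
    found = []
    for chain, chain_rules in rules.items():
        for argv in chain_rules:
            if "--log-prefix" in argv and argv[argv.index("--log-prefix") + 1].strip() == prefix:
                found.append(chain)
                break
    return found


def has_state_accept(rules, chain, states=("RELATED", "ESTABLISHED")):
    """True if `chain` has an ACCEPT rule whose -m state/-m conntrack match covers `states`."""
    for argv in rules.get(chain, []):
        for opt in ("--state", "--ctstate"):
            if opt in argv and "ACCEPT" in argv:
                if set(states) <= set(argv[argv.index(opt) + 1].split(",")):
                    return True
    return False


def diagnose(log_line, dump):
    """Tie the logged connection attempt to the ruleset that produced it."""
    event = parse_sfw2_log(log_line)
    rules = parse_iptables_save(dump)
    return {
        "prefix": event["prefix"],
        "proto": event.get("PROTO"),
        "dport": event.get("DPT"),
        "flags": event["flags"],
        "prefix_is_chain": event["prefix"] in rules,  # False: it is a LOG prefix
        "logging_chains": chains_logging_prefix(rules, event["prefix"]),
        "state_rule_in": [c for c in rules if has_state_accept(rules, c)],
    }


if __name__ == "__main__":
    for name, dump in (("missing", DUMP_MISSING_STATE), ("fixed", DUMP_WITH_STATE)):
        print(name, diagnose(SAMPLE_LOG, dump))
```

Running it against a real dump is a matter of replacing DUMP_MISSING_STATE with the contents of the saved file; an empty state_rule_in list together with prefix_is_chain being False is the situation the thread describes, where the port is accepted but the chain named in the log cannot be appended to.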
Chadley,
This is difficult stuff for me :)
Here are the files and the things I did.
linux:~ # iptables -A SFW2-INext-ACC-TCP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name
linux:~ #
I added this to the firewall and now it works; try it for me. Edit /etc/sysconfig/SuSEfirewall2:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,21 0/0,tcp,22"
FW_TRUSTED_NETS="172.100.0.0/16"
Obviously replace with your network range..
Chadley
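An added Python example (not the poster's code and not part of SuSEfirewall2) that reads the two settings from the message above out of a sysconfig-style file and audits them: which services FW_SERVICES_ACCEPT_EXT opens to 0/0, that is the whole internet, and whether any FW_TRUSTED_NETS entry lies outside the private (RFC 1918 and similar) ranges, which is worth checking because the 172.100.0.0/16 in the thread is only a placeholder to be replaced with your own range. The sysconfig excerpt is constructed, and the parser assumes the net,protocol,port entry format used in the thread.

```python
"""Audit FW_SERVICES_ACCEPT_EXT and FW_TRUSTED_NETS from a sysconfig-style
SuSEfirewall2 file (added example, not SuSEfirewall2 code)."""
import ipaddress
import re

# Constructed excerpt in the format used in the thread, with one extra
# service restricted to a LAN so both branches of the audit are exercised.
SAMPLE_SYSCONFIG = """\
## Path: Network/Firewall/SuSEfirewall2
# constructed excerpt, not a real /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,21 0/0,tcp,22 192.168.1.0/24,udp,161"
FW_TRUSTED_NETS="172.100.0.0/16"
"""

ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
PORT = re.compile(r"^\d+(:\d+)?$")  # single port or iptables-style low:high range


def parse_sysconfig(text):
    """Read NAME="value" lines, skipping comments and blanks; surrounding quotes are stripped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[name] = value
    return values


def to_network(net):
    """The config writes "anywhere" as 0/0; ipaddress needs the full 0.0.0.0/0 form."""
    if net == "0/0":
        net = "0.0.0.0/0"
    return ipaddress.ip_network(net, strict=False)


def parse_accept_ext(value):
    """Split FW_SERVICES_ACCEPT_EXT into (network, protocol, port) triples (assumed format)."""
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) < 3:
            raise ValueError("expected net,proto,port: %r" % item)
        net, proto, port = parts[0], parts[1].lower(), parts[2]
        if proto not in ("tcp", "udp") or not PORT.match(port):
            raise ValueError("bad protocol or port: %r" % item)
        entries.append((to_network(net), proto, port))
    return entries


def audit(text):
    """Report services open to the whole internet, services limited to a
    source network, and trusted networks that are not private ranges."""
    cfg = parse_sysconfig(text)
    entries = parse_accept_ext(cfg.get("FW_SERVICES_ACCEPT_EXT", ""))
    trusted = [to_network(n) for n in cfg.get("FW_TRUSTED_NETS", "").split()]
    return {
        "world_open": sorted("%s/%s" % (proto, port)
                             for net, proto, port in entries if net.prefixlen == 0),
        "restricted": sorted("%s/%s from %s" % (proto, port, net)
                             for net, proto, port in entries if net.prefixlen != 0),
        "trusted": [str(n) for n in trusted],
        "public_trusted": [str(n) for n in trusted if not n.is_private],
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_SYSCONFIG).items():
        print("%-15s %s" % (key, val))
```

Point it at the real file with open("/etc/sysconfig/SuSEfirewall2").read() in place of SAMPLE_SYSCONFIG; anything listed under world_open is reachable from every address, so it should be only what you meant to expose (here FTP and SSH), and a non-empty public_trusted means a trusted network that is not an RFC 1918 range and deserves a second look.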