ftp highport security in susefirewall2
Hi
I have to open the high ports on my ftp server and am thinking of:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
But the SuSE script seems to suggest "yes" rather than "ftp-data":
<snip>
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
</snip>
Any advice?
Thanks,
Steve.
On Thu, 3 Oct 2002 19:07:27 +0200
steve
I have to open the high ports on my ftp server and am thinking of: FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
But the SuSE script seems to suggest "yes" rather than "ftp-data":
<snip>
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
</snip>
ftp-data works fine for me.
--
use Perl; #powerful programmable prestidigitation
On Thursday 03 October 2002 19:59, zentara wrote:
On Thu, 3 Oct 2002 19:07:27 +0200 steve wrote:
I have to open the high ports on my ftp server and am thinking of: FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
But the SuSE script seems to suggest "yes" rather than "ftp-data":
<snip>
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
</snip>
ftp-data works fine for me.
Doesn't for me. I have to put the same line in the *client's* firewall and turn off passive to be able to connect.
Does:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
also have to be set to "ftp-data"?
Thanks for your patience.
Steve.
On Friday 04 October 2002 15.18, steve wrote:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" </snip>
ftp-data works fine for me.
Doesn't for me. I have to put the same line in the *client's* firewall and turn off passive to be able to connect.
Does:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
also have to be set to "ftp-data"?
Thanks for your patience.
Steve.
You shouldn't have to touch the client side firewall at all. That's the whole point of passive mode. It should be enough to set
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
on the server (and restart the firewall, naturally :). If that doesn't work there must be some other problem. You could try setting
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
instead and see if that works.
//Anders
--
'Deserves [death]. I daresay he does. Many that live deserve death. And some that die deserve life. Can you give it to them? Then do not be too eager to deal out death in judgement. For even the very wise cannot see all ends.' --Tolkien, The Lord of the Rings
On Thursday 03 October 2002 19:07, steve wrote:
Hi
I have to open the high ports on my ftp server and am thinking of: FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
Still no passive ftp. What else has to be set to allow passive transfers?
What about:
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
as well?
The client I'm testing with has squid running and allows active transfers when I set its firewall to accept highports.
Any ideas anyone?
Thanks,
Steve.
* steve;
On Thursday 03 October 2002 19:07, steve wrote:
Hi
I have to open the high ports on my ftp server and am thinking of: FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
Still no passive ftp. What else has to be set to allow passive transfers? What about: FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" as well?
ftp is a TCP activity; it has nothing to do with UDP.
Have you checked the draft SuSEFirewall howto at http://dinamizm.ath.cx/articles/firewall2.pdf?
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Tuesday 08 October 2002 16:35, steve wrote:
On Thursday 03 October 2002 19:07, steve wrote:
Hi
I have to open the high ports on my ftp server and am thinking of: FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
Still no passive ftp. What else has to be set to allow passive transfers? What about: FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" as well?
The client I'm testing with has squid running and allows active transfers when I set its firewall to accept highports. Any ideas anyone? Thanks, Steve.
Maybe I have to forward the NAT static mapping on my adsl router? If so, what ports do I forward for passive ftp? Thanks, Steve.
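Added example, not part of the thread: in passive mode the server names the address and high port for the data connection in its 227 reply to PASV (RFC 959), so that port must be accepted by the server firewall and forwarded by any NAT router in front of it. This Python sketch decodes such replies and flags the two usual failure causes; the addresses, the 50000-50050 range and the sample replies are constructed assumptions.

```python
import ipaddress
import re

# RFC 959 reply to PASV: "227 <text> (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (IPv4Address, port) announced in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field above 255 in %r" % reply)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def check_pasv(reply, control_ip, pasv_range):
    """Return the reasons the announced data connection is likely to fail.

    control_ip: address the client dialled for the control connection (port 21).
    pasv_range: (low, high) TCP ports accepted by the server firewall and,
                behind NAT, forwarded by the router (assumed values).
    """
    ip, port = parse_pasv(reply)
    problems = []
    if str(ip) != control_ip:
        kind = "private (RFC 1918) " if any(ip in net for net in RFC1918) else ""
        problems.append("server announces %saddress %s, client dialled %s" % (kind, ip, control_ip))
    low, high = pasv_range
    if not low <= port <= high:
        problems.append("data port %d is outside the opened range %d-%d" % (port, low, high))
    return problems


# Constructed replies using documentation addresses; none come from the thread.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # 195*256+80 = 50000
    "227 Entering Passive Mode (192,168,1,5,195,90)",   # private address, port 50010
    "227 Entering Passive Mode (203,0,113,10,4,1)",     # 4*256+1 = 1025
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, "203.0.113.10", (50000, 50050)) or "ok")
```

The 227 line to test can be read from a verbose client session against the server in question.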
participants (4)
- Anders Johansson
- steve
- Togan Muftuoglu
- zentara