Mailinglist Archive: opensuse-security (375 mails)

< Previous Next >
Re: [suse-security] cant do ftp through squid (susefirewall2 problem with high ports??)
On Sat, 07 Sep 2002, Andreas Bittner wrote:

> All right,
> hello again,
> i have found chapter 11 in the /etc/sysconfig/SuSEfirewall2 config file.
>
> # 11.)
> # How is access allowed to high (unpriviliged [above 1023]) ports?
> #
> # You may either allow everyone from anyport access to your highports ("yes"),
> # disallow anyone ("no"), anyone who comes from a defined port (portnumber or
> # known portname) [note that this is easy to circumvent!], or just your
> # defined nameservers ("DNS").
> # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
> # from a firewall using this script (well, you can if you include range
> # 600:1023 in FW_SERVICES_EXT_UDP ...).
> # Please note that with v2.1 "yes" is not mandatory for active FTP from
> # the firewall anymore.
> #
> # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
> # if not set
> #
> # Common: "ftp-data", better is "yes" to be sure that everything else works :-(
> #FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
> # Common: "DNS" or "domain ntp", better is "yes" to be sure ...
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
>
>
> and have added the
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
> line and now it works all right...
>

> i wonder why the behaviour of a squid ftp connection is different
> from a direct ftp client connection on the squid/suse8 box
> itself... i guess i am not into the details of the related
> connections stuff...

My guess is that your squid proxy ftp's are 'active mode'. Passive
Mode data connections are outgoing (from the client point of view) but
the older Active Mode data connections are incoming.

> ----- Original Message -----

> i dont know how to make susefirewall2 work on a suse8 box running
> squid when trying to ftp with the squid proxy.

> these are my logs for example:
>
> Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
> Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
> Sep 7 23:18:08 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=58314 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>

> seems that my connection from the susefirewall2/squid box to the ftp
> server outside (here ftp.asuscom.de) gets replied to a high port
> 10260 on my box for the dataconnection (port20) ... what is the
> proper settings for susefirewall2 to accept this connection (its
> actually a related connection isnt it?) why doesnt
> susefirewall/conntrack_ftp or something catch/accept this when the
> squid is trying to access ftp servers on the inet?

As you rightly deduced, SuSEfirewall2 was dropping the incoming 'active
mode' ftp-data, so that squid never saw the packets.

I have just been reading the SuSEfirewall2 docs to see if it uses the
ip_conntrack_ftp module to drop/reject unrelated data connections --
I'm sorry I can't find the answer. A little bit of testing in a
sandbox network will solve it.

But I am 90% sure that the FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
option bypasses RELATED connection tracking (by accepting NEW) and so opens up
a fairly big hole through the firewall.

> i can ftp directly without the squid from the inside lan without any
> problems, and an ftp client directly on the suse8/squid box can also
> ftp without problems. only the squid when it wants to connect to ftp
> sites comes up with these errors and wont connect....

Did you log the successful packets from these connections? (You can
temporarily change the logging options in SuSEfirewall2.) My guess is
that you will find that these test connections were 'passive' mode,
which is default now on many ftp clients.

> what am i doing wrong? does my squid needs reconfiguring?
>

I don't use squid. If there is a safe squid option for passive ftp proxy,
then I would suggest you enable it and test it. Then you can disable
active and reverse the change you made to section 11 in SuSEfirewall2.

dproc


< Previous Next >