Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] cant do ftp through squid (susefirewall2 problem with high ports??)
All right,
hello again,
I have found chapter 11 in the /etc/sysconfig/SuSEfirewall2 config file.

# 11.)
# How is access allowed to high (unpriviliged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXT_UDP ...).
# Please note that with v2.1 "yes" is not mandatory for active FTP from
# the firewall anymore.
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
# if not set
#
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
#FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"


and have added the
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
line and now it works all right...

I wonder why the behaviour of a squid FTP connection is different from a direct FTP client connection on the squid/suse8 box itself... I guess I am not into the details of the related connections stuff...

Thanks anyways,
Andy


----- Original Message -----
From: "Andreas Bittner" <bittner@xxxxxxxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Saturday, September 07, 2002 11:24 PM
Subject: [suse-security] cant do ftp through squid (susefirewall2 problem with high ports??)


Hello all,

I don't know how to make SuSEfirewall2 work on a suse8 box running squid when trying to ftp with the squid proxy.

These are my logs, for example:

Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:08 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=58314 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

It seems that my connection from the SuSEfirewall2/squid box to the FTP server outside (here ftp.asuscom.de) gets replied to a high port 10260 on my box for the data connection (port 20)... What are the proper settings for SuSEfirewall2 to accept this connection (it's actually a related connection, isn't it)? Why doesn't susefirewall/conntrack_ftp or something catch/accept this when the squid is trying to access FTP servers on the inet?

I can ftp directly without the squid from the inside LAN without any problems, and an FTP client directly on the suse8/squid box can also ftp without problems. Only the squid, when it wants to connect to FTP sites, comes up with these errors and won't connect....

What am I doing wrong? Does my squid need reconfiguring?

Thanks for any help.
Cheers,
Andy




--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
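As an added example (not part of the thread and not SuSEfirewall2's own code), here is a small Python parser for the SuSE-FW-DROP-DEFAULT kernel log lines quoted above. It picks out the pattern Andy is seeing: an inbound SYN from source port 20 (ftp-data) to an unprivileged port, which is what the server side of an active-mode FTP data connection looks like from the client's firewall. The sample log is constructed: the three lines from the post with the masked DST replaced by the documentation address 192.0.2.10, plus two constructed non-matching lines. The classifier only recognizes the pattern; as the config comment quoted above says, a source-port match is easy to circumvent, so a hit shows what FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" would admit, not that the packets are really FTP, which is why conntrack-based RELATED acceptance is the preferable mechanism.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log. The first three lines are the SuSE-FW-DROP-DEFAULT
# entries from the post, with the masked DST replaced by the RFC 5737
# documentation address 192.0.2.10. The last two lines are constructed
# negatives: a port-20 SYN to a low port, and a UDP packet.
SAMPLE_LOG = """\
Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=192.0.2.10 LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=192.0.2.10 LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:08 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=192.0.2.10 LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=58314 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:19:00 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=20 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 7 23:19:05 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=53 DPT=33434 LEN=36
"""

# syslog timestamp, host, "kernel:", the SuSEfirewall2 log prefix, then the
# key=value fields written by the netfilter LOG target.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<label>SuSE-FW-\S+) (?P<rest>.*)$"
)
# Bare tokens the LOG target emits without "key=": IP and TCP flags.
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class FwEvent:
    ts: str
    label: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: set = field(default_factory=set)


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None and value.isdigit() else None


def parse_line(line: str) -> Optional[FwEvent]:
    """Parse one SuSEfirewall2 kernel log line; return None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv, flags = {}, set()
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v            # empty values like "OUT=" are kept as ""
        elif tok in BARE_FLAGS:
            flags.add(tok)
        # anything else ("OPT" and its hex blob) carries no port or flag info
    return FwEvent(
        ts=m["ts"], label=m["label"],
        src=kv.get("SRC", ""), dst=kv.get("DST", ""), proto=kv.get("PROTO", ""),
        spt=_port(kv.get("SPT")), dpt=_port(kv.get("DPT")), flags=flags,
    )


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def is_active_ftp_data_syn(ev: FwEvent) -> bool:
    """Inbound SYN from source port 20 to an unprivileged (>1023) port.

    That is the shape of an active-mode FTP data connection arriving at the
    client. A source-port match alone does not prove it is FTP (the config
    comment calls this easy to circumvent); it only shows what the
    "ftp-data" setting would let through.
    """
    return (
        ev.proto == "TCP"
        and ev.spt == 20
        and ev.dpt is not None and ev.dpt > 1023
        and "SYN" in ev.flags and "ACK" not in ev.flags
    )


def summarize_ftp_data_drops(text: str) -> dict:
    """Count dropped active-FTP data SYNs per (server, client, client port)."""
    counts = Counter()
    for ev in parse_log(text):
        if is_active_ftp_data_syn(ev):
            counts[(ev.src, ev.dst, ev.dpt)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (srv, cli, port), n in summarize_ftp_data_drops(SAMPLE_LOG).items():
        print(f"{n} dropped ftp-data SYN(s) from {srv}:20 to {cli}:{port}")
```

Run against the sample, the three retries to port 10269 collapse into one summary entry with a count of 3, which is the signature of a client that has sent PORT and is waiting for a data connection the firewall keeps dropping; the port-22 SYN and the UDP line are ignored.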




