Mailinglist Archive: opensuse-security (375 mails)

FTP -Server in DMZ
  • From: joachim.winter@xxxxxxxxxxxxxx
  • Date: Wed, 4 Sep 2002 14:42:15 +0200
  • Message-id: <OFEED446B2.03593F3F-ONC1256C2A.00450089-C1256C2A.0045C9A3@xxxxxxxxxxxxxx>
Hi,

We would like to install a ProFTPD server in a DMZ behind our firewall.
We have installed a web server in the DMZ and a mail server in the internal
network. Both of them work very well.
If we access the FTP server via the web, we see the login message and the
ftp prompt. pwd and cd run perfectly.
If we do a "dir" or "ls", we see the line "220 Port Command successfull" and
nothing more happens. The same happens from the internal net.

Which ports have to be opened so that we can access the FTP server?

config File

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"

FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"

FW_MASQ_NETS="192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"

FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""

# How is access allowed to high (unprivileged [above 1023]) ports?
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

# Are you running some of the services below?
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"

FW_FORWARD="0/0,217.69.228.240/27,tcp,80 \
0/0,217.69.228.240/27,tcp,443 \
0/0,217.69.228.240/27,tcp,7070 \
217.69.228.241,192.168.1.105,tcp,1500 \
0/0,217.69.228.240/27,tcp,21 \
0/0,217.69.228.240/27,tcp,22"

# Mail-Server
FW_FORWARD_MASQ="0/0,192.168.1.109,tcp,25"

FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

FW_KERNEL_SECURITY="yes"

FW_STOP_KEEP_ROUTING_STATE="no"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"

FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Thanks
Joachim Winter

