Mailinglist Archive: opensuse-security (359 mails)

Re[4]: [suse-security] SuSEfirewall2 and Active ftp
  • From: André Sänger <Andre.Saenger@xxxxxx>
  • Date: Thu, 17 Jul 2003 11:34:07 +0200
  • Message-id: <7467195311.20030717113407@xxxxxx>
Hello Knut,

ok, but the data transfer from the ftp-server does originate from port
20. So why can't I just tell the firewall to accept packets from the
ftp-server which originate at port 20 and are targeted to my client?

After reading a bit through the SuSEfirewall2 script I found that such
a rule is indeed inserted:

from "SuSEfirewall2 status" (assuming the client has 10.1.1.1 and the ftp-server 192.168.0.1):

0 0 ACCEPT tcp -- * * 10.1.1.1 192.168.0.1 state NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02

Now if I insert a similar rule just without the flags:... part:

0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20

Then it works. What is this flags... thing for?


--
Best regards,
André mailto:Andre.Saenger@xxxxxx
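The "flags:!0x16/0x02" column in the status output quoted above is how iptables prints a TCP flag match in hex: the first number is the mask of flag bits to examine, the second the value those bits must equal, and the leading "!" negates the result. The following Python is an added example, not part of André's mail or of the SuSEfirewall2 script; it decodes that notation into flag names and evaluates it against constructed flag values, so the difference between the two ACCEPT rules (with and without the flags part) can be seen. The state match (RELATED,ESTABLISHED) is not modelled.

```python
# Added example: decode the iptables "flags:MASK/COMP" notation seen in
# "SuSEfirewall2 status" output and evaluate it against sample TCP flags.
# Bit values are the standard TCP header flag bits (RFC 793).

TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def flag_names(bits):
    """Return the names of the flags set in `bits`, in header-bit order."""
    return [name for name, bit in TCP_FLAGS.items() if bits & bit]


def parse_flags_match(spec):
    """Parse 'flags:!0x16/0x02' (leading 'flags:' and '!' optional)
    into (negate, mask, comp)."""
    body = spec[len("flags:"):] if spec.startswith("flags:") else spec
    negate = body.startswith("!")
    if negate:
        body = body[1:]
    mask_s, comp_s = body.split("/")
    return negate, int(mask_s, 16), int(comp_s, 16)


def describe(spec):
    """Render the hex match in iptables' long form, e.g.
    '! --tcp-flags SYN,RST,ACK SYN'."""
    negate, mask, comp = parse_flags_match(spec)
    examined = ",".join(flag_names(mask))
    required = ",".join(flag_names(comp)) or "NONE"
    prefix = "! " if negate else ""
    return f"{prefix}--tcp-flags {examined} {required}"


def flags_match(packet_flags, spec):
    """True if a packet whose TCP flags are `packet_flags` satisfies
    the match: (flags & mask) == comp, inverted when negated."""
    negate, mask, comp = parse_flags_match(spec)
    hit = (packet_flags & mask) == comp
    return (not hit) if negate else hit


def rule_accepts(packet_flags, flags_spec=None):
    """Model the two rules from the status output: a rule without a
    flags part accepts any flag combination, a rule with one only
    accepts packets that satisfy the match."""
    if flags_spec is None:
        return True
    return flags_match(packet_flags, flags_spec)


# Constructed sample packets from the server's port 20 to the client.
SAMPLES = {
    "SYN only (first packet of a new connection)": TCP_FLAGS["SYN"],
    "SYN/ACK (reply to a connection we opened)": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "PSH/ACK (data segment)": TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
}

if __name__ == "__main__":
    spec = "flags:!0x16/0x02"
    print(spec, "means:", describe(spec))
    for label, bits in SAMPLES.items():
        print(f"{label:45} with flags: {rule_accepts(bits, spec)!s:5}"
              f"  without flags: {rule_accepts(bits)}")
```

The decoded form, "! --tcp-flags SYN,RST,ACK SYN", is what iptables also writes as "! --syn": the rule with the flags part accepts every packet from source port 20 except a bare SYN, i.e. except the packet that opens a connection towards the client, while the rule without it accepts the opening SYN as well.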


