Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] SuSEfirewall2 and Active ftp
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Wed, 16 Jul 2003 17:07:27 +0200
  • Message-id: <876E796441495649AB4AE82092A0784A3D8D4F@xxxxxxxxxxxxxx>
I got this working ONLY by masquerading and only from one direction (internal lan) to the other (external lan). The other way around will most probably only work if you have an FTP server in a DMZ.

This is my config (with masquerading)
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

I am myself using a SuSE firewall between two lans. Another solution might be to use SuSE firewall in combination with Squid or so, but I am working on this issue myself currently.

Cheers


-----Original Message-----
From: André Sänger [mailto:Andre.Saenger@xxxxxx]
Sent: Wednesday, July 16, 2003 4:46 PM
To: suse-security@xxxxxxxx
Subject: [suse-security] SuSEfirewall2 and Active ftp


Hello suse-security,

I'm still not sure how to configure SuSEfirewall2 to get active ftp working.

The server is between two LANs and doing no masquerading.


from the config:


FW_FORWARD="[...] \
myip,ftpserverip,tcp,21 \
myip,ftpserverip,tcp,20"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"


Now if I try to establish a connection I get a connect, but when trying to list the ftp-dir the ftp client hangs.

The firewall-log says:

Jul 16 16:13:51 [firewallmachine] kernel: SuSE-FW-DROP-DEFAULT
IN=eth1 OUT=eth0 SRC=[ftpserverip] DST=[myip] LEN=60 TOS=0x08
PREC=0x00 TTL=62 ID=46457 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840
RES=0x00 SYN URGP=0 OPT (020405B40402080A16229CFF0000000001030300)

What else is needed to get active ftp working through SuSEfirewall2?


If I insert a rule like

$IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -d $quelle -s $ziel -p tcp --sport 20

in SuSEfirewall2-custom active ftp works again, but I don't think that's the proper way? There has to be something in /etc/sysconfig/SuSEfirewall2 I'm missing.

The Firewall machine is running SuSE 8.2 Professional, Kernel 2.4.20-4GB-athlon


--
Kind regards,
André Sänger mailto:Andre.Saenger@xxxxxx
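An added example (not from this thread) that parses netfilter LOG lines in the form André quoted and flags exactly his symptom: a forwarded TCP SYN from source port 20 being dropped, which means the FTP data channel is not being recognised as RELATED by connection tracking. The log lines and addresses below are constructed placeholders.

```python
import re

# Constructed sample lines in the netfilter LOG format SuSEfirewall2 writes.
# Line 1 mirrors the reported drop: a SYN from the FTP server's port 20
# (ftp-data) towards the client's high port, while being forwarded.
SAMPLE_LOG = """\
Jul 16 16:13:51 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=10.0.2.20 DST=10.0.1.5 LEN=60 TOS=0x08 PREC=0x00 TTL=62 ID=46457 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 16 16:14:02 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= SRC=10.0.2.99 DST=10.0.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 16 16:14:10 fw kernel: SuSE-FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=10.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=1140 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
"""

_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one kernel LOG line into its log prefix, KEY=value fields and bare flags."""
    m = re.search(r"kernel: (\S+) (.*)$", line)
    if not m:
        return None
    rec = {"prefix": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # OUT= (empty) means the packet was not forwarded
        elif tok in _FLAGS:
            rec["flags"].add(tok)
    return rec

def is_blocked_active_ftp_data(rec):
    """True for the symptom in the thread: a forwarded TCP SYN from source port 20
    was dropped, i.e. conntrack did not classify the data channel as RELATED."""
    return (
        rec is not None
        and "DROP" in rec["prefix"]
        and rec.get("PROTO") == "TCP"
        and rec.get("SPT") == "20"
        and "SYN" in rec["flags"] and "ACK" not in rec["flags"]
        and bool(rec.get("IN")) and bool(rec.get("OUT"))
    )

def find_blocked_ftp_data(log_text):
    """Return (client, server, client_port) for every blocked active-FTP data SYN."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_blocked_active_ftp_data(rec):
            hits.append((rec["DST"], rec["SRC"], int(rec["DPT"])))
    return hits
```

On a 2.4 kernel the FTP connection-tracking helper (ip_conntrack_ftp) is what ties the port-20 data connection to the port-21 control session as RELATED, so a plain ESTABLISHED,RELATED rule can accept it without a blanket --sport 20 rule like the custom one above.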




