Re: iptables not so stateful

From: John Summerfield (debian_at_ComputerDatasafe.com.au)
Date: 08/14/04

Date: Sat, 14 Aug 2004 16:19:09 +0800
To: debian-user@lists.debian.org

    Eric Gaumer wrote:

    >On Fri, 2004-08-13 at 09:20, Clement wrote:
    >
    >
    >>And I cannot do ftp. All the data mode traffic of FTP are blocked.
    >>Apparently the ESTABLISHED,RELATED specification is not followed. The
    >>module ipt_state is there and executing the above does not show any
    >>error message. I have tried "modprobe ipt_state" before the above to no
    >>success. Any idea?
    >>
    >>
    >>
    >You have to use passive FTP for connection tracking to work. If you use
    >active then the connection tracking module wont be able to follow the
    >connection.
    >
    >

    My firewall is a Powermac running Woody plus shorewall.

    summer@Dolphin:~$ ftp ftp.wa.au.debian.org
    Connected to ftp.wa.au.debian.org.
    220 ProFTPD 1.2.9 Server (Informed Technology FTP Server)
    [poledra.it.net.au]
    <snip excess commentary>
    230-
    230 Anonymous access granted, restrictions apply.
    bin
    200 Type set to I
    prompt
    Interactive mode off.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pas
    Passive mode on.
    ftp> pas
    Passive mode off.
    ftp> dir
    200 PORT command successful
    150 Opening ASCII mode data connection for file list
    lrwxrwxrwx 1 ftpadm staff 20 Dec 24 2003 debian ->
    mirrors/linux/debian
    lrwxrwxrwx 1 ftpadm staff 27 Dec 24 2003 debian-non-US ->
    mirrors/linux/debian-non-US
    lrwxrwxrwx 1 ftpadm staff 24 Dec 24 2003 debian-www ->
    mirrors/linux/debian-www
    drwx------ 2 root system 16384 Dec 24 2003 lost+found
    -rw-r--r-- 1 ftpadm staff 56004951 Aug 14 02:12 ls-lR
    -rw-r--r-- 1 ftpadm staff 7040958 Aug 14 02:12 ls-lR.gz
    -rw-r--r-- 1 ftpadm staff 467421 Aug 14 02:14 ls-lR.patch.gz
    -rw-r--r-- 1 ftpadm staff 22 Aug 14 02:14 ls-lR.times
    drwxr-xr-x 12 ftpadm staff 4096 May 24 05:00 mirrors
    drwxr-xr-x 3 ftpadm staff 4096 Feb 27 05:47 pub
    -rw-r--r-- 1 ftpadm staff 16 May 5 2003 timezone
    drwxr-xr-x 4 root system 4096 Jul 20 08:04 tmp
    -rw-r--r-- 1 root system 717 Dec 25 2003 welcome.msg
    226 Transfer complete.
    ftp>

    As you can see, I do not need to use passive ftp. I've always thought
    that's what connection tracking's for.

    Here are my shorewall rules:
    fw:/etc/shorewall# grep -v ^# rules

    ACCEPT coco2 loc all
    ACCEPT loc coco2 all
    ACCEPT coco2 $FW all
    ACCEPT $FW coco2 all
    ACCEPT $FW net udp 5000,5001
    ACCEPT loc net udp 5000,5001
    ACCEPT $FW net:203.34.16.107 4
    ACCEPT net:203.34.16.107 $FW 4
    ACCEPT loc $FW tcp ssh,www,443,smtp,110
    ACCEPT net $FW tcp ssh,www,443,smtp

    ACCEPT $FW net tcp ssh

    ACCEPT loc net tcp 110
    ACCEPT loc $FW tcp 110

    ACCEPT $FW net tcp www,ftp,smtp,time,110

    ACCEPT $FW loc tcp smtp
    ACCEPT $FW net udp ntp
    ACCEPT $FW loc tcp 37
    ACCEPT $FW loc udp syslog

    -- 
    Cheers
    John
    -- spambait
    1aaaaaaa@computerdatasafe.com.au  Z1aaaaaaa@computerdatasafe.com.au
    Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
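Whether active FTP passes a stateful iptables firewall hinges on the FTP connection-tracking helper (ip_conntrack_ftp on 2.4/2.6 kernels) reading the PORT commands and 227 replies on the control channel, so that the separate data connection can be matched by an ESTABLISHED,RELATED rule instead of being seen as NEW. The following is an added example of mine, not code from this thread or from the kernel: a simplified Python model of that parsing, run over a constructed control-channel log with assumed client and server addresses, showing which data connections end up RELATED and which do not.

```python
import re

# Simplified model of the FTP conntrack helper (constructed, not kernel code):
# read PORT / 227 on the control channel, derive the expected data connection.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Assumed addresses for the constructed session below.
CLIENT_IP = "192.168.1.10"
SERVER_IP = "203.0.113.5"

# Constructed control-channel log: client commands and server replies, in order.
CONTROL_LOG = [
    "USER anonymous",
    "230 Anonymous access granted, restrictions apply.",
    "PORT 192,168,1,10,4,1",           # active: client listens on port 1025
    "200 PORT command successful",
    "LIST",
    "150 Opening ASCII mode data connection for file list",
    "226 Transfer complete.",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80).",  # passive: server port 50000
    "PORT 10,0,0,99,4,2",              # not the client's address: no expectation
    "200 PORT command successful",
]

def _endpoint(groups):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port) with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def expected_data_connections(control_lines, client_ip, server_ip):
    """Return the data connections the helper would register as RELATED.

    As with the kernel helper's default (non-'loose') behaviour, an address
    that is not the control connection's peer creates no expectation.
    """
    expected = []
    for line in control_lines:
        m = PORT_RE.match(line)
        if m:  # active mode: the server connects back to the client
            ip, port = _endpoint(m.groups())
            if ip == client_ip:
                expected.append({"mode": "active", "src": server_ip, "dst": ip, "dport": port})
            continue
        m = PASV_RE.match(line)
        if m and _endpoint(m.groups())[0] == server_ip:  # passive: client connects out
            ip, port = _endpoint(m.groups())
            expected.append({"mode": "passive", "src": client_ip, "dst": ip, "dport": port})
    return expected

def demo():
    return expected_data_connections(CONTROL_LOG, CLIENT_IP, SERVER_IP)
```

Without the helper loaded, neither entry exists in the conntrack table, and both the active (inbound) and passive (outbound) data connections fall through to whatever the plain port rules allow.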
