How to get FTP through a firewall [ipchains]?
Ken Schweigert
yellowdog-general@lists.terrasoftsolutions.com
Thu May 16 15:40:01 2002
Alex,
Let's give this a shot ...
[me, slowly waving one hand, using the Jedi Mind Trick]
[ me ] : You do not want to use active ftp.
[Alex] : I don't want to use active ftp.
[ me ] : You want to use passive ftp.
[Alex] : I want to use passive ftp.
A couple of helpful docs to read:
http://slacksite.com/other/ftp.html
http://www.faqs.org/rfcs/rfc1579.html
Sorry about that, just got back from watching Episode II. :)
--
-Ken Schweigert, Padawan Network Administrator
Byte Productions, LLC
http://www.byte-productions.com
On Thu, May 16, 2002 at 07:48:36PM +0200, Alexander Holst wrote:
> Hi YDLers,
>
> How does one get ftp services through an ipchains firewall? Somehow, I
> am missing something here:
>
> ipchains -L
> Chain input (policy DENY):
> target prot opt    source   destination    ports
> ACCEPT all  ------ anywhere anywhere       n/a                # my lo0
> ACCEPT all  ------ anywhere anywhere       n/a                # my eth1, trusted, eth0 is world
> ACCEPT icmp ------ anywhere anywhere       !5 -> any
> ...
> ACCEPT tcp  ------ anywhere My_WebServer   any -> ftp         # these work from outside
> ACCEPT tcp  ------ anywhere My_WebServer   any -> ftp-data    # these work from outside
> ACCEPT tcp  -y---- anywhere My_WebServer   ftp-data -> any    # these work from outside
> ACCEPT tcp  -y---- anywhere My_WebServer   ftp -> any         # these work from outside
> ACCEPT tcp  ------ anywhere My_WebServer   any -> http        # these work from outside
> ...
> ACCEPT tcp  ------ anywhere My_NetRange/24 ftp -> any         # to get ftp from in- to outside
> ACCEPT tcp  ------ anywhere My_NetRange/24 ftp-data -> any    # to get ftp from in- to outside
> ...
> ACCEPT tcp  !y---- anywhere My_NetRange/24 any -> any         # this bothers me, I had to put it in to get ftp to work correctly!
> ...
> REJECT tcp  -y---- anywhere anywhere       any -> any
> REJECT udp  ------ anywhere anywhere       any -> any
> Chain forward (policy ACCEPT):
> Chain output (policy ACCEPT):
>
> I know, this is not a very pretty setup as I am doing everything through
> the input chain, but I had to do a quick and dirty setup, as one of my
> boxes was cracked through an ssh exploit.
>
> now my question: Is it safe to put the line in question,
> ACCEPT tcp !y---- anywhere My_NetRange/24 any -> any
> in there? Or is there a more elegant way? I do no masquerading, all are
> real IP#s, inside as well as outside.
>
> Without the line, I was only able to connect, but couldn't get any
> directory listings nor was able to establish any down- or upload. How
> could I replace the line so just ftp works from clients inside to
> servers outside without opening another hole?
>
> Any help appreciated.
> Regards,
> Alex
>
> Alexander Holst
> Pforzheim University of Applied Sciences
> <holst@fh-pforzheim.de>
> ph: +49 [0]7231 28-6837
> fx: +49 [0]7231 28-6040
>
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general@lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>
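An added example, not part of Ken's reply or Alex's post, to make the active/passive distinction behind the advice concrete: it walks two constructed FTP control-channel exchanges (RFC 959 PORT command and 227 reply), decodes the h1,h2,h3,h4,p1,p2 address form, reports which side sends the SYN for the data connection, and states what a stateless input-chain filter in front of the client's network (the -y / !y terms of the listing above) must therefore accept. The client and server addresses, the session transcripts, and every function name are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
CLIENT_IP = "192.0.2.10"      # a client inside "My_NetRange/24"
SERVER_IP = "198.51.100.5"    # an FTP server on the outside

# Constructed control-channel transcripts; odd lines are the client, even lines the server.
ACTIVE_SESSION = [
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PORT 192,0,2,10,4,1",                              # client: call me back on 192.0.2.10:1025
    "200 PORT command successful.",
    "LIST",
]
PASSIVE_SESSION = [
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,195,80)",  # server: connect to 198.51.100.5:50000
    "LIST",
]

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply (RFC 959)."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host,port tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


@dataclass
class DataChannel:
    mode: str                        # "active" or "passive"
    initiator: str                   # side that sends the SYN: "server" or "client"
    src: Tuple[str, Optional[int]]   # (ip, port) of the SYN sender; None = ephemeral
    dst: Tuple[str, int]             # (ip, port) the SYN is aimed at
    warning: Optional[str] = None    # set when the announced address is not the peer


def data_channel(control: List[str], client_ip: str, server_ip: str) -> DataChannel:
    """Work out from the control channel who opens the data connection and to where."""
    for line in control:
        if line.upper().startswith("PORT "):
            ip, port = parse_hostport(line)
            # Active mode: the server calls back from port 20 (ftp-data) to the port the
            # client announced, so the data-channel SYN arrives from the outside.
            warn = None if ip == client_ip else "PORT names %s, not the client (FTP bounce?)" % ip
            return DataChannel("active", "server", (server_ip, 20), (ip, port), warn)
        if line.startswith("227 "):
            ip, port = parse_hostport(line)
            # Passive mode: the client connects from an ephemeral port to the address
            # the server announced, so the data-channel SYN leaves outward.
            warn = None if ip == server_ip else "227 names %s, not the server; use %s instead" % (ip, server_ip)
            return DataChannel("passive", "client", (client_ip, None), (ip, port), warn)
    raise ValueError("neither PORT nor a 227 reply seen on the control channel")


def input_chain_needs(chan: DataChannel) -> dict:
    """What a stateless input-chain filter guarding the client's network must accept
    for this data channel, in the -y (SYN only) / !y (anything else) terms of ipchains."""
    if chan.initiator == "server":
        # Active: a SYN from outside, source port 20, to an arbitrary high client port,
        # plus the non-SYN packets that follow it.
        return {"accept_inbound_syn": True, "syn_src_port": 20,
                "syn_dst_port": chan.dst[1], "accept_non_syn_replies": True}
    # Passive: the client's SYN goes out through the output chain; only the server's
    # non-SYN replies to the client's ephemeral port have to get back in.
    return {"accept_inbound_syn": False, "syn_src_port": None,
            "syn_dst_port": None, "accept_non_syn_replies": True}


if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        ch = data_channel(session, CLIENT_IP, SERVER_IP)
        print(name, "mode:", ch.initiator, "sends SYN", ch.src, "->", ch.dst)
        print("  input chain must accept:", input_chain_needs(ch))
        if ch.warning:
            print("  warning:", ch.warning)
```

Two caveats worth knowing when reading the output against the listing in the thread. First, ipchains has no connection tracking, so a `!y` rule is only an approximation of "established": it matches every inbound TCP segment that is not a bare SYN, to any inside port, whether or not a connection exists. Passive FTP keeps the data channel client-initiated, so that one reply rule is all the data channel needs, but it is still a stateless rule. Second, the address announced in a 227 reply (or a PORT command, server side) is untrusted input; the warning field above flags the case where it does not match the peer you are actually talking to, which is the check a careful client makes before connecting.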