How to get FTP through a firewall [ipchains]?

Ken Schweigert yellowdog-general@lists.terrasoftsolutions.com
Thu May 16 15:40:01 2002


Alex,
Let's give this a shot ...

[me, slowly waving one hand, using the Jedi Mind Trick]
  [ me ] : You do not want to use active ftp.
  [Alex] : I don't want to use active ftp.
  [ me ] : You want to use passive ftp.
  [Alex] : I want to use passive ftp.

A couple of helpful docs to read:
  http://slacksite.com/other/ftp.html
  http://www.faqs.org/rfcs/rfc1579.html

Sorry about that, just got back from watching Episode II.  :)

-- 
-Ken Schweigert, Padawan Network Administrator
Byte Productions, LLC
http://www.byte-productions.com



On Thu, May 16, 2002 at 07:48:36PM +0200, Alexander Holst wrote:
> Hi YDLers,
> 
> How does one get ftp services through an ipchains firewall? Somehow, I 
> am missing something here:
> 
> ipchains -L
> Chain input (policy DENY):
> target  prot opt     source    destination     ports
> ACCEPT  all  ------  anywhere  anywhere        n/a                # my lo0
> ACCEPT  all  ------  anywhere  anywhere        n/a                # my eth1, trusted, eth0 is world
> ACCEPT  icmp ------  anywhere  anywhere        !5 ->   any
> ...
> ACCEPT  tcp  ------  anywhere  My_WebServer    any ->   ftp       # these work from outside
> ACCEPT  tcp  ------  anywhere  My_WebServer    any ->   ftp-data  # these work from outside
> ACCEPT  tcp  -y----  anywhere  My_WebServer    ftp-data ->   any  # these work from outside
> ACCEPT  tcp  -y----  anywhere  My_WebServer    ftp ->   any       # these work from outside
> ACCEPT  tcp  ------  anywhere  My_WebServer    any ->   http      # these work from outside
> ...
> ACCEPT  tcp  ------  anywhere  My_NetRange/24  ftp ->   any       # to get ftp from in- to outside
> ACCEPT  tcp  ------  anywhere  My_NetRange/24  ftp-data ->   any  # to get ftp from in- to outside
> ...
> ACCEPT  tcp  !y----  anywhere  My_NetRange/24  any ->   any       # this bothers me, I had to put it in
>                                                                    # to get ftp to work correctly!
> ...
> REJECT  tcp  -y----  anywhere  anywhere        any ->   any
> REJECT  udp  ------  anywhere  anywhere        any ->   any
> Chain forward (policy ACCEPT):
> Chain output (policy ACCEPT):
> 
> I know, this is not a very pretty setup as I am doing everything through 
> the input chain, but I had to do a quick and dirty setup, as one of my 
> boxes was cracked through an ssh exploit.
> 
> Now my question: Is it safe to put the line in question,
> ACCEPT  tcp  !y----  anywhere  My_NetRange/24  any ->   any
> in there? Or is there a more elegant way? I do no masquerading, all are 
> real IP#s, inside as well as outside.
> 
> Without the line, I was only able to connect, but couldn't get any 
> directory listings nor was I able to establish any down- or upload. How 
> could I replace the line so just ftp works from clients inside to 
> servers outside without opening another hole?
> 
> Any help appreciated.
> Regards,
> Alex
> 
> Alexander Holst
> Pforzheim University of Applied Sciences
> <holst@fh-pforzheim.de>
> ph: +49 [0]7231 28-6837
> fx: +49 [0]7231 28-6040
> 
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general@lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>
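As an added illustration (not part of the thread above, and not ipchains code): the following Python model replays the quoted input chain against the four packets that matter for an FTP client inside My_NetRange, once without and once with the `!y` line Alex asked about. The rule set, the "inside" / "webserver" address classes and the ephemeral ports 40000-40002 and 50000 are constructed for the example; only the match fields the listing shows (protocol, SYN flag, destination, source and destination port) are modelled.

```python
"""Toy model of a stateless ipchains input chain (constructed example).

It reproduces only the fields visible in the quoted `ipchains -L` output:
protocol, the -y / !y SYN-only test, destination, source port, destination
port.  Rules are walked top to bottom and the first match wins; if nothing
matches, the chain policy (DENY in the listing) applies.
"""
from dataclasses import dataclass

FTP, FTP_DATA, HTTP = 21, 20, 80   # well-known ports named in the listing
ANY = None                          # "any" port / "anywhere" address


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    syn_only: bool    # True for a connection-opening SYN (what ipchains -y tests)
    dst: str          # "webserver" (My_WebServer) or "inside" (My_NetRange/24)
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str        # "tcp", "udp", "icmp" or "all"
    syn: object       # None = no flag test, True = "-y", False = "!y"
    dst: object       # None = anywhere, else "webserver" / "inside"
    sport: object     # None = any
    dport: object     # None = any
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto in ("all", p.proto),
            self.syn is None or self.syn == p.syn_only,
            self.dst in (None, p.dst),
            self.sport in (None, p.sport),
            self.dport in (None, p.dport),
        ])


def chain(with_estab_rule: bool) -> list:
    """The tcp/udp part of the quoted input chain, with or without the !y line."""
    rules = [
        Rule("ACCEPT", "tcp", None, "webserver", ANY, FTP, "inbound ftp control"),
        Rule("ACCEPT", "tcp", None, "webserver", ANY, FTP_DATA, "inbound ftp-data"),
        Rule("ACCEPT", "tcp", True, "webserver", FTP_DATA, ANY),
        Rule("ACCEPT", "tcp", True, "webserver", FTP, ANY),
        Rule("ACCEPT", "tcp", None, "webserver", ANY, HTTP, "inbound http"),
        Rule("ACCEPT", "tcp", None, "inside", FTP, ANY, "ftp out: control replies"),
        Rule("ACCEPT", "tcp", None, "inside", FTP_DATA, ANY, "ftp out: active data"),
    ]
    if with_estab_rule:
        # the line in question: accept any non-SYN tcp segment to the inside
        rules.append(Rule("ACCEPT", "tcp", False, "inside", ANY, ANY, "the !y line"))
    rules.append(Rule("REJECT", "tcp", True, None, ANY, ANY, "reject new SYNs"))
    rules.append(Rule("REJECT", "udp", None, None, ANY, ANY))
    return rules


def verdict(rules: list, p: Packet) -> tuple:
    for r in rules:
        if r.matches(p):
            return r.target, r.comment
    return "DENY", "chain policy"


# Constructed packets, all addressed to an FTP client inside My_NetRange.
SCENARIOS = {
    # reply on the control channel, from the remote server's port 21
    "control reply": Packet("tcp", False, "inside", FTP, 40000),
    # active mode: the remote server opens the data connection from port 20
    "active data SYN": Packet("tcp", True, "inside", FTP_DATA, 40001),
    # passive mode: our client opened the data connection; this is a reply
    "passive data reply": Packet("tcp", False, "inside", 50000, 40002),
    # an unsolicited connection attempt from outside
    "stray SYN": Packet("tcp", True, "inside", 4444, 22),
}


def verdicts(with_estab_rule: bool) -> dict:
    rules = chain(with_estab_rule)
    return {name: verdict(rules, p)[0] for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print("with the !y line:" if flag else "without the !y line:")
        for name, v in verdicts(flag).items():
            print(f"  {name:20s} {v}")
```

Walking the chain shows why the listing behaves as Alex describes: with ipchains keeping no connection state, the `!y` line is the only rule that lets reply segments of a client-initiated passive data connection (arbitrary source port, no SYN) back in, while a fresh SYN from outside still falls through to the REJECT rule. It also shows that the `ftp-data -> any` rule for My_NetRange accepts an inbound SYN from any host as long as its source port is 20, which is the active-mode exposure RFC 1579 (linked above) describes and the reason passive mode lets that rule go away.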