SLUG Mailing List Archives

Re: [SLUG] ftp through ipchains not working


On Thu, Aug 02, 2001 at 10:33:53PM +1000, chesty wrote:
> Quick fix is to use passive mode to transfer the files.
> ie type 'pas' before you do an ls or dl files.

thanks, that works for now (without having to remove the firewall
rules which I didn't really want to do!)
 
> I think the problem is you need to allow tcp --source-port 20
> to connect to your firewall. see if this works for you:
> $IPCHAINS -A input --interface ppp+ --protocol tcp --source-port 20 --destination-port 1024: -j ACCEPT --log

I haven't tried this yet - I'm ftp'ing down something so don't want
to stuff it up yet!  But I don't understand what it's for...
why port 1024, for example?

I beefed up the logging to log all rejected packets, so now attempting
a normal ftp outwards gives this: (198.142.51.107 is me)

Aug  4 16:54:19 spiral kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.16.234.19:21 198.142.51.107:3093 L=40 S=0x00 I=17861 F=0x4000 T=51 (#3)
Aug  4 16:54:22 spiral kernel: Packet log: input DENY ppp0 PROTO=6 203.16.234.19:20 198.142.51.107:3094 L=44 S=0x00 I=23584 F=0x4000 T=51 SYN (#14)
Aug  4 16:54:28 spiral kernel: Packet log: input DENY ppp0 PROTO=6 203.16.234.19:20 198.142.51.107:3094 L=44 S=0x00 I=33509 F=0x4000 T=51 SYN (#14)
Aug  4 16:54:40 spiral kernel: Packet log: input DENY ppp0 PROTO=6 203.16.234.19:20 198.142.51.107:3094 L=44 S=0x00 I=54413 F=0x4000 T=51 SYN (#14)

And so on.  I've since changed DENY to REJECT but same result, of course.
So incoming port 21 is OK - cos it's a reply to my outgoing ftp, I
guess - but the incoming port 20 (ftp-data) is not OK.
But my rule:
$IPCHAINS -A input --interface ppp+ --protocol tcp --destination-port 20:21 -j ACCEPT --log
should allow it???
(I combined the 2 ports into the one command - it was the same result
when it was 2 separate commands too)

And I thought I was getting the hang of ipchains too...

Dave.
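An added example, not part of the original post or of ipchains itself, that makes the mismatch in the log above concrete. It parses the "Packet log:" lines as posted and tests them against a simplified model of the two rules quoted in the thread: the `--destination-port 20:21` rule only looks at the *destination* port, but the active-mode FTP data connection arrives from the server with *source* port 20 and an ephemeral *destination* port (3094 here), which is why it is logged as DENY. The second rule, `--source-port 20 --destination-port 1024:`, matches it because `1024:` in ipchains means "1024 through 65535", the range ephemeral client ports come from. The rule names (`DAVE_RULE`, `CHESTY_RULE`) and the `Rule`/`Packet` classes are this example's own inventions; the rule model covers only interface, protocol and port ranges.

```python
"""Parse ipchains 'Packet log:' lines and test them against port-range rules.

Added example (not from the post or from ipchains): shows why a rule on
--destination-port 20:21 never matches the server-initiated FTP data
connection, which has SOURCE port 20 and an ephemeral DESTINATION port.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two log lines as posted in the thread (not newly constructed traffic).
SAMPLE_LOG = """\
Aug  4 16:54:19 spiral kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.16.234.19:21 198.142.51.107:3093 L=40 S=0x00 I=17861 F=0x4000 T=51 (#3)
Aug  4 16:54:22 spiral kernel: Packet log: input DENY ppp0 PROTO=6 203.16.234.19:20 198.142.51.107:3094 L=44 S=0x00 I=23584 F=0x4000 T=51 SYN (#14)
"""

# chain verdict iface PROTO=n src:sport dst:dport ... [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Packet:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for an ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Packet(
        chain=m["chain"], verdict=m["verdict"], iface=m["iface"],
        proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        syn=" SYN " in line,  # ipchains appends SYN for connection-opening packets
    )


@dataclass
class Rule:
    """Subset of an ipchains rule: interface prefix, protocol, port ranges.
    A range (lo, hi) mirrors ipchains 'lo:hi'; '1024:' is (1024, 65535)."""
    name: str
    iface_prefix: str = "ppp"           # --interface ppp+
    proto: int = 6                      # --protocol tcp
    sport: Tuple[int, int] = (0, 65535)  # --source-port
    dport: Tuple[int, int] = (0, 65535)  # --destination-port

    def matches(self, p: Packet) -> bool:
        return (p.iface.startswith(self.iface_prefix)
                and p.proto == self.proto
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


# Hypothetical names; the bodies are the two rules quoted in the thread.
DAVE_RULE = Rule("dport 20:21", dport=(20, 21))
CHESTY_RULE = Rule("sport 20 -> dport 1024:", sport=(20, 20), dport=(1024, 65535))


def is_active_ftp_data(p: Packet) -> bool:
    """Server-initiated FTP data connection: TCP SYN from port 20 to a high port."""
    return p.proto == 6 and p.syn and p.sport == 20 and p.dport >= 1024


def first_match(p: Packet, rules: List[Rule]) -> Optional[str]:
    """Name of the first rule in chain order that would accept the packet."""
    for r in rules:
        if r.matches(p):
            return r.name
    return None


def audit(log_text: str, rules: List[Rule]) -> List[dict]:
    """For each logged packet, report whether it is an active-mode FTP data
    SYN and which of the given rules (if any) would have accepted it."""
    report = []
    for line in log_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        report.append({
            "verdict": p.verdict, "sport": p.sport, "dport": p.dport,
            "active_ftp_data": is_active_ftp_data(p),
            "accepted_by": first_match(p, rules),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, [DAVE_RULE, CHESTY_RULE]):
        print(row)
```

Running it shows the DENY line flagged as an active-mode data SYN that the `20:21` rule misses and the `sport 20 -> dport 1024:` rule catches. The ACCEPT line (port 21 reply, no SYN) matches neither modelled rule because it was accepted by rule #3 of the real chain, which is not quoted in the thread. One caveat on the source-port rule: since it accepts purely on the remote port number, any host can reach any listener above 1024 on the firewall by sending from port 20, so it trades the FTP breakage for a wider hole; passive mode (as suggested at the top of the thread) avoids the incoming connection altogether, and stateful firewalls with an FTP connection-tracking helper later solved this without either compromise.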