[ale] FTP weirdness
Joseph A. Knapka
jknapka at earthlink.net
Fri Apr 27 05:33:09 EDT 2001
bkruger at mindspring.com wrote:
>
> >channel for command and control (initiated by the client) and an inbound
> >channel for data (initiated by the server). Since the data channel is
> >initiated by the server inward to the client on a privileged port (hence
> >penetrating the firewall), admins were forced to open this port for pretty
> >much anyone. Passive mode allows the client to initiate both connections
> >outward, thereby closing a potential security hole.
> >
> >Unfortunately, Microsoft has not seen fit to implement this improvement in
> >the technology, which is why your Linux works correctly while your MS does not.
>
> I just tried a session with ws_ftp from a Windows 2000 client using the passive mode, and again the same error.
> I wonder if someone has a good (read also simple) IP_Tables or IP_Chains setup that allows Windows ftp clients to work with the 2.4.x kernels.
>
This seems to do it for me. On 2.2, with ip_masq_ftp.o insmod'ed; maybe
this will work for you on 2.4. For iptables, no idea, sorry... But Windows
clients *do* work for me.
# Accept attempts to open an FTP data connection.
ipchains -A input -p tcp -s 0.0.0.0/0 20 -y -j ACCEPT -l
Incidentally, IPFilter handles this better (it dynamically adds filter rules
to accept incoming data connections only from hosts to which there is an
active control connection). Apparently there is a port of IPFilter for
Linux, though I use it on OpenBSD. I like it much better than ipchains.
-- Joe
> Getting closer...
>
> Regards - Bob Kruger
>
> At 07:16 AM 4/25/2001 -0400, you wrote:
> >Leonard/Joe;
> >
> >I pulled the man file for ftp and did a search, but could find nothing on
> >"passive mode." I have missed something here...
> >
> >"Joseph A. Knapka" wrote:
> >
> > > Leonard Thornton wrote:
> > > >
> > > > Is your Linux box you are going through your firewall/NAT box? With your
> > > > Linux clients that work through this box, have you tried setting PASSIVE
> > > > mode off and seeing if they work?
> > > >
> > > > If this box IS a firewall/NAT box, you need to make sure that ftp-data port
> > > > is open inbound AND that it is MASQ'd properly. Look at elofw.sh out on
> > > > www.linux.org for an example of how to do this....You can test this by
> > > > setting your Linux ftp clients to use ACTIVE mode rather than PASSIVE for
> > > > transfers. If this is your problem, your Linux clients will fail in
> > > > ACTIVE mode.
> > >
> >Like I said, the ftp clients for linux boxes in the sub net work fine. This only
> >crops up with the windows machines that also use the firewall. Before going to the
> >new kernel, all worked.
> >
> > > You can also "insmod ip_masq_ftp.o" to get active connections to work
> > > properly.
> >
> >Joe - I think this is only pertinent for the older 2.2.x kernels. I am still using
> >IP chains, though, and compiled the kernel accordingly.
> >
> >Getting closer....
> >
> >Bob
> >
> >--
> >To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
>
> The difficult while you wait.....the impossible overnight.
>
> Leonard Thornton
> Intelis, Inc.
> 5960 Crooked Creek Rd
> Suite 30
> Norcross, GA 30092
>
> Office: 770.825.0032
> Fax: 770.825.0028
> Cellular: 404.583.5402
> Pager: 888.785.9188
> Email: Leonard at Intelis-Inc.net
>
--
"If I ever get reincarnated... let me make certain I don't come back
as a paperclip." -- protagonist, H Murakami's "Hard-boiled Wonderland"
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
* Evolution is an "unproven theory" in the same sense that gravity is. *
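The thread contrasts two ways of letting FTP data connections through a firewall: Joe's static ipchains rule (accept any TCP SYN whose source port is 20, from any host) and the IPFilter/ip_masq_ftp approach (watch the control channel and open only the one data connection it announces). The following Python model, added here as an illustration and not code from the thread or from any of the tools it names, parses RFC 959 PORT commands and 227 PASV replies and shows why the stateful approach is narrower. All addresses, ports and control-channel lines are constructed for the example; the `FtpDataTracker` class is a hypothetical simplification, not the kernel helper's actual logic.

```python
"""Active vs. passive FTP data connections: static port-20 rule vs. a
stateful helper. Added example; addresses and lines are constructed."""
import re
from typing import Optional, Set, Tuple

# Client -> server, active mode:  PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Server -> client, passive mode: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

Endpoint = Tuple[str, int]
Expectation = Tuple[str, Optional[int], str, int]  # src_ip, src_port|None, dst_ip, dst_port


def decode_hostport(groups) -> Endpoint:
    """Six decimal bytes (RFC 959) -> (dotted IPv4, port = p1*256 + p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host-port string")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port_command(line: str) -> Optional[Endpoint]:
    m = PORT_RE.match(line.strip())
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[Endpoint]:
    m = PASV_RE.match(line.strip())
    return decode_hostport(m.groups()) if m else None


def static_rule_allows(src_port: int, syn: bool) -> bool:
    """Logic of 'ipchains -A input -p tcp -s 0.0.0.0/0 20 -y -j ACCEPT':
    any SYN from TCP source port 20 is accepted, whoever sends it."""
    return syn and src_port == 20


class FtpDataTracker:
    """Hypothetical stateful helper: a data connection is allowed only if a
    live control session announced exactly that endpoint pair, and only once."""

    def __init__(self) -> None:
        self.expected: Set[Expectation] = set()

    def observe_control(self, client_ip: str, server_ip: str, line: str) -> None:
        ep = parse_port_command(line)
        if ep:
            host, port = ep
            if host == client_ip:  # only honour an address belonging to this session
                # Active mode: server connects from port 20 to the client's endpoint.
                self.expected.add((server_ip, 20, host, port))
            return
        ep = parse_pasv_reply(line)
        if ep:
            host, port = ep
            if host == server_ip:
                # Passive mode: client connects outward from any ephemeral port.
                self.expected.add((client_ip, None, host, port))

    def allow_data(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        match = None
        for e_src, e_sport, e_dst, e_dport in self.expected:
            if (e_src, e_dst, e_dport) == (src_ip, dst_ip, dst_port) and e_sport in (None, src_port):
                match = (e_src, e_sport, e_dst, e_dport)
                break
        if match is None:
            return False
        self.expected.discard(match)  # one data connection per announcement
        return True


def compare_rules() -> dict:
    """Constructed scenario: inside client 192.168.1.10, outside server 203.0.113.5,
    and an unrelated outside host 198.51.100.9 that also sends from port 20."""
    client, server, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    tracker = FtpDataTracker()
    tracker.observe_control(client, server, "PORT 192,168,1,10,4,1")  # port 1025
    return {
        "static_allows_server": static_rule_allows(20, syn=True),
        "static_allows_stranger": static_rule_allows(20, syn=True),
        "stateful_allows_server": tracker.allow_data(server, 20, client, 1025),
        "stateful_allows_stranger": tracker.allow_data(stranger, 20, client, 1025),
    }


if __name__ == "__main__":
    for name, verdict in compare_rules().items():
        print(f"{name}: {verdict}")
```

The static rule accepts the stranger's SYN as readily as the real server's, because source port 20 is chosen by the sender; the tracker accepts only the connection the control channel predicted, which is the property Joe attributes to IPFilter.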