[ale] FTP/firewall issue
Bob Kruger
krugerb at benning.army.mil
Tue Jul 3 09:50:52 EDT 2001
tewkewl at mindspring.com wrote:
> What firewall is this? Is this ipchains/iptables or is it a 'name-brand'?
>
> If it is a stateful inspection type firewall, make sure stateful inspection is enabled.
>
> If it is not, then make sure you have port 21 (tcp) open for control coming in to the server, and port 20 (udp/tcp) for data. These are the only two ports used for active FTP. If it is a Linux/Unix box, run two sessions of tcpdump on the internal/DMZ NIC and external NIC and compare the data when a user tries to log in.
>
Firewall is iptables.
FTP daemon is ProFTPD.
Ports 20 and 21 are opened up for both tcp and udp for the LAN using the following:
/usr/sbin/iptables -A INPUT -p udp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ALLOW
/usr/sbin/iptables -A INPUT -p tcp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ALLOW
/usr/sbin/iptables -A INPUT -p udp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ALLOW
/usr/sbin/iptables -A INPUT -p tcp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ALLOW
Users can log in, but cannot list the directories.
The following allows everyone in the LAN to ftp in and do a successful "ls":
/usr/sbin/iptables -A INPUT -s 192.168.2.0/24 -i eth1 -j ALLOW
In this example, I place no restrictions on ports or protocols for the LAN.
So, there is something else missing that needs to be turned on. Any ideas?
Regards - Bob Kruger
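An added illustration for this thread (editor's code, not Bob's rules or ProFTPD's): it replays the server-side INPUT policy from the post against both FTP data-channel modes and compares it with a toy FTP-aware connection tracker. The addresses, the ephemeral port, the `compare` helper and the `FtpConntrack` class are constructed for the example; the tracker only mimics the idea behind RELATED tracking, it is not the real ip_conntrack_ftp module.

```python
import re
from typing import NamedTuple
SERVER = "192.168.2.10"  # constructed: the proftpd host behind eth1
CLIENT = "192.168.2.55"  # constructed: a LAN client

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def static_input_filter(pkt: Packet) -> bool:
    """The post's INPUT rules: LAN source and dport 20 or 21, nothing else."""
    return pkt.src.startswith("192.168.2.") and pkt.dport in (20, 21)

def _hostport(groups) -> tuple:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def expected_data_packet(line: str) -> Packet:
    """First inbound data-channel packet the server's INPUT chain sees.
    Active (client sent PORT): server dials out from :20, replies carry dport 20.
    Passive (server sent 227): client dials the announced high port."""
    m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
    if m:
        host, port = _hostport(m.groups())
        return Packet(host, port, SERVER, 20)
    m = re.search(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if m:
        host, port = _hostport(m.groups())
        return Packet(CLIENT, 40123, host, port)  # constructed ephemeral sport
    raise ValueError("not a PORT command or 227 reply")

class FtpConntrack:
    """Toy stand-in for FTP-aware connection tracking: accept a data connection
    only if it was announced on the already-accepted control channel."""
    def __init__(self) -> None:
        self.related = set()
    def observe(self, line: str) -> None:
        p = expected_data_packet(line)
        self.related.add((p.src, p.dst, p.dport))
    def accept(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.dst, pkt.dport) in self.related

def compare(line: str) -> tuple:
    """(static-rule verdict, tracking verdict) for one negotiation line."""
    pkt = expected_data_packet(line)
    ct = FtpConntrack()
    ct.observe(line)
    return static_input_filter(pkt), ct.accept(pkt)
```

Active-mode data replies arrive with dport 20 and pass the static rules, while a passive-mode data connection arrives on an ephemeral server port and is dropped, which reproduces "login works, ls fails" whenever the client defaults to passive mode. Tracking the control channel accepts both without opening the whole host, which is the stateful-inspection point raised in the quoted reply.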