[ale] FTP/firewall issue

Joseph A. Knapka jknapka at earthlink.net
Tue Jul 3 14:38:58 EDT 2001


Bob Kruger wrote:
> 
> "Joseph A. Knapka" wrote:
> 
> > Bob Kruger wrote:
> > >
> > > "Joseph A. Knapka" wrote:
> > >
> > > > You need to open connections *to* your machine at ports >1024
> > > > *from* foreign port 21. The way active FTP works is that
> > > > the client makes an outgoing connection to port 20 on the
> > > > server, sends the server a local port number for data connections,
> > > > (chosen more or less at random), and then the server initiates a
> > > > connection to the client on that port from server port 21.
> > > > (What were they thinking...)
> > >
> > > Joe;
> > >
> > > I enabled the following, and it seems to be doing the trick:
> > >
> > > /usr/sbin/iptables -A INPUT -i eth1 -s 192.168.2.0/24 -d 192.168.2.1 -j ACCEPT
> > >
> > > I am not exactly sure why, but I can now list the directories.
> >
> > I'm not sure why either. Let me ask a question: is the
> > FTP server machine you're trying to reach *on* the 192.168.2.0/24
> > net? Or is it external, and 192.168.2.1 is masquerading for the
> > 192.168.2.0 network? That's what I originally thought, but
> > rereading your initial message, I'm no longer sure.
> >
> 
> No, 192.168.2.1 is on the actual 192.168.2.0/24 subnetwork.

OK, but what's not clear to me is whether 192.168.2.1 *is*
the FTP server you are trying to reach. I take it that it
is? In which case, the fact that the rule above allows clients
to get data from the server doesn't make sense to
me, given that you already have a rule allowing connections
to 192.168.2.1 on port 20. You still would need to allow
connections outgoing from port 21, to any client port > 1024,
as I understand it. But then, it's certainly possible
my understanding of FTP is fatally flawed (I don't think
so, however.)
-- Joe Knapka
"You know how many remote castles there are along the gorges? You
 can't MOVE for remote castles!" -- Lu Tze re. Uberwald
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
* Evolution is an "unproven theory" in the same sense that gravity is. *
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
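An added example, not part of the thread, modelling the two firewall policies the thread is circling around: a blanket "accept anything from source port 20" rule versus a conntrack-style FTP helper that only opens the pinhole a PORT command actually announced. It follows RFC 959 (client sends PORT on the control connection to server port 21; the server then connects from port 20), and all names (`parse_port`, `FtpHelper`, `demo`), addresses and the PORT line are constructed for illustration.

```python
# Added example (not from the thread): why a conntrack FTP helper beats a blanket
# "accept anything from source port 20" rule. Per RFC 959 the client sends PORT on
# the control connection (server port 21) and the server then connects *from* port
# 20 to the announced address/port. All addresses and the PORT line are constructed.
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(cmd):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def stateless_allows(pkt):
    """Blanket rule: accept any SYN from source port 20 to an unprivileged port.
    Any host can choose source port 20, so this admits far more than FTP data."""
    return pkt["sport"] == 20 and pkt["dport"] > 1024

class FtpHelper:
    """Stand-in for the conntrack FTP helper: a data SYN is RELATED only if it
    matches a PORT command seen on an established control session."""
    def __init__(self):
        self.expect = set()  # (server_ip, client_ip, client_port) pinholes

    def saw_control(self, client_ip, server_ip, line):
        parsed = parse_port(line)
        # Ignore PORT lines naming a third-party address (classic FTP bounce).
        if parsed and parsed[0] == client_ip:
            self.expect.add((server_ip, parsed[0], parsed[1]))

    def allows(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if pkt["sport"] == 20 and key in self.expect:
            self.expect.discard(key)  # one-shot pinhole
            return True
        return False

def demo():
    """Compare both policies on a genuine data SYN and on an unrelated probe."""
    helper = FtpHelper()
    helper.saw_control("192.168.2.50", "192.168.2.1", "PORT 192,168,2,50,4,1")
    data = {"src": "192.168.2.1", "dst": "192.168.2.50", "sport": 20, "dport": 1025}
    probe = {"src": "10.9.8.7", "dst": "192.168.2.50", "sport": 20, "dport": 6000}
    return (stateless_allows(data), helper.allows(data),
            stateless_allows(probe), helper.allows(probe))
```

`demo()` returns `(True, True, True, False)`: both policies admit the real data connection, but only the helper rejects the unrelated probe that merely set source port 20. With real iptables this is the difference between a bare `--sport 20` ACCEPT and loading the FTP conntrack helper and matching `-m state --state RELATED,ESTABLISHED`.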