
RE: [suse-security] SuSEfirewall2 and Active ftp



I got this working ONLY by masquerading and only from one direction (internal LAN) to the other (external LAN). The other way around will most probably only work if you have an FTP server in a DMZ.

This is my config (with masquerading):
  FW_DEV_EXT="eth1"
  FW_DEV_INT="eth0"
  FW_ROUTE="yes"
  FW_MASQUERADE="yes"
  FW_MASQ_DEV="$FW_DEV_EXT"
  FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
  FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
  FW_TRUSTED_NETS=""
  FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

I am myself using a SuSE firewall between two LANs. Another solution might be to use SuSE firewall in combination with Squid or so, but I am working on this issue myself currently.

Cheers


-----Original Message-----
From: André Sänger [mailto:Andre.Saenger@xxxxxx] 
Sent: Wednesday, July 16, 2003 4:46 PM
To: suse-security@xxxxxxxx
Subject: [suse-security] SuSEfirewall2 and Active ftp


Hello suse-security,

I'm still not sure how to configure SuSEfirewall2 to get active FTP working.

The server is between two LANs and is doing no masquerading.


From the config:


FW_FORWARD="[...] \
myip,ftpserverip,tcp,21 \
myip,ftpserverip,tcp,20"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"


Now if I try to establish a connection I get a connect, but when trying to list the FTP directory the FTP client hangs.

The firewall log says:

  Jul 16 16:13:51 [firewallmachine] kernel: SuSE-FW-DROP-DEFAULT
  IN=eth1 OUT=eth0 SRC=[ftpserverip] DST=[myip] LEN=60 TOS=0x08
  PREC=0x00 TTL=62 ID=46457 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840
  RES=0x00 SYN URGP=0 OPT (020405B40402080A16229CFF0000000001030300)

What else is needed to get active ftp working through SuSEfirewall2?


If I insert a rule like

  $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED \
      -d $quelle -s $ziel -p tcp --sport 20

in SuSEfirewall2-custom, active FTP works again, but I don't think that's the proper way? There has to be something in /etc/sysconfig/SuSEfirewall2 I'm missing.

The firewall machine is running SuSE 8.2 Professional, kernel 2.4.20-4GB-athlon.


-- 
Kind regards,
 André Sänger                         mailto:Andre.Saenger@xxxxxx



-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
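As an added example (not code from the thread or from SuSEfirewall2), a small Python parser for the SuSE-FW-DROP-DEFAULT record quoted above: it splits the netfilter LOG fields and recognises the dropped active-FTP data connection (a TCP SYN from source port 20 to a high port) so that it is not read as a generic drop. The sample line is reconstructed from the post with its [ftpserverip]/[myip] placeholders kept as posted.

```python
# Constructed sample: the drop record from the post joined back into the
# single line the kernel writes ([ftpserverip]/[myip] placeholders kept).
SAMPLE_LOG = (
    "Jul 16 16:13:51 [firewallmachine] kernel: SuSE-FW-DROP-DEFAULT "
    "IN=eth1 OUT=eth0 SRC=[ftpserverip] DST=[myip] LEN=60 TOS=0x08 "
    "PREC=0x00 TTL=62 ID=46457 DF PROTO=TCP SPT=20 DPT=1137 WINDOW=5840 "
    "RES=0x00 SYN URGP=0 OPT (020405B40402080A16229CFF0000000001030300)"
)
# Bare words the netfilter LOG target emits without a value.
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CE"}

def parse_fw_log(line):
    """Split a netfilter LOG record into a dict: the log prefix under
    'prefix', KEY=value fields by key, bare flag words under 'flags'."""
    if "kernel:" not in line:
        return None
    tokens = line.partition("kernel:")[2].split()
    if not tokens:
        return None
    rec = {"prefix": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in FLAG_WORDS:
            rec["flags"].add(tok)
    return rec

def is_active_ftp_data_syn(rec):
    """True for the server-initiated data connection of active FTP:
    a TCP SYN from source port 20 to an unprivileged (>=1024) port."""
    return (rec.get("PROTO") == "TCP" and rec.get("SPT") == "20"
            and "SYN" in rec["flags"]
            and rec.get("DPT", "").isdigit() and int(rec["DPT"]) >= 1024)

def explain(line):
    """Classify one log line; the active-FTP case names the rule the
    original post found necessary (accept it as ESTABLISHED,RELATED)."""
    rec = parse_fw_log(line)
    if rec is None or not rec["prefix"].startswith("SuSE-FW-DROP"):
        return "not a SuSEfirewall2 drop record"
    if is_active_ftp_data_syn(rec):
        return ("active FTP data connection %s:20 -> %s:%s dropped on %s->%s; "
                "accept it as ESTABLISHED,RELATED (FTP conntrack helper or a "
                "--sport 20 rule)" % (rec.get("SRC"), rec.get("DST"),
                                      rec.get("DPT"), rec.get("IN"),
                                      rec.get("OUT")))
    return "dropped %s packet %s:%s -> %s:%s" % (
        rec.get("PROTO"), rec.get("SRC"), rec.get("SPT"),
        rec.get("DST"), rec.get("DPT"))
```

Feed it `grep SuSE-FW- /var/log/messages` line by line to separate the active-FTP data drops from unrelated noise.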