
Re[4]: [suse-security] SuSEfirewall2 and Active ftp



Hello Knut,

ok, but the data transfer from the ftp-server does originate from port
20. So why can't I just tell the firewall to accept packets from the
ftp-server which originate at port 20 and are targeted to my client?

After reading a bit through the SuSEfirewall2 script I found that such
a rule is indeed inserted:

(from #SuSEfirewall2 status
assuming the client has 10.1.1.1 and the ftp-server 192.168.0.1):

    0     0 ACCEPT     tcp  --  *      *       10.1.1.1       192.168.0.1       state NEW,RELATED,ESTABLISHED tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       192.168.0.1    10.1.1.1          state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02

Now if I insert a similar rule just without the flags:... part:

    0     0 ACCEPT     tcp  --  *      *       192.168.0.1    10.1.1.1          state RELATED,ESTABLISHED tcp spt:20

Then it works. What is this flags... thing for?


-- 
Best regards,
 André                            mailto:Andre.Saenger@xxxxxx
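
Added example, not part of the original post: a small Python model of how the two `spt:20` rules quoted above evaluate the packets that 192.168.0.1 sends from port 20 during an active-FTP data connection. iptables prints a TCP flags match as mask/compare, so `flags:!0x16/0x02` reads "not ((flags & 0x16) == 0x02)"; the packet sequence and the RELATED state on the opening SYN are constructed assumptions, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    ctstate: str   # connection-tracking state assigned to the packet
    flags: int

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    sport: int
    states: frozenset
    tcp_flags: Optional[tuple] = None   # (mask, compare, inverted) or None

    def flags_match(self, flags: int) -> bool:
        if self.tcp_flags is None:
            return True
        mask, comp, inverted = self.tcp_flags
        hit = (flags & mask) == comp    # only the bits in mask are examined
        return hit != inverted          # "!" flips the result

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and p.sport == self.sport and p.ctstate in self.states
                and self.flags_match(p.flags))

STATES = frozenset({"RELATED", "ESTABLISHED"})
WITH_FLAGS = Rule("192.168.0.1", "10.1.1.1", 20, STATES, (0x16, 0x02, True))
WITHOUT_FLAGS = Rule("192.168.0.1", "10.1.1.1", 20, STATES)

def data_connection():
    """Constructed sample: server-to-client packets of one data connection."""
    mk = lambda state, flags: Packet("192.168.0.1", "10.1.1.1", 20, state, flags)
    return [("SYN", mk("RELATED", SYN)), ("ACK", mk("ESTABLISHED", ACK)),
            ("PSH,ACK", mk("ESTABLISHED", PSH | ACK)),
            ("FIN,ACK", mk("ESTABLISHED", FIN | ACK))]

def verdicts(rule: Rule) -> dict:
    return {name: rule.matches(p) for name, p in data_connection()}

if __name__ == "__main__":
    print("with flags:   ", verdicts(WITH_FLAGS))
    print("without flags:", verdicts(WITHOUT_FLAGS))
```

The mask 0x16 is SYN|RST|ACK and the compare value 0x02 is SYN alone, so the inverted match excludes exactly the packet that opens a connection and lets every later packet of that connection through.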


