Hello

With the following in my tcrules I can log in to my ftp site:

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
3     $FW    0.0.0.0/0 tcp   21

But I cannot ls or get. Of course I need more than just a control connection. So I try the following in my tcrules:

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
3     $FW    0.0.0.0/0 -     -       -       -    -    -      -   -         ftp

Which does not work at all. A shorewall iptrace reveals that with the above tcrules (with the helper) packets are not marked.

So, um, how should I be using my ftp helper to mark packets?

Regards
Fog_Watch.

# lsmod | grep ftp
nf_nat_tftp             1301  0
nf_nat_ftp              2267  0
nf_conntrack_tftp       3810  1 nf_nat_tftp
nf_conntrack_ftp        6177  1 nf_nat_ftp
nf_nat                 14504  7 nf_nat_sip,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_ftp,iptable_nat
nf_conntrack           52369 21 nf_nat_sip,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_ftp,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
Have you read http://www.shorewall.net/FTP.html ?

Especially where it says:

    Important

    Once you have made these changes to /etc/shorewall/modules and/or /etc/modules.conf, you must either:

    Unload the modules and restart shorewall:

        rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart

    or

    Reboot

-----Original Message-----
From: Fog_Watch [mailto:db5@exemail.com.au]
Sent: Friday, 4 June 2010 12:43 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] tcrules' HELPERs are not helping
On Fri, 4 Jun 2010 13:32:12 +0800
"Trent O'Callaghan" <trent.ocallaghan@nearmap.com> wrote:

> Have you read http://www.shorewall.net/FTP.html ?

Yes

> Especially where it says:
> Important
>
> Once you have made these changes to /etc/shorewall/modules and/or
> /etc/modules.conf, you must either:
>
> Unload the modules and restart shorewall:
>
> rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart
> or
> Reboot

Thanks Trent, I don't believe I need to do anything here. My destination port is the standard 21, so I can't see why /etc/shorewall/modules needs to be altered. That said, even after a fresh "rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart" packets are still not marked.

To reiterate; tcrules:

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
3     $FW    0.0.0.0/0 tcp   21

marks

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
3     $FW    0.0.0.0/0 -     -       -       -    -    -      -   -         ftp

does not mark.

Strangely, with:

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
3     $FW    0.0.0.0/0 -     -       -       -    -    -      -   -         ftpasdf

"/etc/init.d/shorewall restart" does not error. I would have thought that the bogus helper "ftpasdf" would have caused some type of error, but not in my case.

Any other ideas about this helper-marking problem?

Regards
Fog_Watch

# shorewall debug version
4.4.2.1
On 6/5/10 3:43 AM, Fog_Watch wrote:

> Any other ideas about this helper-marking problem?

Please forward the output of 'shorewall dump' collected after testing the helper rule.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 6/5/10 6:22 AM, Tom Eastep wrote:

> On 6/5/10 3:43 AM, Fog_Watch wrote:
>
>> Any other ideas about this helper-marking problem?
>
> Please forward the output of 'shorewall dump' collected after testing
> the helper rule.

Before doing that, you might see if specifying 'tcp' in the PROTO column solves your problem; it works for me.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sat, 05 Jun 2010 06:22:38 -0700
Tom Eastep <teastep@shorewall.net> wrote:

> Please forward the output of 'shorewall dump' collected after testing
> the helper rule.

Hello

I've re-established the problem on another set of boxes and attempted to make it as simple as possible. The setup is pretty standard:

+-------------------------------------------------+
| mr-clever                          mr-muddle    |
| +-------------------------+        +-----+      |
| |ftp                      |        |ftpd |      |
| |# uname -rm              |        |     |      |
| |2.6.29-gentoo-r5 i686    |        |     |      |
| |# shorewall debug version|        |     |      |
| |4.4.9                    |        |     |      |
| +-------------------------\        /-----+      |
|                            \      /             |
|                             \    /              |
|                              \------/           |
|                              |switch|           |
|                              .'------.__        |
|                            .'           ``--.   |
|                          .'                     |
+-------------------------------------------------+

With the following in my tcrules I can ftp to mr-muddle:

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
2     $FW    0.0.0.0/0 tcp   21

With the following in my tcrules I cannot:

####################################################################
#MARK SOURCE DEST      PROTO DEST    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#                            PORT(S) PORT(S)
2     $FW    0.0.0.0/0 tcp   -       -       -    -    -      -   -         ftp

That is, the HELPER ftp is not marking packets. The following is what a marked packet looks like:

Jun  6 16:32:14 mr-clever TRACE: mangle:POSTROUTING:policy:2 INOUT=eth0 SRC=192.168.3.21 DST=192.168.3.23 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37036 DF PROTO=TCP SPT=49155 DPT=21 SEQ=3789899975 ACK=3607433152 WINDOW=1460 RES=0x00 ACK FIN URGP=0 OPT (0101080AFFFFEB66005D6EEB) UID=0 GID=0 MARK=0x2

Thanks Tom, mr-clever 'shorewall dump' in the attachment.

Regards
Fog_Watch.
On 6/6/10 2:59 AM, Fog_Watch wrote:

> On Sat, 05 Jun 2010 06:22:38 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
>> Please forward the output of 'shorewall dump' collected after testing
>> the helper rule.
>
> Hello
>
> I've re-established the problem on another set of boxes and attempted
> to make it as simple as possible. The setup is pretty standard:

The helper match is working fine; it is your ill-conceived use of it that is broken. The 'ftp' helper matches packets that are part of connections RELATED TO an ftp control connection; it does not match packets that are part of the control connection itself.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 6/6/10 6:37 AM, Tom Eastep wrote:

> The helper match is working fine; it is your ill-conceived use of it
> that is broken. The 'ftp' helper matches packets that are part of
> connections RELATED TO an ftp control connection; it does not match
> packets that are part of the control connection itself.

In other words, it matches packets that are part of an FTP "Data Connection". See http://www.shorewall.net/FTP.html#Protocol

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
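An added check, not part of the thread and not Shorewall's own code: a small Python script that parses 'shorewall iptrace' output in the TRACE format quoted earlier in the thread and counts, per mangle chain, how many FTP control packets (port 21) and data packets carry a MARK. The sample trace is constructed (hosts, ports and sequence numbers are made up). Marking both kinds of traffic takes both rules: the 'tcp 21' entry for the control connection and the HELPER ftp entry for the data connections related to it.

```python
import re

FTP_CONTROL_PORT = 21

# Constructed sample of 'shorewall iptrace' output, modelled on the TRACE line
# quoted in the thread; hosts, ports and sequence numbers are made up. Line 1 is
# a marked control-connection packet, line 2 an unmarked data-connection packet
# (PASV port 50000), line 3 the same data flow after a helper rule marked it.
SAMPLE_TRACE = """\
Jun  6 16:32:14 mr-clever TRACE: mangle:POSTROUTING:policy:2 INOUT=eth0 SRC=192.168.3.21 DST=192.168.3.23 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37036 DF PROTO=TCP SPT=49155 DPT=21 SEQ=3789899975 ACK=3607433152 WINDOW=1460 RES=0x00 ACK FIN URGP=0 UID=0 GID=0 MARK=0x2
Jun  6 16:32:15 mr-clever TRACE: mangle:POSTROUTING:policy:3 INOUT=eth0 SRC=192.168.3.21 DST=192.168.3.23 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37037 DF PROTO=TCP SPT=49156 DPT=50000 SEQ=100 ACK=200 WINDOW=1460 RES=0x00 ACK URGP=0 UID=0 GID=0
Jun  6 16:32:16 mr-clever TRACE: mangle:POSTROUTING:rule:1 INOUT=eth0 SRC=192.168.3.21 DST=192.168.3.23 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37038 DF PROTO=TCP SPT=49156 DPT=50000 SEQ=101 ACK=200 WINDOW=1460 RES=0x00 ACK URGP=0 UID=0 GID=0 MARK=0x2
"""

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_trace_line(line):
    """Return the KEY=VALUE fields of one TRACE line; numeric values become ints."""
    fields = {}
    for key, value in TOKEN_RE.findall(line):
        try:
            fields[key] = int(value, 0)  # base 0 accepts both MARK=0x2 and DPT=21
        except ValueError:
            fields[key] = value
    return fields


def classify(fields):
    """'control' if either TCP port is 21, 'data' otherwise, None for non-TCP lines."""
    if fields.get("PROTO") != "TCP" or "SPT" not in fields or "DPT" not in fields:
        return None
    return "control" if FTP_CONTROL_PORT in (fields["SPT"], fields["DPT"]) else "data"


def summarize_marks(trace_text, chain="POSTROUTING"):
    """Count marked and unmarked control/data packets seen in one mangle chain."""
    counts = {"control": {"marked": 0, "unmarked": 0},
              "data": {"marked": 0, "unmarked": 0}}
    for line in trace_text.splitlines():
        if "TRACE: mangle:%s:" % chain not in line:
            continue
        fields = parse_trace_line(line)
        kind = classify(fields)
        if kind is None:
            continue
        # The LOG/TRACE target prints MARK only when it is non-zero, so a line
        # without a MARK field is a packet that no tcrules entry marked.
        counts[kind]["marked" if fields.get("MARK", 0) else "unmarked"] += 1
    return counts


if __name__ == "__main__":
    print(summarize_marks(SAMPLE_TRACE))
```

Run it over a real iptrace capture taken while a client does an 'ls' or 'get'; if the data column stays at zero marked packets, the HELPER rule is not matching the data connections.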
On Sun, 06 Jun 2010 06:37:19 -0700
Tom Eastep <teastep@shorewall.net> wrote:

> your ill-conceived use of it
> that is broken

I think my use of the FTP HELPER is now a little better conceived. Thanks again Tom.

Regards
Fog_Watch.