Hi all, hi Tom, I have a problem with passive FTP connections. I have 2
boxes, both with Shorewall:

lan(10.10.10.0/24)-------Box-1(192.168.41.1)------------Box-2(192.168.41.2)-----------Inet

Box-2 is provider of Box-1 with 8 DSLs.

When I connect from Box-2 to any FTP, all works ok, but when I try to
connect from Box-1 I get this in /var/log/firewall:

21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1

Also I get a lot of errors with DST=Lan-IPs.

I am sure the FTP helper is working on both servers. What can the
problem be?

Thanks for your time.

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
On Jul 5, 2011, at 5:46 PM, Ricardo Rios wrote:

> Hi all, hi Tom, I have a problem with passive FTP connections. I have 2
> boxes, both with Shorewall:
>
> lan(10.10.10.0/24)-------Box-1(192.168.41.1)------------Box-2(192.168.41.2)-----------Inet
>
> Box-2 is provider of Box-1 with 8 DSLs.
>
> When I connect from Box-2 to any FTP, all works ok, but when I try to
> connect from Box-1 I get this in /var/log/firewall:
>
> 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
> packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
> SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
> ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
> WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1
>
> Also I get a lot of errors with DST=Lan-IPs.
>
> I am sure the FTP helper is working on both servers. What can the
> problem be?

Everything I know about FTP and Shorewall is described at
http;//www.shorewall.net/FTP.html

-Tom

Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Tue, 2011-07-05 at 21:05 -0700, Tom Eastep wrote:

> On Jul 5, 2011, at 5:46 PM, Ricardo Rios wrote:
>
> > Hi all, hi Tom, I have a problem with passive FTP connections. I have 2
> > boxes, both with Shorewall:
> >
> > lan(10.10.10.0/24)-------Box-1(192.168.41.1)------------Box-2(192.168.41.2)-----------Inet
> >
> > Box-2 is provider of Box-1 with 8 DSLs.
> >
> > When I connect from Box-2 to any FTP, all works ok, but when I try to
> > connect from Box-1 I get this in /var/log/firewall:
> >
> > 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
> > packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
> > SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
> > ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
> > WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1
> >
> > Also I get a lot of errors with DST=Lan-IPs.
> >
> > I am sure the FTP helper is working on both servers. What can the
> > problem be?
>
> Everything I know about FTP and Shorewall is described at
> http;//www.shorewall.net/FTP.html

Obviously, the URL is http://www.shorewall.net/FTP.html

The message you are seeing is not generated by Shorewall but is rather
generated by the FTP connection tracking helper in the kernel. I don't
find it in the kernel source I have here locally (2.6.32).

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Wed, 2011-07-06 at 06:48 -0700, Tom Eastep wrote:

> On Tue, 2011-07-05 at 21:05 -0700, Tom Eastep wrote:
>
> > On Jul 5, 2011, at 5:46 PM, Ricardo Rios wrote:
>
> > > When I connect from Box-2 to any FTP, all works ok, but when I try to
> > > connect from Box-1 I get this in /var/log/firewall:
> > >
> > > 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
> > > packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
> > > SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
> > > ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
> > > WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1
> > >
>
> Obviously, the URL is http://www.shorewall.net/FTP.html
>
> The message you are seeing is not generated by Shorewall but is rather
> generated by the FTP connection tracking helper in the kernel. I don't
> find it in the kernel source I have here locally (2.6.32).

I've done a bit of looking around on the Web and it appears that this
message has replaced the traditional 'partial' message mentioned in the
Shorewall FTP HOWTO. It means that a message (probably a PASV REPLY) is
not complete because it was split between two packets.

I've seen this problem connecting to a particular FTP server, but I've
never seen it on all servers from a local network. Makes me think that
the ftp helper on that firewall is *not* working correctly.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
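Tom's rule of thumb above (one server dropping points at that server's split PASV reply; every server dropping points at the helper on the firewall) can be turned into a quick check over /var/log/firewall. The Python below is an added example, not code from the thread or from Shorewall: it parses the kernel's nf_ct_ftp "dropping packet" lines, counts drops per remote FTP server, and applies that rule. The log lines are constructed (documentation-range remote addresses, fields trimmed), and the "one server versus several" threshold in diagnose() is my assumption.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the nf_ct_ftp message in the thread
# (fields trimmed; remote addresses are documentation ranges).
SAMPLE_LOG = [
    "21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping packetIN=eth4 OUT= "
    "SRC=203.0.113.46 DST=192.168.41.1 LEN=102 DF PROTO=TCP SPT=21 DPT=50892 ACK PSH MARK=0x1",
    "21:38:02 insert-master kernel: [832183.100000] nf_ct_ftp: dropping packetIN=eth4 OUT= "
    "SRC=198.51.100.7 DST=10.10.10.25 LEN=98 DF PROTO=TCP SPT=21 DPT=41000 ACK PSH MARK=0x1",
    "21:39:15 insert-master kernel: [832256.200000] nf_ct_ftp: dropping packetIN=eth4 OUT= "
    "SRC=192.0.2.9 DST=10.10.10.31 LEN=98 DF PROTO=TCP SPT=21 DPT=41001 ACK PSH MARK=0x1",
    "21:40:00 insert-master kernel: [832301.000000] Shorewall:net2fw:DROP:IN=eth4 OUT= "
    "SRC=192.0.2.5 DST=192.168.41.1 LEN=40 PROTO=TCP SPT=4444 DPT=22",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")
DROP_RE = re.compile(r"nf_ct_ftp: dropping packet\s*(.*)$")

def parse_nf_ct_ftp(line):
    """Fields of an nf_ct_ftp 'dropping packet' line, or None for other messages."""
    m = DROP_RE.search(line)
    if not m:
        return None
    # The kernel prints the fields straight after "packet" (hence "packetIN=eth4"
    # in the thread); bare flags such as DF, ACK and PSH carry no '=' and are skipped.
    f = dict(FIELD_RE.findall(m.group(1)))
    return {"src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
            "sport": int(f["SPT"]) if "SPT" in f else None,
            "dport": int(f["DPT"]) if "DPT" in f else None}

def drops_per_server(lines):
    """Count drops per remote FTP server; SPT=21 marks the server's control-channel
    reply, which is where a PASV response travels."""
    servers = Counter()
    for line in lines:
        rec = parse_nf_ct_ftp(line)
        if rec and rec["proto"] == "TCP" and rec["sport"] == 21:
            servers[rec["src"]] += 1
    return servers

def diagnose(servers):
    """Tom's rule of thumb: drops from one server point at that server splitting
    its PASV reply; drops from every server point at the helper on this box."""
    if not servers:
        return "no nf_ct_ftp drops"
    if len(servers) == 1:
        return "single server %s: suspect its PASV reply" % next(iter(servers))
    return "%d distinct servers: suspect the FTP conntrack helper on this box" % len(servers)
```

Feed it the real file with `drops_per_server(open("/var/log/firewall"))`; the Shorewall-prefixed line in the sample is there to show that unrelated drops are ignored.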
On 06/07/11 10:48, Tom Eastep wrote:

> On Tue, 2011-07-05 at 21:05 -0700, Tom Eastep wrote:
>> On Jul 5, 2011, at 5:46 PM, Ricardo Rios wrote:
>>
>> > Hi all, hi Tom, I have a problem with passive FTP connections. I have 2
>> > boxes, both with Shorewall:
>> >
>> > lan(10.10.10.0/24)-------Box-1(192.168.41.1)------------Box-2(192.168.41.2)-----------Inet
>> >
>> > Box-2 is provider of Box-1 with 8 DSLs.
>> >
>> > When I connect from Box-2 to any FTP, all works ok, but when I try to
>> > connect from Box-1 I get this in /var/log/firewall:
>> >
>> > 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
>> > packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
>> > SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
>> > ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
>> > WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1
>> >
>> > Also I get a lot of errors with DST=Lan-IPs.
>> >
>> > I am sure the FTP helper is working on both servers. What can the
>> > problem be?
>>
>> Everything I know about FTP and Shorewall is described at
>> http;//www.shorewall.net/FTP.html
>
> Obviously, the URL is http://www.shorewall.net/FTP.html
>
> The message you are seeing is not generated by Shorewall but is rather
> generated by the FTP connection tracking helper in the kernel. I don't
> find it in the kernel source I have here locally (2.6.32).
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
>

Ok, I am going to check forums and stuff pointing to the helper in the
kernel. Thanks Tom.
On 06/07/11 11:05, Tom Eastep wrote:

> On Wed, 2011-07-06 at 06:48 -0700, Tom Eastep wrote:
>> On Tue, 2011-07-05 at 21:05 -0700, Tom Eastep wrote:
>>> On Jul 5, 2011, at 5:46 PM, Ricardo Rios wrote:
>>> > When I connect from Box-2 to any FTP, all works ok, but when I try to
>>> > connect from Box-1 I get this in /var/log/firewall:
>>> >
>>> > 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
>>> > packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
>>> > SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
>>> > ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
>>> > WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1
>>> >
>> Obviously, the URL is http://www.shorewall.net/FTP.html
>>
>> The message you are seeing is not generated by Shorewall but is
>> rather generated by the FTP connection tracking helper in the kernel.
>> I don't find it in the kernel source I have here locally (2.6.32).
>
> I've done a bit of looking around on the Web and it appears that this
> message has replaced the traditional 'partial' message mentioned in the
> Shorewall FTP HOWTO. It means that a message (probably a PASV REPLY)
> is not complete because it was split between two packets.
>
> I've seen this problem connecting to a particular FTP server, but I've
> never seen it on all servers from a local network. Makes me think that
> the ftp helper on that firewall is *not* working correctly.
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
>

I just checked kernel versions on both servers and I found the server
working well has kernel-default, and the server that is not working
right with the FTP helper has kernel-desktop. Dunno if that is the
problem, but I am going to install kernel-default and try.
On 06/07/11 11:16, Ricardo Rios wrote:

> On 06/07/11 11:05, Tom Eastep wrote:
>> On Wed, 2011-07-06 at 06:48 -0700, Tom Eastep wrote:
>>> On Tue, 2011-07-05 at 21:05 -0700, Tom Eastep wrote:
>>>> On Jul 5, 2011, at 5:46 PM, Ricardo Rios wrote:
>>>> > When I connect from Box-2 to any FTP, all works ok, but when I try to
>>>> > connect from Box-1 I get this in /var/log/firewall:
>>>> >
>>>> > 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
>>>> > packetIN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
>>>> > SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
>>>> > ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
>>>> > WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1
>>>> >
>>> Obviously, the URL is http://www.shorewall.net/FTP.html
>>>
>>> The message you are seeing is not generated by Shorewall but is
>>> rather generated by the FTP connection tracking helper in the
>>> kernel. I don't find it in the kernel source I have here locally
>>> (2.6.32).
>>
>> I've done a bit of looking around on the Web and it appears that this
>> message has replaced the traditional 'partial' message mentioned in the
>> Shorewall FTP HOWTO. It means that a message (probably a PASV REPLY)
>> is not complete because it was split between two packets.
>>
>> I've seen this problem connecting to a particular FTP server, but
>> I've never seen it on all servers from a local network. Makes me
>> think that the ftp helper on that firewall is *not* working correctly.
>>
>> -Tom
>> --
>> Tom Eastep           \ When I die, I want to go like my Grandfather who
>> Shoreline,            \ died peacefully in his sleep. Not screaming like
>> Washington, USA        \ all of the passengers in his car
>> http://shorewall.net    \________________________________________________
>>
>>
> I just checked kernel versions on both servers and I found the server
> working well has kernel-default, and the server that is not working
> right with the FTP helper has kernel-desktop. Dunno if that is the
> problem, but I am going to install kernel-default and try.

Tom, I just want to let you know I fixed this problem by using a compiled
kernel 2.6.39 with http://www.ssi.bg/~ja/routes-2.6.39-16.diff; now FTP
connections work fine.

The only problem I got after that patch was a server that has 2 providers
using the same interface: internet stopped working after that patch, but
I removed the routefilter option from the internet interface in
/etc/shorewall/interface and now it is working great.

Thanks for your time and work Tom.

Regards

------------------------------------------------------------------------------
AppSumo Presents a FREE Video for the SourceForge Community by Eric Ries,
the creator of the Lean Startup Methodology on "Lean Startup Secrets
Revealed." This video shows you how to validate your ideas, optimize your
ideas and identify your business strategy.
http://p.sf.net/sfu/appsumosfdev2dev
On Thu, 2011-07-14 at 09:34 -0300, Ricardo Rios wrote:

> Tom, I just want to let you know I fixed this problem by using a compiled
> kernel 2.6.39 with http://www.ssi.bg/~ja/routes-2.6.39-16.diff; now FTP
> connections work fine.
>
> The only problem I got after that patch was a server that has 2 providers
> using the same interface: internet stopped working after that patch, but
> I removed the routefilter option from the internet interface in
> /etc/shorewall/interface and now it is working great.
>

Thanks for the update, Ricardo

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________