I am trying to get the AllowFTP action to work for Net > DMZ traffic and FTP pasv. I know it is kind of working, as the user can log in; however, it fails at the port. I have had to open up some high ports for pasv to work. Now I know this ain't cool, so does anyone know what a person has to do to get the AllowFTP action to work the same way it does if I was just ftp'ing to the firewall, which does work on my web server (which only has 1 interface, btw)?

Interfaces:
net eth0 detect
loc eth1 detect

My Rule:
AllowFTP net loc

Capabilities
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
> I am trying to get the AllowFTP action to work for Net > DMZ traffic and
> FTP pasv. I know it is kind of working, as the user can log in; however,
> it fails at the port. I have had to open up some high ports for pasv to
> work. Now I know this ain't cool, so does anyone know what a person has
> to do to get the AllowFTP action to work the same way it does if I was
> just ftp'ing to the firewall, which does work on my web server (which only
> has 1 interface, btw)?
>
> Interfaces:
> net eth0 detect
> loc eth1 detect
>
> My Rule:
> AllowFTP net loc
>
> Capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Extended Multi-port Match: Not available
> Connection Tracking Match: Available
> Packet Type Match: Available
> Policy Match: Not available
> Physdev Match: Available
> IP range Match: Available
> Recent Match: Available
> Owner Match: Available

Couple of quick questions.
When you do an 'lsmod', does "ip_conntrack_ftp" show up?
Are you running the ftp server on a non-standard port?

Jerry
> Couple of quick questions.
> When you do an 'lsmod', does "ip_conntrack_ftp" show up?
> Are you running the ftp server on a non-standard port?
> Jerry

Q1: Yes

Module            Size  Used by
ip_nat_ftp        3009  0
ip_conntrack_ftp 73169  1 ip_nat_ftp

Q2: No, ftp is on the default port.

Steve.
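The two checks Jerry asks for above (is the FTP connection-tracking helper loaded, and is the server on the standard control port) are the ones that decide whether passive FTP works without opening high ports: the helper reads the PASV reply on the tracked control connection and marks the following data connection as RELATED, so the firewall accepts it without any extra rule. The script below is an added example, not code from this thread or from Shorewall; it runs that decision against a constructed lsmod snapshot modelled on what Steve posted. The module names, the `ports` parameter path under /sys and the sample text are assumptions, labelled as such in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the diagnostic for passive
# FTP through a netfilter firewall. Checks that the FTP conntrack helper and
# its NAT companion are loaded and that the server's control port is one the
# helper actually tracks.

# Constructed lsmod output modelled on the one posted in the thread. The
# 2.4/2.6-era names are ip_conntrack_ftp / ip_nat_ftp; newer kernels use
# nf_conntrack_ftp / nf_nat_ftp (assumed names, both handled below).
SAMPLE_LSMOD='Module                  Size  Used by
ip_nat_ftp              3009  0
ip_conntrack_ftp       73169  1 ip_nat_ftp
ip_conntrack           50000  2 ip_nat_ftp,ip_conntrack_ftp'

# loaded_module LSMOD_TEXT NAME...: prints the first NAME that appears in the
# "Module" column of LSMOD_TEXT; exits non-zero if none of them is loaded.
loaded_module() {
    lsmod_text=$1; shift
    for name in "$@"; do
        if printf '%s\n' "$lsmod_text" | awk -v m="$name" '$1 == m { f=1 } END { exit !f }'; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# port_tracked PORTS_PARAM PORT: PORTS_PARAM is the helper's comma-separated
# "ports" module parameter (the default is just 21). Exits 0 if PORT is listed.
port_tracked() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# pasv_diagnosis LSMOD_TEXT PORTS_PARAM SERVER_PORT: prints one word and
# exits 0 only for "ok".
#   ok        - conntrack helper and NAT helper loaded, control port tracked
#   no-helper - ip_conntrack_ftp / nf_conntrack_ftp not loaded
#   no-nat    - conntrack helper loaded but no NAT helper; needed when the
#               server sits behind NAT, as with Net -> DMZ through the firewall
#   port      - the server's control port is not in the helper's ports list,
#               so PASV replies on that connection are never parsed
pasv_diagnosis() {
    lsmod_text=$1; ports_param=$2; server_port=$3
    loaded_module "$lsmod_text" ip_conntrack_ftp nf_conntrack_ftp >/dev/null || { echo no-helper; return 1; }
    loaded_module "$lsmod_text" ip_nat_ftp nf_nat_ftp >/dev/null || { echo no-nat; return 1; }
    port_tracked "$ports_param" "$server_port" || { echo port; return 1; }
    echo ok
}

# Live use on the firewall itself (assumes a Linux host with lsmod, and that
# the helper exposes its "ports" parameter under /sys/module; fall back to 21):
#   pasv_diagnosis "$(lsmod)" \
#       "$(cat /sys/module/ip_conntrack_ftp/parameters/ports 2>/dev/null || echo 21)" 21

# Offline run against the constructed snapshot: prints "ok".
pasv_diagnosis "$SAMPLE_LSMOD" 21 21
```

If the verdict is "port", the fix is to load the helper with the server's control port in its `ports` parameter rather than to open a passive range. One caveat the script cannot detect: the helper reads the PASV reply in clear text, so an FTP server that protects the control channel with TLS hides the reply from it and a fixed passive port range has to be opened explicitly.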
> > Couple of quick questions.
> > When you do an 'lsmod', does "ip_conntrack_ftp" show up?
> > Are you running the ftp server on a non-standard port?
> > Jerry
>
> Q1: Yes
>
> Module            Size  Used by
> ip_nat_ftp        3009  0
> ip_conntrack_ftp 73169  1 ip_nat_ftp
>
> Q2: No, ftp is on the default port.
>
> Steve.

I'm stepping out for a bit; in the meantime, could you post the info requested at: http://www.shorewall.net/support.htm #3

Anything being logged about this connection in /var/log/messages?

Jerry
2005/6/2, Steve Lawrence <steve@nexiaweb.com>:
> I am trying to get the AllowFTP action to work for Net > DMZ traffic and
> FTP pasv. I know it is kind of working, as the user can log in; however,
> it fails at the port. I have had to open up some high ports for pasv to
> work. Now I know this ain't cool, so does anyone know what a person has
> to do to get the AllowFTP action to work the same way it does if I was
> just ftp'ing to the firewall, which does work on my web server (which only
> has 1 interface, btw)?
>
> Interfaces:
> net eth0 detect
> loc eth1 detect
>
> My Rule:
> AllowFTP net loc

loc is the DMZ?? If so, that is a really awful idea. Other clients in the loc zone have NO protection if the ftp server is compromised.

Is the complete loc zone the DMZ, or just one IP?

Please submit the info: http://www.shorewall.net/support.htm#Guidelines