Hi,

I'm not getting very far with shorewall 1.4.4. I'm using redhat 9. It's setup and working, but non-passive ftp isn't working and I can't find any documentation regarding if it should work, or what to do to make it work. The ip_conntrack_ftp and ip_nat_ftp modules are loading and the policy from loc to net is accept. Is there something else I need? I've used the linux box with two interfaces example and so far I can't find any reference to this type of thing... for that matter, I don't think passive works either as I tried pointing a browser at ftp://mirror.ac.uk and the connection gets reset and times out... manually ftping into an ftp server, I get logged in but can't do anything, ls, cd, etc then. I presume that's the data-connection not working, but like I say I kind of assumed this would work with the example and the policy file.

Thanks
Bill
more on this.... it's my brain dead windoze xp system that is failing. I have a small test network that the firewall gateway described below is sitting on. It is protecting two linux systems and one windows xp system. The windows xp system can ftp to sites, but it can't list them... doing ftp from command prompt. Same thing with using internet exploder... can't get the contents of any directory... I thought internet exploder used passive ftp... doesn't it? When I ftp from either linux system to external ftp sites it works perfectly. Of course, all my users have windoze, so I obviously need to do something, but I don't know what... how do I fix windows ftping thru shorewall?

Thanks
Bill

Bill Dossett wrote:
> Hi,
>
> I'm not getting very far with shorewall 1.4.4.
> I'm using redhat 9.
> It's setup and working, but non-passive
> ftp isn't working and I can't find any documentation
> regarding if it should work, or what to do to make
> it work. The ip_conntrack_ftp and ip_nat_ftp modules
> are loading and the policy from loc to net is accept.
> Is there something else I need? I've used the linux
> box with two interfaces example and so far I can't
> find any reference to this type of thing... for that
> matter, I don't think passive works either as I tried
> pointing a browser at ftp://mirror.ac.uk and the connection
> gets reset and times out... manually ftping into an ftp
> server, I get logged in but can't do anything, ls, cd, etc
> then. I presume that's the data-connection not working,
> but like I say I kind of assumed this would work with the
> example and the policy file.
>
> Thanks
> Bill
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi,

Tuomo Soini wrote:
> Bill Dossett wrote:
>
>> more on this.... it's my brain dead windoze xp system
>> that is failing. I have a small test network that the
>> firewall gateway described below is sitting on. It
>> is protecting two linux systems and one windows xp
>> system. The windows xp system can ftp to sites, but
>> it can't list them... doing ftp from command prompt.
>> Same thing with using internet exploder... can't get
>> the contents of any directory... I thought internet
>> exploder used passive ftp... doesn't it?
>
> Explorer is not at all passive-ftp capable. It can only do active ftp.

Netscape works ok... I assume netscape uses passive then?

>> When I ftp from either linux system to external ftp
>> sites it works perfectly. Of course, all my users
>> have windoze, so I obviously need to do something,
>> but I don't know what... how do I fix windows ftping
>> thru shorewall?
>
> Is it possible that you have XP's internal firewall in use and you block
> all incoming traffic?

no, now using a windows 2000 system and a windows xp system, no firewalling of any sort on them. ftping from command prompt on both always fails when I try to list the directory. is it possible to use active ftp? I thought that is what the conntrack module is for?

Thanks for your help
Bill

> If this was your problem, please note it on mailinglist too so that
> thread ends.
On Wed, 28 May 2003 13:59:53 +0100, Bill Dossett <billd@emtex.com> wrote:
>
> is it possible to use active ftp? I thought that is what the
> conntrack module is for?
>

Whatever your problem is, it isn't Shorewall -- passive FTP opens two OUTBOUND connections and since the default Shorewall setup places no restrictions on such connections then passive outbound FTP will work without any helper modules. I assume that you are testing using more than one remote site....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
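The distinction Tom draws above (passive FTP is two client-initiated outbound connections, active FTP makes the server connect back in) is easiest to see by reading the control channel itself. The following is an added example, not code from this thread or from Shorewall: it parses the h1,h2,h3,h4,p1,p2 host-port fields that RFC 959 puts in the client's PORT command and in the server's 227 reply to PASV, reports which way the data connection will go and whether a stateful or NAT gateway needs the ftp helper to let it through, and models the address rewrite that ip_nat_ftp performs on a NATed client's PORT command. The two sample sessions, the documentation-range addresses and the 192.168.1.10 client address are constructed for the example; the assumption that the rewrite keeps the client's port is a simplification (the real helper may also remap it).

```python
import re
from dataclasses import dataclass

# The data-channel endpoint travels on the control channel in two places:
# the client's PORT command (active mode) and the server's 227 reply to
# PASV (passive mode), both as h1,h2,h3,h4,p1,p2 per RFC 959.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$")
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")

# Constructed sample sessions ("C:" client, "S:" server). Addresses are from
# documentation ranges; the client is assumed to sit behind NAT at
# 192.168.1.10. These are not captures from the thread.
PASSIVE_SESSION = [
    "S: 220 FTP server ready",
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,7,195,80)",
    "C: LIST",
]
ACTIVE_SESSION = PASSIVE_SESSION[:5] + [
    "C: PORT 192,168,1,10,8,5",
    "S: 200 PORT command successful",
    "C: LIST",
]


@dataclass
class DataConnection:
    mode: str           # "active" or "passive"
    direction: str      # seen from the client: "outbound" or "inbound"
    peer: str           # address the data connection is made to
    port: int
    needs_helper: bool  # True when a stateful/NAT gateway must track it


def decode_hostport(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in host-port: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ",".join(ip.split(".")) + ",%d,%d" % (port // 256, port % 256)


def classify(session):
    """Return the DataConnection implied by the last PORT/PASV in a session."""
    result = None
    for line in session:
        who, _, text = line.partition(": ")
        m = PORT_RE.match(text) if who == "C" else None
        if m:
            ip, port = decode_hostport(m.groups())
            # Active: the *server* connects in to the client's ip:port. A
            # stateful gateway sees an unsolicited inbound SYN unless
            # ip_conntrack_ftp has read this PORT and marked the expected
            # connection RELATED; behind NAT, ip_nat_ftp must also rewrite
            # the private address the client advertised.
            result = DataConnection("active", "inbound", ip, port, True)
            continue
        m = PASV_RE.match(text) if who == "S" else None
        if m:
            ip, port = decode_hostport(m.groups())
            # Passive: the *client* opens a second outbound connection, which
            # a permissive loc->net policy accepts with no helper at all.
            result = DataConnection("passive", "outbound", ip, port, False)
    if result is None:
        raise ValueError("session contains no PORT command or 227 reply")
    return result


def nat_rewrite_port(command, public_ip):
    """Model what ip_nat_ftp does to a NATed client's PORT command: swap the
    private address for the gateway's public one. The port is kept as-is
    here (assumption; the real helper may remap it). Returns the rewritten
    command and the (ip, port) the server's inbound data connection targets."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("not a PORT command: %r" % command)
    _, port = decode_hostport(m.groups())
    return "PORT " + encode_hostport(public_ip, port), (public_ip, port)


if __name__ == "__main__":
    for name, sess in (("passive", PASSIVE_SESSION), ("active", ACTIVE_SESSION)):
        print(name, classify(sess))
    print(nat_rewrite_port("PORT 192,168,1,10,8,5", "203.0.113.5"))
```

Run against the passive session it reports an outbound connection to 198.51.100.7:50000 with no helper needed, which is why a client that uses PASV lists directories through a default Shorewall setup; the active session reports an inbound connection to the private 192.168.1.10:2053 that only works if the gateway has both rewritten the PORT argument and accepted the server's connect-back as RELATED.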
On Wed, 2003-05-28 at 04:21, Bill Dossett wrote:
> It's setup and working, but non-passive
> ftp isn't working and I can't find any documentation
> regarding if it should work, or what to do to make
> it work. The ip_conntrack_ftp and ip_nat_ftp modules
> are loading and the policy from loc to net is accept.
> Is there something else I need?

Bill,

Take a look at this document. It explains the interactions of FTP with modern firewalls.

A White Paper Overview of FTP and Firewalls
ftp://ftp.echogent.com/docs/FTP_and_Firewalls.pdf

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/