shorewall-users,

I have Shorewall running fine on my Linux router/gateway at home, but I have an FTP server running on a non-standard port (2112) and am having trouble setting up the firewall to allow passive connections. From what I have read I need to set it to use connection tracking on the odd port. After reading the mailing list archive I have altered/added the following files as follows:

/etc/shorewall/rules, added:

ACCEPT loc fw tcp 2112
ACCEPT net fw tcp 2112

/etc/shorewall/modules, altered as below:

loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp ports=21,2112
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp ports=21,2112
loadmodule ip_nat_irc

/etc/modules.conf, added to the bottom:

options ip_nat_ftp ports=21,2112
options ip_conntrack_ftp ports=21,2112

Is this correct? Passive connections still hang.

mark
mark.field@gmx.net
mark field wrote:

> shorewall-users,
>
> I have Shorewall running fine on my Linux router/gateway at home,
> but I have an FTP server running on a non-standard port (2112) and am
> having trouble setting up the firewall to allow passive connections.
> From what I have read I need to set it to use connection tracking on
> the odd port. After reading the mailing list archive I have altered/
> added the following files as follows:
>
> /etc/shorewall/rules, added:
>
> ACCEPT loc fw tcp 2112
> ACCEPT net fw tcp 2112
>
> /etc/shorewall/modules, altered as below:
>
> loadmodule ip_tables
> loadmodule iptable_filter
> loadmodule ip_conntrack
> loadmodule ip_conntrack_ftp ports=21,2112
> loadmodule ip_conntrack_irc
> loadmodule iptable_nat
> loadmodule ip_nat_ftp ports=21,2112
> loadmodule ip_nat_irc
>
> /etc/modules.conf, added to the bottom:
>
> options ip_nat_ftp ports=21,2112
> options ip_conntrack_ftp ports=21,2112
>
> Is this correct? Passive connections still hang.

Looks ok -- did you unload and reload the ftp netfilter modules after you made those changes?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

>>> /etc/modules.conf, added to the bottom:
>>>
>>> options ip_nat_ftp ports=21,2112
>>> options ip_conntrack_ftp ports=21,2112

Is this necessary? Is it not sufficient to insert the "ports" option in shorewall/modules?

Let me know...

Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
Dario Lesca wrote:

> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
>
>>>> /etc/modules.conf, added to the bottom:
>>>>
>>>> options ip_nat_ftp ports=21,2112
>>>> options ip_conntrack_ftp ports=21,2112
>>>
>
> Is this necessary?
> Is it not sufficient to insert the "ports" option in shorewall/modules?
>
> Let me know...

It is only necessary if there is a chance that the modules will get loaded before Shorewall is started.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
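The point both of Tom's replies turn on is that a module parameter such as ports= is read only when the module is inserted: if ip_conntrack_ftp was already loaded (by an earlier boot script, or by hand) with the default port, editing /etc/shorewall/modules or /etc/modules.conf changes nothing until the helper is unloaded and reloaded. The script below is an added example, not code from the thread or from Shorewall. It compares the ports= value Shorewall wants for a helper module against the value the running kernel actually loaded, and prints the unload/reload sequence when they differ. It assumes a kernel that exposes module parameters under /sys/module/<name>/parameters (2.6 and later); the module names are the 2.4-era ones used in the thread, so on a current kernel pass nf_conntrack_ftp instead (the modern nf_nat_ftp takes no ports= parameter at all). The sample modules file and the fake sysfs tree are constructed in a temporary directory so the script runs without root and without touching the real system.

```shell
#!/bin/sh
# Added example: verify that the FTP helper modules were (re)loaded with the
# ports= value configured in a shorewall modules file.
# Assumption: parameters readable at <sysroot>/module/<mod>/parameters/ports.

# Ports Shorewall will pass for MODULE, taken from a "loadmodule MODULE ports=..." line.
# Usage: wanted_ports FILE MODULE  -> prints e.g. "21,2112", or nothing if unset.
wanted_ports() {
    awk -v m="$2" '$1 == "loadmodule" && $2 == m {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^ports=/) { sub(/^ports=/, "", $i); print $i }
    }' "$1"
}

# Ports the loaded module is actually using, read from sysfs.
# Usage: loaded_ports SYSROOT MODULE -> prints the value, or nothing if not loaded.
loaded_ports() {
    f="$1/module/$2/parameters/ports"
    [ -r "$f" ] && tr -d '[:space:]' < "$f"
}

# Canonical form of a port list so that "2112,21" and "21,2112" compare equal.
norm_ports() {
    printf '%s' "$1" | tr ',' '\n' | grep -v '^$' | sort -n -u | paste -s -d ',' -
}

# Prints "ok", "mismatch" or "notloaded"; exit status 0 only for "ok".
# Usage: check_module FILE SYSROOT MODULE
check_module() {
    want=$(norm_ports "$(wanted_ports "$1" "$3")")
    have=$(loaded_ports "$2" "$3")
    if [ -z "$have" ]; then echo notloaded; return 1; fi
    have=$(norm_ports "$have")
    if [ "$want" = "$have" ]; then echo ok; return 0; fi
    echo mismatch
    return 1
}

# The remedy Tom asks about: unload the NAT helper first (it depends on the
# conntrack helper), then reload both with the configured ports.
# Usage: fix_commands FILE
fix_commands() {
    cp=$(wanted_ports "$1" ip_conntrack_ftp)
    np=$(wanted_ports "$1" ip_nat_ftp)
    printf 'rmmod ip_nat_ftp\nrmmod ip_conntrack_ftp\n'
    printf 'modprobe ip_conntrack_ftp ports=%s\nmodprobe ip_nat_ftp ports=%s\n' "$cp" "$np"
}

# --- constructed demo fixtures (not real system files) ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/modules" <<'EOF'
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp ports=21,2112
loadmodule iptable_nat
loadmodule ip_nat_ftp ports=21,2112
EOF
# Fake sysfs: ip_conntrack_ftp was loaded before the config change, with the
# default port only; ip_nat_ftp is not loaded at all.
mkdir -p "$DEMO_DIR/sys/module/ip_conntrack_ftp/parameters"
echo 21 > "$DEMO_DIR/sys/module/ip_conntrack_ftp/parameters/ports"

for m in ip_conntrack_ftp ip_nat_ftp; do
    printf '%s: %s\n' "$m" "$(check_module "$DEMO_DIR/modules" "$DEMO_DIR/sys" "$m")"
done
echo "To apply the configured ports, run:"
fix_commands "$DEMO_DIR/modules"
```

On a live router, point SYSROOT at /sys and FILE at /etc/shorewall/modules; "mismatch" on the conntrack helper with passive transfers hanging is exactly the stale-module case, and the printed sequence (or a reboot, once /etc/modules.conf carries the options lines) clears it.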