jgarcian@retevision.es
2002-Sep-23 13:58 UTC
[Shorewall-users] Blacklist and FTP Passive Mode.
Hi ppl,

I have two problems:

· The first, I have configured my shorewall with:

/etc/shorewall/interfaces
net eth0 detect dhcp,routefilter,norfc1918,blacklist

and the /etc/shorewall/blacklist
10.101.1.X
192.168.69.X

but in /var/log/messages I see:

kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:33:d9:14:08:00 SRC=10.101.1.X DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=58936 PROTO=UDP SPT=2692 DPT=1900 LEN=141
kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:29:6b:a5:7e:08:00 SRC=192.168.69.X DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=3393 PROTO=UDP SPT=1026 DPT=1900 LEN=141

The DROP messages are logged. Is this usual? I don't want to see these messages. Is that possible?

· The second, the FTP passive mode. I run a pureftpd server on the firewall:

#lsmod
Module                  Size  Used by    Not tainted
ip_nat_ftp              3808   0  (unused)
ip_conntrack_ftp        3616   0  [ip_nat_ftp]

/etc/shorewall/rules
DNAT net fw:192.168.0.1:21 tcp ftp

/pureftpd script
pure-ftpd -p 7000:7050 -S 192.168.0.1,21

The passive mode doesn't work.

I have a Debian Woody with 2.4.19 kernel and Shorewall 1.3.7c

Thanks in advance.

Jordi

The information contained in this e-mail is CONFIDENTIAL and is for the exclusive use of the addressee named above. If you read this message and are not the named addressee, the employee or agent responsible for delivering the message to the addressee, or have received this communication in error, please be advised that any disclosure, distribution or reproduction of this communication is strictly prohibited, and we ask that you notify us, return the original message to the address named above and delete the message. Thank you.
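The log entries quoted above carry the prefix Shorewall:<chain>:<disposition>:, so the chain name tells you which part of the configuration logged the packet (here rfc1918). The following parser is an added example, not code from the thread or from Shorewall; the addresses and the net2fw line in its sample log are constructed, since the original lines had their last octet masked.

```python
import re
from collections import Counter

# Constructed sample entries in the Shorewall 1.3 kernel-log format
# "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
# Host addresses and the net2fw line are made up for this example.
SAMPLE_LOG = """\
kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:33:d9:14:08:00 SRC=10.101.1.23 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=58936 PROTO=UDP SPT=2692 DPT=1900 LEN=141
kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:29:6b:a5:7e:08:00 SRC=192.168.69.7 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=3393 PROTO=UDP SPT=1026 DPT=1900 LEN=141
kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:50:04:33:d9:14:00:e0:29:6b:a5:7e:08:00 SRC=172.16.5.9 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return chain, disposition and the KEY=VALUE fields of one entry, or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        entry.setdefault(key, value)
    return entry


def summarize(log_text):
    """Count entries per (chain, disposition, PROTO, DPT): which chain is
    producing the log noise, and what kind of traffic it is."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            key = (entry["chain"], entry["disposition"],
                   entry.get("PROTO"), entry.get("DPT"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (chain, disp, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  chain={chain:<10} {disp:<7} {proto} dpt={dpt}")
```

Run against a real /var/log/messages the summary shows at a glance whether the noise comes from the rfc1918 chain, the blacklist chain or an ordinary zone-to-zone chain, which is the setting you then need to adjust.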
jgarcian@retevision.es wrote:

> SPT=1026 DPT=1900 LEN=141
>
> The DROP messages are logged. Is this usual? I don't want to see these messages.
> Is that possible?
>

See the BLACKLIST_LOGLEVEL variable in shorewall.conf.

> · The second, the FTP passive mode, I execute a pureftpd server in the
> firewall:
>
> #lsmod
> Module                  Size  Used by    Not tainted
> ip_nat_ftp              3808   0  (unused)
> ip_conntrack_ftp        3616   0  [ip_nat_ftp]
>
> /etc/shorewall/rules
> DNAT net fw:192.168.0.1:21 tcp ftp

What is your reason for having the server listen on 192.168.0.1 and then using DNAT? Why don't you just have the server listen on 0.0.0.0 and use an ACCEPT rule?

>
> /pureftpd script
> pure-ftpd -p 7000:7050 -S 192.168.0.1,21
>
> The passive mode doesn't work.
>

Any log messages when you try it?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
jgarcian@retevision.es
2002-Sep-23 15:00 UTC
[Shorewall-users] Blacklist and FTP Passive Mode.
Hi Tom,

> See the BLACKLIST_LOGLEVEL variable in shorewall.conf.

#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=

This variable is empty.

> What is your reason for having the server listen on 192.168.0.1 and then using DNAT? Why don't you just have the server listen on 0.0.0.0 and use an ACCEPT rule?

This configuration works fine... eehhh... which is the difference? All my services (HTTP, POP3, etc...) use DNAT. ?¿

Thanks for all Tom.

Jordi