Hi,

ok I'm all new to this :-)

for pasv ftp in your example you say for example to use ports 65500-65535, but I don't see that you open those ports in your example fw scripts..?

any hints ?

-- 
Christophe Zwecker
mail: doc@zwecker.de
Hamburg, Germany
fon: +49 179 3994867
http://www.zwecker.de
"Who is General Failure ? And why is he reading my disk ??"
On Saturday 19 January 2002 03:34 am, Christophe Zwecker wrote:

> Hi,
>
> ok I'm all new to this :-)
>
> for pasv ftp in your example you say for example to use ports
> 65500-65535, but I don't see that you open those ports in your example fw
> scripts..?
>
> any hints ?

I don't have to open them -- they will be opened dynamically at the time of the PASV command. This of course assumes ftp connection tracking in your kernel or that you have loaded the ip_conntrack_ftp module.

-Tom

-- 
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Saturday 19 January 2002 05:36 am, I wrote:

> I don't have to open them -- they will be opened dynamically at the time of
> the PASV command. This of course assumes ftp connection tracking in your
> kernel or that you have loaded the ip_conntrack_ftp module.

BTW -- Shorewall automatically loads ip_conntrack_ftp and ip_nat_ftp if they exist in the MODULESDIR (usually /lib/modules/`uname -r`/kernel/ipv4/netfilter).

-Tom
On Sat, 2002-01-19 at 14:51, Tom Eastep wrote:

> On Saturday 19 January 2002 05:36 am, I wrote:
> > I don't have to open them -- they will be opened dynamically at the time of
> > the PASV command. This of course assumes ftp connection tracking in your
> > kernel or that you have loaded the ip_conntrack_ftp module.
>
> BTW -- Shorewall automatically loads ip_conntrack_ftp and ip_nat_ftp if they
> exist in the MODULESDIR (usually
> /lib/modules/`uname -r`/kernel/ipv4/netfilter).

Hm, I checked, I have that module loaded but its state is (unused).

As of now I have to leave ports 2000-2100 open, my ftp server uses those for pasv connections, I'd rather use the ip_conntrack_ftp option though. Is it of any matter that my ftp server uses a non standard port (24562) ??

Here is a list of my modules:

    ip_nat_irc              3264   0 (unused)
    ip_nat_ftp              3936   0 (unused)
    ip_conntrack_irc        3488   0 (unused)
    ip_conntrack_ftp        4576   0 (unused)
    ipt_TOS                 1536  14 (autoclean)
    ipt_MASQUERADE          2112   1 (autoclean)
    ipt_REJECT              3552   2 (autoclean)
    ipt_LOG                 4960  13 (autoclean)
    ipt_limit               1600  12 (autoclean)
    iptable_mangle          2496   0 (autoclean) (unused)
    iptable_nat            17524   2 (autoclean) [ip_nat_irc ip_nat_ftp ipt_MASQUERADE]
    ipt_state               1088  37 (autoclean)
    ip_conntrack           20268   5 (autoclean) [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_MASQUERADE iptable_nat ipt_state]
    iptable_filter          2400   0 (autoclean) (unused)
    ip_tables              13440  13 [ipt_mark ipt_MARK ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_nat ipt_state iptable_filter]
On Monday 21 January 2002 02:22 am, Christophe Zwecker wrote:

> On Sat, 2002-01-19 at 14:51, Tom Eastep wrote:
> > On Saturday 19 January 2002 05:36 am, I wrote:
> > > I don't have to open them -- they will be opened dynamically at the
> > > time of the PASV command. This of course assumes ftp connection
> > > tracking in your kernel or that you have loaded the ip_conntrack_ftp
> > > module.
> >
> > BTW -- Shorewall automatically loads ip_conntrack_ftp and ip_nat_ftp if
> > they exist in the MODULESDIR (usually
> > /lib/modules/`uname -r`/kernel/ipv4/netfilter).
>
> Hm, I checked, I have that module loaded but its state is (unused).

That's normal.

> As of now I have to leave ports 2000-2100 open, my ftp server uses
> those for pasv connections, I'd rather use the ip_conntrack_ftp option
> though. Is it of any matter that my ftp server uses a non standard port
> (24562) ??

Er -- just how do you think ip_conntrack_ftp knows that port 24562 is FTP unless you tell it?

In /etc/modules.conf (or whatever your distro calls it), add:

    options ip_nat_ftp ports=21,24562
    options ip_conntrack_ftp ports=21,24562

And, you will have to unload/reload those two modules.

-Tom
dang :-) thank you so much ! didn't get the idea :-)

I always wonder how I can see all available options a module has... source code I guess...

thx a lot again!

Christophe

> Er -- just how do you think ip_conntrack_ftp knows that port 24562 is FTP
> unless you tell it?
>
> In /etc/modules.conf (or whatever your distro calls it), add:
>
> options ip_nat_ftp ports=21,24562
> options ip_conntrack_ftp ports=21,24562
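The exchange above comes down to one check a firewall admin wants to be able to run: are ip_conntrack_ftp and ip_nat_ftp loaded, and does their "ports=" module parameter include the non-standard control port, since both helpers only watch port 21 by default and a PASV data connection negotiated on an unlisted port is never picked up by connection tracking (which is why a static passive range such as 2000-2100 had to stay open). The script below is an added example, not from the list thread and not part of Shorewall; the lsmod output and modules.conf contents it parses are constructed samples embedded so it runs offline, and on a real 2.4 box you would feed it `lsmod` and the real /etc/modules.conf instead. As for seeing which options a module accepts, `modinfo -p <module>` lists its parameters.

```shell
#!/bin/sh
# Added example (not from the Shorewall list or from Shorewall itself):
# read-only check that the 2.4 FTP conntrack/NAT helpers are loaded and
# that their "ports=" parameter covers a non-standard FTP control port.

# Constructed samples standing in for `lsmod` output and /etc/modules.conf
# so the script runs offline. On a real host use:
#   LSMOD_TEXT=$(lsmod); MODCONF_TEXT=$(cat /etc/modules.conf)
LSMOD_TEXT='Module                  Size  Used by
ip_nat_ftp              3936   0 (unused)
ip_conntrack_ftp        4576   0 (unused)
ip_conntrack           20268   5 (autoclean) [ip_nat_ftp ip_conntrack_ftp]'

# Note the deliberate gap: only ip_nat_ftp has been told about port 24562.
MODCONF_TEXT='options ip_nat_ftp ports=21,24562
options ip_conntrack_ftp ports=21'

# module_loaded NAME LSMOD_TEXT: exit 0 if NAME is in lsmod's first column.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# helper_ports MODULE MODCONF_TEXT: print the value of the ports= parameter
# on the "options MODULE ..." line; prints nothing when no such option exists.
helper_ports() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $1 == "options" && $2 == m {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^ports=/) { sub(/^ports=/, "", $i); print $i }
        }'
}

# port_tracked MODULE PORT MODCONF_TEXT: exit 0 if PORT is in MODULE's list.
# Without a ports= option the helper only watches its built-in default, 21.
port_tracked() {
    ports=$(helper_ports "$1" "$3")
    [ -n "$ports" ] || ports=21
    printf '%s\n' "$ports" | tr ',' '\n' | grep -qx "$2"
}

# check_ftp_helpers PORT LSMOD_TEXT MODCONF_TEXT: print one line per helper
# and return the number of problems found (0 = PASV FTP on PORT is tracked
# and NATed; a non-zero result means a static passive range is still needed).
check_ftp_helpers() {
    port=$1; problems=0
    for mod in ip_conntrack_ftp ip_nat_ftp; do
        if ! module_loaded "$mod" "$2"; then
            echo "MISSING: $mod is not loaded"
            problems=$((problems + 1))
        elif ! port_tracked "$mod" "$port" "$3"; then
            echo "UNTRACKED: $mod does not watch port $port (add: options $mod ports=21,$port)"
            problems=$((problems + 1))
        else
            echo "OK: $mod tracks port $port"
        fi
    done
    return "$problems"
}

# Run against the constructed samples for the server port from the thread.
check_ftp_helpers 24562 "$LSMOD_TEXT" "$MODCONF_TEXT"
echo "problems found: $?"
```

Both helpers have to list the port: ip_conntrack_ftp parses the PASV/PORT exchange and opens the expected data connection, and ip_nat_ftp rewrites the addresses inside it when the server sits behind NAT, so a port present in only one of the two options lines (as in the constructed sample) still leaves passive transfers broken. After editing the options lines the modules must be unloaded and reloaded, as the thread says, because the parameter is only read at load time.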
Hi,

ok it works if I let shorewall pass the params, however I noticed fxp doesn't work. There is a patch for the ip_conntrack_ftp module, though not for recent kernels. I wonder if there is anything shorewall can "do" about it. Or maybe someone got the patched module for 2.4.16 ?

best regards,
Christophe

On Mon, 2002-01-21 at 15:41, Tom Eastep wrote:

> Er -- just how do you think ip_conntrack_ftp knows that port 24562 is FTP
> unless you tell it?
>
> In /etc/modules.conf (or whatever your distro calls it), add:
>
> options ip_nat_ftp ports=21,24562
> options ip_conntrack_ftp ports=21,24562
>
> And, you will have to unload/reload those two modules.

-- 
Christophe Zwecker :Sysctl
Susannenstr. 26-28
20357 Hamburg
phon/fax: +49 40 43099296/7
mail: czwecker@sysctl.de