Goetz Reinicke
2002-Apr-26 18:13 UTC
[Shorewall-users] ftp works in a strange way.....or....
Hi,

I used a squid proxy to handle http(s) and ftp, but for some reasons I don't want to use a proxy any more using manual proxy configuration settings. So I tried the transparent squid settings and could use http, but no ftp or https :-(

AFAIK this is a "problem" with squid, so I "played around" with shorewall and some options and now I have the following config:

I added IP_FORWARDING="on" in the shorewall.conf and have the following rules for ftp:

ACCEPT fw net tcp ftp
ACCEPT fw local tcp ftp

So can anyone explain to me, why my ftp clients are allowed to connect to ftp-servers at the internet??

Thanks for hints!

cu...
...Götz

-
Götz Reinicke
mailto: greinick@filmakademie.de
IT Koordinator
Tel: 07141/969-420
IT-OfficeNet Filmakademie Baden-Württemberg
Fax: 07141/969-55420
Mathildenstr. 20, 71638 Ludwigsburg
www.filmakademie.de
Goetz Reinicke wrote:
> ...
> I added IP_FORWARDING="on" in the shorewall.conf and have the following
> rules for ftp:
>
> ACCEPT fw net tcp ftp
> ACCEPT fw local tcp ftp
>
> So can anyone explain to me, why my ftp clients are allowed to connect
> to ftp-servers at the internet??

What is your loc -> net policy? If it's accept, then they can get there without needing any rules.

Paul
http://paulgear.webhop.net
Goetz Reinicke
2002-Apr-27 08:53 UTC
[Shorewall-users] ftp works in a strange way.....or....
Paul Gear wrote:
> Goetz Reinicke wrote:
>
>> ...
>> I added IP_FORWARDING="on" in the shorewall.conf and have the following
>> rules for ftp:
>>
>> ACCEPT fw net tcp ftp
>> ACCEPT fw local tcp ftp
>>
>> So can anyone explain to me, why my ftp clients are allowed to connect
>> to ftp-servers at the internet??
>
> What is your loc -> net policy? If it's accept, then they can get there
> without needing any rules.

:-) RTFM *bangingheadagainstthewall*

default rule:

local net ACCEPT

So that means also, as I have enabled IP_FORWARDING, I have to disable some services and ports I don't want by special rule in the rule file!? (e.g. news)

BTW: In my rule-file I have rules like:

ACCEPT local:172.17.20.40 net udp ntp
ACCEPT local:172.17.1.251 net tcp domain
ACCEPT local:172.17.1.251 net udp domain

so with the default policy in mind, are dns requests rejected from other hosts to the Internet, or do I have to add a rule like

DROP local net udp ntp,domain
DROP local net tcp domain

Thanks for help.

cu...
...Götz
Goetz Reinicke wrote:
> ...
> default rule:
>
> local net ACCEPT
>
> So that means also, as I have enabled IP_FORWARDING, I have to disable
> some services and ports I don't want by special rule in the rule file!?
> (e.g. news)

Correct.

> ...
> so with the default policy in mind, are dns requests rejected from other
> hosts to the Internet, or do I have to add a rule like
>
> DROP local net udp ntp,domain
> DROP local net tcp domain

What you need to remember is: rules are exceptions to policies. So if your policy says accept, then you must add a rule if you want to drop/reject. The same goes for the opposite situation.

Paul
http://paulgear.webhop.net
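The "rules are exceptions to policies" point, as an added example that is not part of the thread: a small Python model (assumed here, not Shorewall's own code) in which rules are tried in file order, the first match decides, and the loc -> net policy applies only when no rule matches. Run over the poster's DNS/NTP rules it shows why the per-host ACCEPT lines must sit above the catch-all DROP lines; the 172.17.20.7 address is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: the loc -> net policy the poster found in effect.
# Assumption (a model, not Shorewall's code): rules are tried in file order, the
# first matching rule decides, and the zone-pair policy applies when none matches.
POLICIES = {("local", "net"): "ACCEPT"}

def parse_rule(line):
    """Parse 'ACTION SRC[:HOST] DST PROTO PORT[,PORT...]' as in the poster's rules file."""
    action, src, dst, proto, ports = line.split()
    zone, _, host = src.partition(":")
    return {"action": action, "src_zone": zone,
            "src_host": ip_network(host) if host else None,
            "dst_zone": dst, "proto": proto, "ports": set(ports.split(","))}

def evaluate(rules, policies, pkt):
    """Verdict for one connection attempt; pkt keys: src_zone, src_ip, dst_zone, proto, port."""
    for r in rules:
        if (r["src_zone"], r["dst_zone"], r["proto"]) != \
                (pkt["src_zone"], pkt["dst_zone"], pkt["proto"]):
            continue
        if pkt["port"] not in r["ports"]:
            continue
        if r["src_host"] is not None and ip_address(pkt["src_ip"]) not in r["src_host"]:
            continue
        return r["action"]  # first matching rule is the exception that applies
    return policies[(pkt["src_zone"], pkt["dst_zone"])]  # no exception: policy decides

# The poster's per-host ACCEPT rules followed by the catch-all DROP rules.
RULES_ORDERED = [parse_rule(l) for l in (
    "ACCEPT local:172.17.20.40 net udp ntp",
    "ACCEPT local:172.17.1.251 net tcp domain",
    "ACCEPT local:172.17.1.251 net udp domain",
    "DROP local net udp ntp,domain",
    "DROP local net tcp domain",
)]
# Same lines with the DROP rules first: the exceptions are never reached.
RULES_DROP_FIRST = RULES_ORDERED[3:] + RULES_ORDERED[:3]

def dns_verdicts(rules):
    """(verdict for the DNS server, verdict for another local host) for UDP DNS to the net."""
    pkt = {"src_zone": "local", "dst_zone": "net", "proto": "udp", "port": "domain"}
    server = evaluate(rules, POLICIES, {**pkt, "src_ip": "172.17.1.251"})
    other = evaluate(rules, POLICIES, {**pkt, "src_ip": "172.17.20.7"})  # constructed host
    return server, other

if __name__ == "__main__":
    print("no rules, policy only:", dns_verdicts([]))                 # ('ACCEPT', 'ACCEPT')
    print("ACCEPT before DROP:   ", dns_verdicts(RULES_ORDERED))      # ('ACCEPT', 'DROP')
    print("DROP before ACCEPT:   ", dns_verdicts(RULES_DROP_FIRST))   # ('DROP', 'DROP')
```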