Hello everyone,

I run a Pure-FTP server on my DMZ. I can specify with Pure-ftp what ports will be used for clients when they connect with passive mode. I entered 50000 50400, so I have enough for 200 users at the same time. Then the pure-ftp website tells me to open up those ports on the firewall.

How do I do this? In my rules file is now something like:

ACCEPT net dmz:10.0.0.2 tcp ssh,http,smtp,389,8010,ftp,imap,imaps - all

to send all this traffic on to the 10.0.0.2 dmz machine. Should I add all those 400 ports?? Or can I use something like "50000-50400" or another abbreviation?

Greetings from the Netherlands,
Harry Westerman
--On Saturday, December 21, 2002 11:08 PM +0100 Harry Westerman <hwesterman@cistron.nl> wrote:

> How do I do this? In my rules file is now something like:
>
> ACCEPT net dmz:10.0.0.2 tcp ssh,http,smtp,389,8010,ftp,imap,imaps - all
>
> to send all this traffic on to the 10.0.0.2 dmz machine. Should I add all
> those 400 ports?? Or can I use something like "50000-50400" or another
> abbreviation?

You actually don't have to do any of these things with Shorewall in order for passive FTP to work.

If you are using a modular kernel, just be sure that the ip_conntrack_ftp module is being loaded and passive FTP will "just work".

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
--On Saturday, December 21, 2002 2:15 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Saturday, December 21, 2002 11:08 PM +0100 Harry Westerman
> <hwesterman@cistron.nl> wrote:
>
>> How do I do this? In my rules file is now something like:
>>
>> ACCEPT net dmz:10.0.0.2 tcp ssh,http,smtp,389,8010,ftp,imap,imaps - all
>>
>> to send all this traffic on to the 10.0.0.2 dmz machine. Should I add all
>> those 400 ports?? Or can I use something like "50000-50400" or another
>> abbreviation?
>
> You actually don't have to do any of these things with Shorewall in order
> for passive FTP to work.
>
> If you are using a modular kernel, just be sure that the ip_conntrack_ftp
> module is being loaded and passive FTP will "just work".

If you ever do need to specify a port range however, check http://shorewall.sf.net/configuration_file_basics.htm under the heading "Port Ranges".

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Hi Tom!

Thanks for your quick answer (as always). Didn't know that ip_conntrack_ftp did all that.

But my other question? Is there a way to enter ranges of ports with a - in the middle?

I use MLDonkey on my firewall, with a client on my XP machine in the loc zone. So I entered this in the rules file:

# mldonkey gui
ACCEPT loc $FW tcp 4001
ACCEPT vpn $FW tcp 4001
ACCEPT net $FW tcp 4660,4661,4662,4663,4664,4665,4666,4667,4668,4669,4670,5036,18900,2754
ACCEPT net $FW udp 4666,4667,4668,4669,4670,4671,4672,4673,4674,4675,4676,18900,2754

As you would imagine, I wanted to say that the ports 4660 until 4670 are to be ACCEPTed :-) Is this the only way at the moment?

Greetings!
Harry Westerman

> You actually don't have to do any of these things with Shorewall in order
> for passive FTP to work.
Hi Harry,

On Sat, 2002-12-21 at 23.22, Harry Westerman wrote:

> [...]
> As you would imagine, I wanted to say that the ports 4660 until 4670 are to
> be ACCEPTed :-) Is this the only way at the moment?

You can just write 4660:4670, so that one of your rules would look like this for example:

ACCEPT net $FW tcp 4660:4670,5036,18900

Greets
Dennis
--
Dennis Borngraeber
"One geek to rule them all, one geek to find them. One geek to bring them all, and in the darkness... frag them."
--On Sunday, December 22, 2002 12:25:54 AM +0100 Dennis Borngraeber <dennis@borngraeber.net> wrote:

> Hi Harry,
>
> On Sat, 2002-12-21 at 23.22, Harry Westerman wrote:
>> [...]
>> As you would imagine, I wanted to say that the ports 4660 until 4670 are
>> to be ACCEPTed :-) Is this the only way at the moment?
>
> You can just write 4660:4670, so that one of your rules would look like
> this for example:
>
> ACCEPT net $FW tcp 4660:4670,5036,18900

If you set MULTIPORT=Yes in shorewall.conf however then it is better to write this as two rules:

ACCEPT net $FW tcp 4660:4670
ACCEPT net $FW tcp 5036,18900

Port ranges can't be included in a multiport list so when Shorewall sees the list as you wrote it, it generates three rules:

ACCEPT net $FW tcp 4660:4670
ACCEPT net $FW tcp 5036
ACCEPT net $FW tcp 18900

The way that I wrote it, there are only two rules generated (the second uses multiport).

So by breaking your rule into two rules, you will end up with one less iptables rule.

There is a new multiport-like facility in the NetFilter Patch-o-matic patch set that allows port ranges in a port list. If and when that facility is available in Linus's kernels, I will add support in Shorewall.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
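The expansion Tom describes, modelled in Python as an added example (this is not code from the thread or from Shorewall itself): a port list holding a range can't use the iptables multiport match, so every entry becomes its own rule, while a list of single ports collapses into one multiport rule. Chain names like net2fw follow Shorewall's zone-to-zone naming; the rule text and the 15-port multiport limit are simplifications assumed here for illustration, and note that current kernels do accept ranges inside multiport, so this reflects the 2002 behaviour.

```python
MULTIPORT_MAX = 15  # the iptables multiport match takes at most 15 ports per rule


def parse_ports(spec):
    """Split '4660:4670,5036,18900' into ranges [(4660, 4670)] and singles [5036, 18900]."""
    ranges, singles = [], []
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = (int(p) for p in item.split(":", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {item!r}")
            ranges.append((lo, hi))
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port {item!r}")
            singles.append(port)
    return ranges, singles


def expand_rule(src_zone, dst_zone, proto, spec, multiport=True):
    """iptables rules generated by one Shorewall 'ACCEPT src dst proto ports' line."""
    chain = f"{src_zone}2{dst_zone}"  # Shorewall's zone-to-zone chain name
    ranges, singles = parse_ports(spec)
    head = f"-A {chain} -p {proto}"
    # Multiport is only usable when the list holds single ports and no range;
    # one range in the list pushes the whole line back to one rule per entry.
    if multiport and not ranges and len(singles) > 1:
        rules = []
        for i in range(0, len(singles), MULTIPORT_MAX):
            group = ",".join(str(p) for p in singles[i:i + MULTIPORT_MAX])
            rules.append(f"{head} -m multiport --dports {group} -j ACCEPT")
        return rules
    return ([f"{head} --dport {lo}:{hi} -j ACCEPT" for lo, hi in ranges]
            + [f"{head} --dport {p} -j ACCEPT" for p in singles])


def rule_count(lines, multiport=True):
    """Total iptables rules for a list of (src, dst, proto, ports) Shorewall lines."""
    return sum(len(expand_rule(*line, multiport=multiport)) for line in lines)


if __name__ == "__main__":
    mixed = [("net", "fw", "tcp", "4660:4670,5036,18900")]
    split = [("net", "fw", "tcp", "4660:4670"), ("net", "fw", "tcp", "5036,18900")]
    for label, lines in (("one mixed line", mixed), ("range split out", split)):
        print(f"{label}: {rule_count(lines)} iptables rules")  # 3 and 2
```

Running it with multiport=False shows both layouts cost three rules, which is why the saving only appears with MULTIPORT=Yes.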
Hi Tom,

On Sun, 2002-12-22 at 02.29, Tom Eastep wrote:

> If you set MULTIPORT=Yes in shorewall.conf however then it is better to
> write this as two rules:
>
> ACCEPT net $FW tcp 4660:4670
> ACCEPT net $FW tcp 5036,18900
>
> Port ranges can't be included in a multiport list so when Shorewall sees
> the list as you wrote it, it generates three rules:
>
> ACCEPT net $FW tcp 4660:4670
> ACCEPT net $FW tcp 5036
> ACCEPT net $FW tcp 18900
>
> The way that I wrote it, there are only two rules generated (the second
> uses multiport).
>
> So by breaking your rule into two rules, you will end up with one less
> iptables rule.
>
> There is a new multiport-like facility in the NetFilter Patch-o-matic patch
> set that allows port ranges in a port list. If and when that facility is
> available in Linus's kernels, I will add support in Shorewall.

Thanks for this tip, didn't know that it is this way!

Dennis
--
Dennis Borngraeber
If windows is the solution, can we please have the problem back.