Christian Schneider
2003-Mar-27 08:58 UTC
[Shorewall-users] Questions about ALLOWRELATED and active/passive FTP
Hi,

I have a few questions about shorewall. I use a linux server (net and loc interface) with shorewall 1.3.14 as a gateway for a local network to be able to connect to the internet. loc is masqueraded through the net interface of the server. I have to set special rules to allow connections from loc to net (as there is no policy "loc net ACCEPT", loc to net connections are rejected without setting special rules).

I want to use an ftp client (loc) to connect to an ftp server (net). My questions:

1.) Are both active and passive ftp possible? (If yes: Are there any special rules to be set for active ftp? Or do I have to pay attention to anything?)

2.) I tried the rule "ACCEPT loc net tcp 21" and the ftp client (passive mode) worked - I was able to download files from an ftp server, although there were no rules set for ftp data connections. I think that the reason is the variable "ALLOWRELATED=Yes" in the shorewall.conf file. What does "ALLOWRELATED" do _exactly_ (with ftp as well as with other protocols)? Is the rule mentioned above really the only rule which is needed for ftp connections from loc to net, or should I set further rules? As shorewall 1.4.0 works like 1.3.14 with "ALLOWRELATED=Yes", this question is interesting for the new shorewall version, too.

Thank you very much for your help.

Cheers,
Christian
Tom Eastep
2003-Mar-27 09:06 UTC
[Shorewall-users] Questions about ALLOWRELATED and active/passive FTP
On Thu, 27 Mar 2003, Christian Schneider wrote:

> Hi,
>
> I have a few questions about shorewall. I use a linux server (net and loc
> interface) with shorewall 1.3.14 as a gateway for a local network to be able
> to connect to the internet. loc is masqueraded through the net interface of
> the server. I have to set special rules to allow connections from loc to net
> (as there is no policy "loc net ACCEPT", loc to net connections are rejected
> without setting special rules).
> I want to use an ftp client (loc) to connect to an ftp server (net). My
> questions:
>
> 1.) Are both active and passive ftp possible?

Yes.

> (If yes: Are there any special rules to be set for active ftp? Or do I have
> to pay attention to anything?)

No.

> 2.) I tried the rule "ACCEPT loc net tcp 21" and the ftp client (passive
> mode) worked - I was able to download files from an ftp server, although
> there were no rules set for ftp data connections.

Yes. That's the way that netfilter works.

> I think that the reason is the variable "ALLOWRELATED=Yes" in the
> shorewall.conf file. What does "ALLOWRELATED" do _exactly_ (with ftp as
> well as with other protocols)? Is the rule mentioned above really the only
> rule which is needed for ftp connections from loc to net, or should I set
> further rules? As shorewall 1.4.0 works like 1.3.14 with "ALLOWRELATED=Yes",
> this question is interesting for the new shorewall version, too.

Christian -- to answer your last question with any detail would require that I reproduce most of the Netfilter documentation concerning connection tracking and "RELATED" connections. I therefore suggest that you look at the documentation on the netfilter site (http://www.netfilter.org).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
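As an added illustration, not code from this thread or from Shorewall's own rule generator, the netfilter rules that "ACCEPT loc net tcp 21" together with ALLOWRELATED=Yes boil down to, and why one control-channel rule is enough for both active and passive FTP. Interface names and the 2.4-kernel helper module names are assumptions; the function only prints the iptables commands rather than executing them.

```shell
#!/bin/sh
# Added example (not Shorewall's generated ruleset). Prints the netfilter
# rules behind "ACCEPT loc net tcp 21" + ALLOWRELATED=Yes for a masqueraded
# loc network. Interface and module names are assumptions for this example.

LOC_IF="eth1"   # assumed: interface towards the local (loc) network
NET_IF="eth0"   # assumed: interface towards the internet (net)

ftp_rules() {
    # The FTP conntrack helper reads PORT/PASV on the control channel and
    # registers the upcoming data connection as RELATED. The NAT helper
    # additionally rewrites the masqueraded address/port inside PORT.
    # Without these helpers, ESTABLISHED,RELATED only matches replies on
    # the control connection itself, and data transfers fail.
    echo "modprobe ip_conntrack_ftp"
    echo "modprobe ip_nat_ftp"

    # The Shorewall rule: a NEW connection from loc to net, tcp port 21.
    echo "iptables -A FORWARD -i $LOC_IF -o $NET_IF -p tcp --dport 21" \
         "-m state --state NEW -j ACCEPT"

    # ALLOWRELATED=Yes: accept whatever conntrack ties to an accepted
    # connection, in both directions. This covers
    #  - passive FTP: client (loc) -> server (net), to the port the server
    #    announced in its PASV reply, seen as RELATED in the loc->net path;
    #  - active FTP: server (net, source port 20) -> client (loc), to the
    #    port the client announced in PORT, seen as RELATED in the net->loc
    #    path, with the NAT expectation set up by ip_nat_ftp.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of iptables commands the ruleset emits (used as a self-check).
rule_count() {
    ftp_rules | grep -c '^iptables '
}

ftp_rules
```

Pipe the output to sh only on a test box; on a Shorewall gateway the equivalent rules are generated for you from /etc/shorewall/rules and shorewall.conf.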