Hello,

I am using Redhat 9.0
Shorewall 1.4.6a
2 Interface setup.
And NAT.

Shorewall Policy:
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

When I try to ftp to an External IP on port 31, from any of the PC on the lan I just get,
"Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for response."

But if I try it from the gateway firewall PC where shorewall is running it connects fine.

Thank you.
P. Hennessy
On Wed, 2003-09-17 at 11:08, P Hennessy wrote:
> Hello,
>
> I am using Redhat 9.0
> Shorewall 1.4.6a
> 2 Interface setup.
> And NAT.
>
> Shorewall Policy:
> loc net ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> When I try to ftp to an External IP on port 31, from any of the PC on the lan
> I just get,
> "Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for response."
>
> But if I try it from the gateway firewall PC where shorewall is running it
> connects fine.
>

This is FAQ #29!!!!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
This is not connecting to any of my pc's. It is ftping to an external IP on the internet.
Every other IP I ftp to, using other ports than 31 works fine.

>From: Tom Eastep <teastep@shorewall.net>
>Reply-To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>Subject: Re: [Shorewall-users] FTP connection problem
>Date: 17 Sep 2003 11:11:05 -0700
>
>On Wed, 2003-09-17 at 11:08, P Hennessy wrote:
> > Hello,
> >
> > I am using Redhat 9.0
> > Shorewall 1.4.6a
> > 2 Interface setup.
> > And NAT.
> >
> > Shorewall Policy:
> > loc net ACCEPT
> > fw net ACCEPT
> > net all DROP info
> > all all REJECT info
> >
> > When I try to ftp to an External IP on port 31, from any of the PC on the lan
> > I just get,
> > "Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for response."
> >
> > But if I try it from the gateway firewall PC where shorewall is running it
> > connects fine.
> >
>
>This is FAQ #29!!!!
>
>-Tom
>--
>Tom Eastep \ Shorewall - iptables made easy
>Shoreline, \ http://shorewall.net
>Washington USA \ teastep@shorewall.net
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 2003-09-17 at 11:36, P Hennessy wrote:
> This is not connecting to any of my pc's. It is ftping to an external IP on
> the internet.
> Every other IP I ftp to, using other ports than 31 works fine.

Follow the link in FAQ #29 and READ!!!!!!!!!!!!!!!!

-tOM
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
I read FAQ #29 and it doesn't seem to have anything to do with what I am asking.
The ftp server is not at my end. I am trying to connect to a ftp server on the internet which has nothing to do with me.
I can connect to it from the firewall gateway pc where shorewall is running.
But I can not connect to it from any other pc on my lan.
If the firewall can connect to it, why can't any other pc.

ip_nat_ftp, and ip_conntrack_ftp are running

>From: Tom Eastep <teastep@shorewall.net>
>Reply-To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>Subject: Re: [Shorewall-users] FTP connection problem
>Date: 17 Sep 2003 11:40:18 -0700
>
>On Wed, 2003-09-17 at 11:36, P Hennessy wrote:
> > This is not connecting to any of my pc's. It is ftping to an external IP on
> > the internet.
> > Every other IP I ftp to, using other ports than 31 works fine.
>
>Follow the link in FAQ #29 and READ!!!!!!!!!!!!!!!!
>
>-tOM
>--
>Tom Eastep \ Shorewall - iptables made easy
>Shoreline, \ http://shorewall.net
>Washington USA \ teastep@shorewall.net
On Wed, 2003-09-17 at 12:03, P Hennessy wrote:
> I read FAQ #29 and it doesn't seem to have anything to do with what I am
> asking.
> The ftp server is not at my end. I am trying to connect to a ftp server on
> the internet which has nothing to do with me.
> I can connect to it from the firewall gateway pc where shorewall is running.
> But I can not connect to it from any other pc on my lan.
> If the firewall can connect to it, why can't any other pc.
>
> ip_nat_ftp, and ip_conntrack_ftp are running
>

I can lead you to the water -- I can't make you drink.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Wed, 2003-09-17 at 12:14, Tom Eastep wrote:
> On Wed, 2003-09-17 at 12:03, P Hennessy wrote:
> > I read FAQ #29 and it doesn't seem to have anything to do with what I am
> > asking.
> > The ftp server is not at my end. I am trying to connect to a ftp server on
> > the internet which has nothing to do with me.
> > I can connect to it from the firewall gateway pc where shorewall is running.
> > But I can not connect to it from any other pc on my lan.
> > If the firewall can connect to it, why can't any other pc.
> >
> > ip_nat_ftp, and ip_conntrack_ftp are running
> >
>
> I can lead you to the water -- I can't make you drink.
>

I've updated http://shorewall.net/FTP.html to make the relevant text BOLD and I have made the text even more explicit. Hopefully now you can find it...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
It doesn't get as far as
---> PASV
227 Entering Passive Mode
------------------------------------------------------------------------------

For example, if you run an FTP server that listens on port 49 or you need to access a server on the internet that listens on that port then you would have:

I am not running the FTP SERVER. I am the client.
-------------------------------------------------------------------------------

I also have these
ip_nat_ftp 4112 0 (unused)
ip_conntrack_irc 4112 1
ip_conntrack_ftp 5296 2
--------------------------------------------------------------------

When I connect to it from a lan pc I only get

"Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for response."
Nothing else.
--------------------------------------------------------------------------

When I connect from the firewall gateway pc I get

Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
--------------------------------------------------------------------------

>From: Tom Eastep <teastep@shorewall.net>
>Reply-To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>Subject: Re: [Shorewall-users] FTP connection problem
>Date: 17 Sep 2003 12:20:29 -0700
>
>On Wed, 2003-09-17 at 12:14, Tom Eastep wrote:
> > On Wed, 2003-09-17 at 12:03, P Hennessy wrote:
> > > I read FAQ #29 and it doesn't seem to have anything to do with what I am
> > > asking.
> > > The ftp server is not at my end. I am trying to connect to a ftp server on
> > > the internet which has nothing to do with me.
> > > I can connect to it from the firewall gateway pc where shorewall is running.
> > > But I can not connect to it from any other pc on my lan.
> > > If the firewall can connect to it, why can't any other pc.
> > >
> > > ip_nat_ftp, and ip_conntrack_ftp are running
> > >
> >
> > I can lead you to the water -- I can't make you drink.
> >
>
>I've updated http://shorewall.net/FTP.html to make the relevant text
>BOLD and I have made the text even more explicit. Hopefully now you can
>find it...
>
>-Tom
>--
>Tom Eastep \ Shorewall - iptables made easy
>Shoreline, \ http://shorewall.net
>Washington USA \ teastep@shorewall.net
On Wed, 2003-09-17 at 13:00, P Hennessy wrote:

I give up.....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Robert Coffman - Info From Data Corporation
2003-Sep-17 13:33 UTC
[Shorewall-users] FTP connection problem
Phil,

Stop. Read it very carefully. You are missing it because you have a preconceived notion of what it says. Read it again. Apologize to Tom.

- Bob Coffman

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net]On Behalf Of P Hennessy
Sent: Wednesday, September 17, 2003 4:00 PM
To: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] FTP connection problem

It doesn't get as far as
---> PASV
227 Entering Passive Mode
------------------------------------------------------------------------------

For example, if you run an FTP server that listens on port 49 or you need to access a server on the internet that listens on that port then you would have:

I am not running the FTP SERVER. I am the client.
-------------------------------------------------------------------------------

I also have these
ip_nat_ftp 4112 0 (unused)
ip_conntrack_irc 4112 1
ip_conntrack_ftp 5296 2
--------------------------------------------------------------------

When I connect to it from a lan pc I only get

"Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for response."
Nothing else.
--------------------------------------------------------------------------

When I connect from the firewall gateway pc I get

Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
On Wed, 2003-09-17 at 13:00, P Hennessy wrote:
> It doesn't get as far as
> ---> PASV
> 227 Entering Passive Mode
> ------------------------------------------------------------------------------
>
> For example, if you run an FTP server that listens on port 49 or you need to
> access a server on the internet that listens on that port then you would
> have:
>
> I am not running the FTP SERVER. I am the client.

Read the above ONE MORE TIME -- it says "...or you need to access a server on the internet that listens on that port...". Trust me -- to get this to work for active mode FTP you are going to have to specify port 31 to the FTP helper modules regardless of how stubbornly you refuse to correctly read the paragraph that contains the above text.

> -------------------------------------------------------------------------------
>
> I also have these
> ip_nat_ftp 4112 0 (unused)
> ip_conntrack_irc 4112 1
> ip_conntrack_ftp 5296 2
> --------------------------------------------------------------------
>
>
> When I connect to it from a lan pc I only get
>
> "Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for response."
> Nothing else.

a) Are you seeing any Shorewall messages when you try this.

b) Have you considered following the instructions at http://shorewall.net/support.htm that begin "This is Important!" (in bold red font).

c) You may have to use tcpdump to see what is really happening

    tcpdump -Xs 2048 -ni <external iface> host xxx.xxx.xxx.xxx

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
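Added example, not part of the thread and not Shorewall or kernel code: a simplified Python model of the point made in the reply above about active mode FTP. A NAT gateway's FTP helper only inspects control connections to the ports it was loaded for, so a PORT command sent to a server on port 31 arrives still carrying the LAN address unless 31 is in the helper's port list. The addresses, function names and the PORT command are constructed for illustration, and the model keeps the client's data port unchanged.

```python
import re

# Constructed sample values (assumptions, not taken from the thread).
LAN_CLIENT = "192.168.1.5"       # PC in the loc zone
GATEWAY_PUBLIC = "203.0.113.10"  # firewall's external address
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(line):
    """Return (ip, tcp_port) advertised by an FTP PORT command, or None."""
    m = PORT_CMD.match(line)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def nat_helper(line, server_port, helper_ports):
    """Simplified model of the gateway's FTP NAT helper.

    Only control connections to a port in helper_ports are inspected.
    Returns (line sent on to the server, data port to expect or None).
    """
    parsed = parse_port(line)
    if server_port not in helper_ports or parsed is None:
        return line, None  # passed through untouched, no expectation
    _, data_port = parsed
    hi, lo = divmod(data_port, 256)
    new = "PORT %s,%d,%d\r\n" % (GATEWAY_PUBLIC.replace(".", ","), hi, lo)
    return new, data_port


def demo():
    """Same PORT command to a server on port 31, two helper configurations."""
    # Client listens for the data connection on 19*256+137 = 5001.
    cmd = "PORT %s,19,137\r\n" % LAN_CLIENT.replace(".", ",")
    results = {}
    for label, ports in (("default", {21}), ("with_31", {21, 31})):
        sent, expect = nat_helper(cmd, 31, ports)
        results[label] = (parse_port(sent)[0], expect)
    return results


if __name__ == "__main__":
    for label, (ip, expect) in demo().items():
        print(label, "-> server is told", ip, "| expected data port:", expect)
```

With only port 21 configured the server is told to connect back to an unroutable LAN address and the gateway has no expectation for the incoming data connection; with 31 added both are in place.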
On Wed, 17 Sep 2003 20:00:20 +0000
"P Hennessy" <paddy667@hotmail.com> wrote:

> "Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for
> response."

This line has been quoted as "porn" by my anti-spam filter ;-)

-----------------------------------------------------------
INSTITUT DALLE MOLLE D'INTELLIGENCE ARTIFICIELLE PERCEPTIVE
Norbert Crettol
System Engineer
Tel: ++41-27-721.77.25
Fax: ++41-27-721.77.12
email : norbert.crettol@idiap.ch
Rue du Simplon 4-CP 592
CH-1920 Martigny
http://www.idiap.ch
--------------------------------------------------------
On Thu, 18 Sep 2003, Norbert Crettol wrote:
> On Wed, 17 Sep 2003 20:00:20 +0000
> "P Hennessy" <paddy667@hotmail.com> wrote:
>
> > "Connecting to xxx.xxx.xxx.xxx, Port 31. Connected, Waiting for
> > response."
>
> This line has been quoted as "porn" by my anti-spam filter ;-)
>

Then you have the world's stupidest anti-spam filter :-) -- Seriously, check out SpamAssassin.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net