Hello, I can't transfer data by FTP. I explain: I've installed Shorewall on a Mandrake distribution (mdk9.1) and I've also installed an FTP server on the same machine. For a good while it was ok, I could make FTP exchanges between my workstation on the local network and the FW/Proftpd. But today (and I don't know exactly why), I can connect to the FTP server but I can't retrieve/send any file. If I watch traces in /var/log/messages, I can see there are REJECT actions from Shorewall:

Nov 28 19:27:00 webser kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.0.15 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=50863 DF PROTO=TCP SPT=1214 DPT=48161 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 28 19:27:01 webser kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.0.15 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=50882 DF PROTO=TCP SPT=1214 DPT=48161 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 28 19:27:01 webser kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.0.15 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=50887 DF PROTO=TCP SPT=1214 DPT=48161 WINDOW=65535 RES=0x00 SYN URGP=0

I have Shorewall version 1.4.6c.
192.168.0.10 is the FW/FTP server
192.168.0.15 is the workstation

I still have the "ACCEPT ftp" rule configured and I access the FTP server in PASV mode. I haven't found any response in the archives... Any idea why this doesn't work anymore? Thank you.

Laurent
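An added example (mine, not from the poster or the Shorewall project) that parses Shorewall kernel log lines like the ones above and pulls out the tell-tale pattern: new TCP connections from the FTP client to an unprivileged port on the FTP server that fell through to the all2all policy chain. With the ip_conntrack_ftp helper loaded, those passive-mode data connections are RELATED to the control session and never reach the policy chain. The sample log, the shortened MAC and the 203.0.113.7 address are constructed.

```python
import re

# Constructed sample: two REJECT lines shaped like the ones in the post
# (MAC shortened) plus one unrelated DROP of an inbound SSH probe.
SAMPLE_LOG = """\
Nov 28 19:27:00 webser kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX SRC=192.168.0.15 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=50863 DF PROTO=TCP SPT=1214 DPT=48161 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 28 19:27:01 webser kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX SRC=192.168.0.15 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=50882 DF PROTO=TCP SPT=1214 DPT=48161 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 28 19:27:05 webser kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=XX:XX:XX:XX:XX:XX SRC=203.0.113.7 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" then netfilter fields.
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")

def parse_line(line):
    """Return chain, disposition and the key=value fields of one log line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)  # "OUT=" -> ("OUT", "")
    return {
        "chain": m.group("chain"), "action": m.group("action"),
        "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": "SYN" in tokens,  # TCP flags are bare tokens, not key=value
    }

def unrelated_ftp_data_connections(log_text, ftp_server):
    """Rejected/dropped SYNs to an unprivileged port on ftp_server.

    Each hit is (client, server_port, chain).  A burst of these from one
    client, all landing in a policy chain such as all2all, is what a
    missing FTP conntrack helper looks like in /var/log/messages.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] not in ("REJECT", "DROP"):
            continue
        if (rec["dst"] == ftp_server and rec["proto"] == "TCP" and rec["syn"]
                and rec["dpt"] is not None and rec["dpt"] >= 1024):
            hits.append((rec["src"], rec["dpt"], rec["chain"]))
    return hits
```

After loading the helper, re-run the function over fresh log lines: the passive-mode hits should disappear while unrelated policy hits (like the DPT=22 probe) still show up in the parsed records.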
On Fri, 2003-11-28 at 11:03, Laurent Barbareau wrote:
> 
> Any idea why this doesn't work anymore?
> 

Mandrake recently changed their naming convention for modules -- you must be running Shorewall 1.4.8 if you want Shorewall to automatically load modules such as the FTP helpers.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-11-28 at 11:06, Tom Eastep wrote:
> On Fri, 2003-11-28 at 11:03, Laurent Barbareau wrote:
> > 
> > Any idea why this doesn't work anymore?
> > 
> 
> Mandrake recently changed their naming convention for modules -- you
> must be running Shorewall 1.4.8 if you want Shorewall to automatically
> load modules such as the FTP helpers.

Make that Shorewall 1.4.7. And if you would have looked at FAQ #29 ("FTP doesn't work"), you would have found this information.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
I need to add the following information to my shorewall configuration. I wonder if my adjustments to the 'rule' file are correct. Could someone please comment.

Allow UDP (source port any, destination ports 5198-5199) from Internet to PC
Allow UDP (source port any, destination ports 5198-5199) from PC to Internet
Allow TCP (source port any, destination port 5200) from PC to Internet

I amended my 'rules' file to contain the following new information.

accept loc net udp 5198,5199
accept net net udp 5198,5199
accept loc net tcp 5200

---
Ted Gervais, Coldbrook, Nova Scotia, Canada
On Fri, 2003-11-28 at 11:53, Ted Gervais wrote:
> I need to add the following information to my shorewall configuration. I
> wonder if my adjustments to the 'rule' file are correct.
> Could someone please comment.
> 
> 
> Allow UDP (source port any, destination ports 5198-5199) from Internet to PC
> Allow UDP (source port any, destination ports 5198-5199) from PC to Internet
> Allow TCP (source port any, destination port 5200) from PC to Internet

Which PC? The PC that the firewall is running on? A PC behind the firewall? The PC over at your neighbor's house?

> 
> I amended my 'rules' file to contain the following new information.
> 
> accept loc net udp 5198,5199
> accept net net udp 5198,5199
> accept loc net tcp 5200

a) "accept" isn't a valid disposition -- "ACCEPT" is.
b) If the "PC" in question is behind your firewall and you have the default loc->net policy of ACCEPT then your loc->net rules are just extra nonsense.
c) You show a "net->net" rule -- I haven't a clue what that's about.

I suspect that you really wanted a DNAT rule for UDP ports 5198:5199 -- see FAQs 1 and 30.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
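An added example (mine, not the list's or Shorewall's own code) that turns the three review points above into a small lint over the posted rules, using the Shorewall 1.4 rules-file columns ACTION SOURCE DEST PROTO DEST-PORT(S). The policy table (loc->net ACCEPT, net->all DROP, all->all REJECT), the simplified first-match policy lookup and the 192.0.2.10 PC address are assumptions.

```python
# Constructed two-zone policy table; Shorewall evaluates policy entries in
# file order, first match wins, and "all" is a wildcard zone.
POLICY = [("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

# The three rules exactly as posted in the question above.
POSTED_RULES = """\
accept loc net udp 5198,5199
accept net net udp 5198,5199
accept loc net tcp 5200
"""

# Dispositions accepted in the ACTION column (upper-case is mandatory).
ACTIONS = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT", "CONTINUE", "LOG", "QUEUE"}

def policy_for(src_zone, dst_zone, policy=POLICY):
    """Disposition of the first policy entry matching the zone pair."""
    for s, d, disposition in policy:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return disposition
    return None

def lint_rules(text, net_zone="net", policy=POLICY):
    """Return (line_no, finding) pairs for the contents of a rules file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cols = line.split()
        if not cols or cols[0].startswith("#"):
            continue
        action, src, dst = cols[0], cols[1], cols[2]
        src_zone, dst_zone = src.split(":")[0], dst.split(":")[0]  # strip "zone:addr"
        if action not in ACTIONS:
            findings.append((n, "invalid-disposition"))      # point a): accept vs ACCEPT
        if src_zone == dst_zone == net_zone:
            findings.append((n, "net-to-net"))               # point c): wants DNAT instead
        elif action.upper() == "ACCEPT" and policy_for(src_zone, dst_zone, policy) == "ACCEPT":
            findings.append((n, "redundant-with-policy"))    # point b): policy already accepts
    return findings

def dnat_rule(pc_ip, proto, ports, net_zone="net", loc_zone="loc"):
    """Port-forward rule in 1.4 syntax; a port range uses a colon (5198:5199)."""
    return "DNAT %s %s:%s %s %s" % (net_zone, loc_zone, pc_ip, proto, ports)
```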
Sorry Tom for being a little short with my question. I tried to keep it short to be more to the point but I guess sometimes that can be the wrong thing. What I have is an application I want to run on my Windows machine. It is called EchoLink. My setup is a Linux machine as my router/firewall, from which I have two Windows machines that make up my LAN.

Here is an additional statement that covers what has to be done. The summary I initially gave was a condensed version of the following.

EchoLink requires that your router or firewall allow inbound and outbound UDP to destination ports 5198 and 5199, and outbound TCP to port 5200. Source ports are dynamically assigned. If you are using a home-network router, you will also need to configure the router to "forward" UDP ports 5198 and 5199 to the PC on which EchoLink is running.

At 12:10 PM 11/28/2003 -0800, you wrote:
>On Fri, 2003-11-28 at 11:53, Ted Gervais wrote:
> > I need to add the following information to my shorewall configuration. I
> > wonder if my adjustments to the 'rule' file are correct.
> > Could someone please comment.
> >
> >
> > Allow UDP (source port any, destination ports 5198-5199) from Internet to PC
> > Allow UDP (source port any, destination ports 5198-5199) from PC to Internet
> > Allow TCP (source port any, destination port 5200) from PC to Internet
>
>Which PC? The PC that the firewall is running on? A PC behind the
>firewall? The PC over at your neighbor's house?
>
> >
> > I amended my 'rules' file to contain the following new information.
> >
> > accept loc net udp 5198,5199
> > accept net net udp 5198,5199
> > accept loc net tcp 5200
>
>a) "accept" isn't a valid disposition -- "ACCEPT" is.
>b) If the "PC" in question is behind your firewall and you have the
>default loc->net policy of ACCEPT then your loc->net rules are just
>extra nonsense.
>c) You show a "net->net" rule -- I haven't a clue what that's about. I
>suspect that you really wanted a DNAT rule for UDP ports 5198:5199 --
>see FAQs 1 and 30.
>
>-Tom
>--
>Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
>
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe:
>https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm

---
Ted Gervais, Coldbrook, Nova Scotia, Canada
Thank you Tom. I've updated to 1.4.8 and now it works (not easy with a buggy FTP client ;-) )... I hope it is not just a coincidence. Now I have the ip_nat_ftp and ip_conntrack_ftp modules loaded (after a reboot only); they were not before.

Laurent.

> Make that Shorewall 1.4.7. And if you would have looked at FAQ #29 ("FTP
> doesn't work"), you would have found this information.
> 
> -Tom
On Fri, 28 Nov 2003, Ted Gervais wrote:
> 
> 
> Sorry Tom for being a little short with my question. I tried to keep it
> short to be more to the point but I guess sometimes that can be the wrong
> thing. What I have is an application I want to run on my Windows machine
> . It is called echolink. My setup is a Linux machine as my
> router/firewall, from which I have two windows machines that make up my lan.
> 

Then you are going to have to pick one of them to run echolink.

> Here is an additional statement that covers what has to be done. The
> summary I initially gave was a condensed version of the following.
> 
> 
> EchoLink requires that your router or firewall allow inbound and outbound
> UDP to destination ports 5198 and 5199, and outbound TCP to port
> 5200. Source ports are dynamically assigned. If you are using a
> home-network router, you will also need to configure the router to
> "forward" UDP ports 5198 and 5199 to the PC on which EchoLink is running.
> 

Ok -- go ahead and forward those ports.

FAQ #1 tells you everything you need to know.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom. I set up a DNAT statement just like it suggested in FAQ #1 and all is working well. Thanks for your patience and assistance. It is greatly appreciated.

At 04:19 PM 11/28/2003 -0800, you wrote:
>On Fri, 28 Nov 2003, Ted Gervais wrote:
> >
> >
> > Sorry Tom for being a little short with my question. I tried to keep it
> > short to be more to the point but I guess sometimes that can be the wrong
> > thing. What I have is an application I want to run on my Windows machine
> > . It is called echolink. My setup is a Linux machine as my
> > router/firewall, from which I have two windows machines that make up my
> lan.
> >
>
>Then you are going to have to pick one of them to run echolink.
>
> > Here is an additional statement that covers what has to be done. The
> > summary I initially gave was a condensed version of the following.
> >
> >
> > EchoLink requires that your router or firewall allow inbound and outbound
> > UDP to destination ports 5198 and 5199, and outbound TCP to port
> > 5200. Source ports are dynamically assigned. If you are using a
> > home-network router, you will also need to configure the router to
> > "forward" UDP ports 5198 and 5199 to the PC on which EchoLink is running.
> >
>
>Ok -- go ahead and forward those ports.
>
>FAQ #1 tells you everything you need to know.
>
>-Tom
>--
>Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net

---
Ted Gervais, Coldbrook, Nova Scotia, Canada