Using Mandrake 9.2, shorewall 1.4.6c. Everything was working fine until one of the web servers I manage content for (my astronomy club, http://www.starastronomy.org) was "upgraded" to the newest Win2K. All of a sudden I can FTP into the machine, but I can't "ls" or "put" files. I *can* do these things if I turn off my policy of "DROP" for net to fw connections, and I *can* do every FTP command to every other machine, just not this one. I can't for the life of me figure out why this doesn't match my rule. Here's what shorewall says on startup:

...
Processing /etc/shorewall/rules...
   Rule "ACCEPT net fw tcp 80,443,22,20,21 -" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy DROP for net to fw using chain net2all
...

and when I FTP and try an "ls", shorewall logs:

Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:b0:d0:e7:64:8a:00:20:78:db:5c:c7:08:00 SRC=64.19.189.166 DST=192.168.1.102 LEN=48 TOS=0x08 PREC=0x00 TTL=114 ID=59474 DF PROTO=TCP SPT=20 DPT=35643 WINDOW=16384 RES=0x00 SYN URGP=0

I'd appreciate any help or pointers. I didn't find anything in the FAQ or archives that helped me. I am not subscribed to this list, so please CC me on responses. Thank you.

--
Michael Lindner
On Sat, 29 Nov 2003 mikel@att.net wrote:

> I'd appreciate any help or pointers. I didn't find anything in the FAQ or
> archives that helped me.

Then look again -- I think you will find that FAQ 29 will solve your problem if you will only read all of the answer.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-11-28 at 17:51, mikel@att.net wrote:

> Using Mandrake 9.2, shorewall 1.4.6c. Everything was working fine until one of
> the web servers I manage content for (my astronomy club,
> http://www.starastronomy.org) was "upgraded" to the newest Win2K. All of a
> sudden I can FTP into the machine, but I can't "ls" or "put" files. I *can* do
> these things if I turn off my policy of "DROP" for net to fw connections, and
> I *can* do every FTP command to every other machine, just not this one. I
> can't for the life of me figure out why this doesn't match my rule. Here's
> what shorewall says on startup:
>
> ...
> Processing /etc/shorewall/rules...
>    Rule "ACCEPT net fw tcp 80,443,22,20,21 -" added.
> Processing /etc/shorewall/policy...
>    Policy ACCEPT for fw to net using chain fw2net
>    Policy DROP for net to fw using chain net2all
> ...
>
> and when I FTP and try an "ls", shorewall logs:
>
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:b0:d0:e7:64:8a:00:20:78:db:5c:c7:08:00 SRC=64.19.189.166
> DST=192.168.1.102 LEN=48 TOS=0x08 PREC=0x00 TTL=114 ID=59474 DF PROTO=TCP
> SPT=20 DPT=35643 WINDOW=16384 RES=0x00 SYN URGP=0

Your rule matches *destination port 20* -- the packet being rejected has *source port 20*.

> I'd appreciate any help or pointers. I didn't find anything in the FAQ or
> archives that helped me. I am not subscribed to this list, so please CC me on
> responses. Thank you.

I suggest that you look very carefully at the answer to FAQ #29 -- I believe that you will find the solution to your problem there.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
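The mismatch Tom points out is easy to check mechanically. The following is an added example (not code from the thread or from the Shorewall project): it parses the dropped-packet log line quoted above and a Shorewall 1.4 rules line (columns ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)), then reports which column fails. The interface-to-zone map (eth0 = net, empty OUT= means the firewall itself) is assumed, since the thread does not show /etc/shorewall/interfaces, and the second log line (a probe to port 3306 from source port 20) is constructed for the example and is not from the page. It also shows why the tempting "fix" of accepting by *source* port 20 is a bad idea: the source port is chosen by the remote end, so such a rule lets any host open a connection to any port on the firewall simply by sending from port 20. The usual netfilter answer for active-mode FTP data connections is the FTP connection-tracking helper so the data connection is accepted as RELATED rather than by port number.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed interface -> zone map (the thread does not show /etc/shorewall/interfaces).
# A log line with an empty OUT= is a packet addressed to the firewall itself.
IFACE_ZONE = {"eth0": "net"}
FW_ZONE = "fw"

# Constructed sample input: the dropped packet quoted in the thread (with the
# "OUT= MAC=" boundary restored) and a hypothetical probe that is NOT from the page.
DROPPED_FTP_DATA = (
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:b0:d0:e7:64:8a:00:20:78:db:5c:c7:08:00 "
    "SRC=64.19.189.166 DST=192.168.1.102 LEN=48 TOS=0x08 PREC=0x00 TTL=114 ID=59474 DF "
    "PROTO=TCP SPT=20 DPT=35643 WINDOW=16384 RES=0x00 SYN URGP=0"
)
PROBE_FROM_SPORT_20 = (
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:b0:d0:e7:64:8a:00:20:78:db:5c:c7:08:00 "
    "SRC=198.51.100.7 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF "
    "PROTO=TCP SPT=20 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0"
)

PortSpec = Optional[List[Tuple[int, int]]]  # None means "-" (any port)


@dataclass
class Packet:
    chain: str
    disposition: str
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    spt: int
    dpt: int
    syn: bool


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dports: PortSpec
    sports: PortSpec
    dports_spec: str
    sports_spec: str


LOG_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_log(line: str) -> Packet:
    """Parse one Shorewall (netfilter LOG target) line into a Packet."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a Shorewall log line")
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # KEY=VALUE tokens (OUT= gives an empty value)
        else:
            flags.add(tok)             # bare flags such as DF, SYN, ACK
    return Packet(chain=m.group("chain"), disposition=m.group("disp"),
                  in_if=fields.get("IN", ""), out_if=fields.get("OUT", ""),
                  proto=fields["PROTO"].lower(), src=fields["SRC"], dst=fields["DST"],
                  spt=int(fields["SPT"]), dpt=int(fields["DPT"]), syn="SYN" in flags)


def parse_ports(spec: str) -> PortSpec:
    """'80,443,1024:65535' -> [(80,80), (443,443), (1024,65535)]; '-' -> None (any)."""
    if spec == "-":
        return None
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(line: str) -> Rule:
    """Shorewall 1.4 rules columns: ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S)."""
    cols = line.split()
    cols += ["-"] * (6 - len(cols))        # missing trailing columns mean "any"
    return Rule(action=cols[0], source=cols[1], dest=cols[2], proto=cols[3].lower(),
                dports=parse_ports(cols[4]), sports=parse_ports(cols[5]),
                dports_spec=cols[4], sports_spec=cols[5])


def port_in(spec: PortSpec, port: int) -> bool:
    return spec is None or any(lo <= port <= hi for lo, hi in spec)


def mismatches(rule: Rule, pkt: Packet) -> List[str]:
    """Return the reasons a rule does NOT match a packet (empty list == match)."""
    src_zone = IFACE_ZONE.get(pkt.in_if, "?")
    dst_zone = FW_ZONE if pkt.out_if == "" else IFACE_ZONE.get(pkt.out_if, "?")
    reasons = []
    if rule.source != src_zone:
        reasons.append(f"source zone {src_zone} != {rule.source}")
    if rule.dest != dst_zone:
        reasons.append(f"dest zone {dst_zone} != {rule.dest}")
    if rule.proto not in ("all", pkt.proto):
        reasons.append(f"proto {pkt.proto} != {rule.proto}")
    if not port_in(rule.dports, pkt.dpt):
        reasons.append(f"DPT={pkt.dpt} not in DEST PORT(S) {rule.dports_spec}")
    if not port_in(rule.sports, pkt.spt):
        reasons.append(f"SPT={pkt.spt} not in SOURCE PORT(S) {rule.sports_spec}")
    return reasons


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return not mismatches(rule, pkt)


if __name__ == "__main__":
    ftp_data = parse_log(DROPPED_FTP_DATA)
    posted_rule = parse_rule("ACCEPT net fw tcp 80,443,22,20,21 -")
    print("posted rule ->", mismatches(posted_rule, ftp_data) or "MATCH")
    # The tempting "fix": accept anything whose SOURCE port is 20. It matches the
    # active-mode data SYN, but equally a probe to 3306 sent from source port 20.
    sport_rule = parse_rule("ACCEPT net fw tcp - 20")
    for pkt in (ftp_data, parse_log(PROBE_FROM_SPORT_20)):
        print(f"sport-20 rule, DPT={pkt.dpt} ->", mismatches(sport_rule, pkt) or "MATCH")
```

Run against the quoted log line, the posted rule fails on exactly one column (DPT=35643 is not in 80,443,22,20,21), while a control-connection SYN to port 21 from the same host matches it. The source-port-20 rule matches both the FTP data SYN and the constructed probe, which is the reason not to write it.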
Duh! Thanks very much for your help, and sorry to waste bandwidth on my mistake.

--
Michael Lindner

> On Fri, 2003-11-28 at 17:51, mikel@att.net wrote:
> Your rule matches *destination port 20* -- the packet being rejected has
> *source port 20*