Using shorewall 1.4.8, two interfaces.
Also using NAT

Rules
ACCEPT loc fw tcp 21
ACCEPT fw loc tcp 21

When I try ftp to my firewall internally 10.10.1.3 from 10.10.1.1 using PASSIVE and Passive OFF, I get:

Connecting to 10.10.1.3, Port 21 (#1)
Connected. Waiting for response.
220 Welcome to Cobra FTP Server.
USER xxxxxx
331 Please specify the password.
PASS xxxxxx
230 Login successful.
SYST
215 UNIX Type: L8
REST 100
350 Restart position accepted (100).
REST 0
350 Restart position accepted (0).
PWD
257 "/xxxxx"
TYPE A
200 Switching to ASCII mode.
PASV
227 Entering Passive Mode (10,10,1,3,76,120)
ERROR: [Data]: Connection refused

PASSIVE OFF:

Connecting to 10.10.1.3, Port 21 (#1)
Connected. Waiting for response.
220 Welcome to Cobra FTP Server.
USER xxxxxx
331 Please specify the password.
PASS xxxxxx
230 Login successful.
SYST
215 UNIX Type: L8
REST 100
350 Restart position accepted (100).
REST 0
350 Restart position accepted (0).
PWD
257 "/xxxxxxx"
TYPE A
200 Switching to ASCII mode.
PORT 10,10,1,1,5,172
200 PORT command successful. Consider using PASV.
LIST -al
425 Failed to establish connection.
On Tuesday 06 January 2004 08:09 am, P Hennessy wrote:

> Using shorewall 1.4.8 Two interface.
> Also using NAT
> Rules
> ACCEPT loc fw tcp 21
> ACCEPT fw loc tcp 21
>
> When I try ftp to my firewall internally 10.10.1.3 from 10.10.1.1 using
> PASSIVE and Passive OFF,

Are you running Mandrake with "Internet Connection Sharing"?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
--- P Hennessy <paddy667@hotmail.com> wrote:

That has ftp server configuration/connection rules issue written all over it.

I'm able to FTP from:
fw to dmz
loc to dmz
dmz to loc

It seems obvious that you can actually make the connection, so shorewall isn't stopping that from happening. Just in case though, try a couple things to fully rule it out as well as your netfilter modes. This is what I would do.

First find an ftp site out on the internet that you can ftp to from an ftp client running on the same machine that the ftp server is installed on. Passive and Active. Do this both from the loc zone as well as from the fw itself. What kind of results do you get?

Then this below:

Log your "ACCEPT" lines via the Rules file:
ACCEPT:info loc fw tcp 21
ACCEPT:info fw loc tcp 21

shorewall stop
shorewall start
shorewall logwatch

Do your same ftp tests again and then watch the output produced by the "shorewall logwatch" command. If you can ftp through the fw, from loc, to the internet and you only see "accepts" in logwatch when testing internally, then you can feel confident that you need to look at how the FTP server has its rules configured. There's lots of things that can be configured on an FTP server security-wise that will cause connectivity issues.

If it isn't a server configuration error and shorewall appears to pass FTP connections internally and externally, then I would say: Have fun tracking down what the problem is. :P Then it would sound like you have some kind of bug.

Hope that helps a little bit.

Joshua Banks
On Tuesday 06 January 2004 10:54 am, Joshua Banks wrote:

> Hope that helps a little bit.

This problem was resolved off-line -- the ip_conntrack_ftp module wasn't loaded.

-Tom
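Both failures in the first post, the refused PASV data connection and the 425 after PORT, and the resolution in the last one come down to the same thing: the firewall has to read the address/port tuple out of the FTP control stream (which is what the ip_conntrack_ftp helper does) to let the related data connection through. The following is an added example, not code from the thread or from Shorewall: it decodes the 227 reply and the PORT command quoted above and derives the data connection each one implies, using the 10.10.1.1 client and 10.10.1.3 server addresses from the post; the function names are mine.

```python
"""Decode the h1,h2,h3,h4,p1,p2 tuples that FTP uses to announce its data
channel, i.e. the information a connection-tracking helper must extract."""
import re
from typing import NamedTuple, Tuple

# Sample lines copied from the FTP transcript in the first post.
PASV_REPLY = "227 Entering Passive Mode (10,10,1,3,76,120)"
PORT_CMD = "PORT 10,10,1,1,5,172"

_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class DataEndpoint(NamedTuple):
    host: str
    port: int


def parse_host_port(line: str) -> DataEndpoint:
    """Decode the RFC 959 six-tuple found in a 227 reply or a PORT command.
    The first four numbers are the IPv4 address, the port is p1*256 + p2."""
    match = _SIX_TUPLE.search(line)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {line!r}")
    parts = [int(x) for x in match.groups()]
    if any(not 0 <= v <= 255 for v in parts):
        raise ValueError(f"value out of range in: {line!r}")
    host = ".".join(str(v) for v in parts[:4])
    return DataEndpoint(host, parts[4] * 256 + parts[5])


def expected_data_connection(client_ip: str, server_ip: str,
                             line: str) -> Tuple[str, str, int]:
    """Return (source_ip, destination_ip, destination_port) of the data
    connection the control-channel line implies. PASV: the client connects
    to the port the server advertised. PORT: the server connects back to
    the port the client advertised. Without a helper tracking the control
    channel, a stateful firewall sees this connection as unrelated."""
    endpoint = parse_host_port(line)
    if line.startswith("227"):
        return (client_ip, endpoint.host, endpoint.port)
    if line.upper().startswith("PORT"):
        return (server_ip, endpoint.host, endpoint.port)
    raise ValueError(f"not a PASV reply or PORT command: {line!r}")


if __name__ == "__main__":
    for sample in (PASV_REPLY, PORT_CMD):
        src, dst, dport = expected_data_connection("10.10.1.1", "10.10.1.3", sample)
        print(f"{sample!r}: data connection {src} -> {dst}:{dport}")
```

Running it shows the two data connections the firewall had to permit: 10.10.1.1 -> 10.10.1.3:19576 for the PASV case and 10.10.1.3 -> 10.10.1.1:1452 for the PORT case, neither of which matches the port 21 rules alone.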