Shorewall users - Oct 2004 - fxp initiated behind shorewall

Okay, no one had any idea concerning my Radmin question, which I still
haven''t figured out.  However, I am now trying to figure out an FXP
problem.
All of the needed details are listed below the description problem.

Problem:

I have a local windows XP pro computer running FlashFXP behind shorewall
2.0.9 (unpatched) with only two interfaces (ppp0 and eth1) as
loc:192.168.1.5.  The server is glftpd and runs on the same computer as
shorewall.  When I initiate an FXP transfer from a server outside the
firewall to my server behind the firewall, I am getting a dupe error saying
that I have duped myself.  Is there a rule or policy which eliminates the
oddity?  I know the file was never added.  (Of course, I am also having
speed ramping problems since installing shorewall 2.0.9)  I have read the
shorewall documents and searched several places for FXP problems and FTP
problems, but I haven''t found a solution.


needed information:

[root@arienb root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:ed:76:dc:82 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:cc:82:50:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1454 qdisc pfifo_fast qlen 3
    link/ppp
    inet 220.144.146.14 peer 210.151.255.103/32 scope global ppp0

[root@arienb root]# ip route show
210.151.255.103 dev ppp0  proto kernel  scope link  src 220.xxx.xxx.xxx
(deleted by me)
192.168.1.0/24 dev eth1  scope link
169.254.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 210.151.255.103 dev ppp0

shorewall policies:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT  -
$FW             net             ACCEPT  -
#
# THE FOLLOWING POLICY MUST BE LAST
#
$FW             loc             ACCEPT  -
loc             $FW             ACCEPT  -
net             all             DROP            info
all             all             DROP            info
#LAST LINE -- DO NOT REMOVE


shorewall rules:

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
RATE            USER/
#                                               PORT    PORT(S)    DEST
LIMIT           GROUP
ACCEPT  all             $FW             tcp     22
ACCEPT  all             $FW             tcp     10101  #glftpd server port
ACCEPT  all             $FW             tcp     113
ACCEPT  net             $FW             tcp     53
ACCEPT  net             $FW             udp     53
ACCEPT  all             $FW             tcp     25000:60000 #needed for TLS
passive connections

DNAT    net             loc:192.168.1.5 tcp     90  #htthost - httport
connection port
DNAT    net             loc:192.168.1.5 tcp     4662
DNAT    net             loc:192.168.1.5 udp     8930
DNAT    net             loc:192.168.1.5 tcp     1024:5000 #irc passive ports
(irc modules are loaded, but don''t work)
#RADMIN
DNAT    net             loc:192.168.1.5 tcp     4899  #Radmin port

#Sserver
DNAT    net             loc:192.168.1.55        tcp     80 #basic Mac web
server

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian wrote:
> Okay, no one had any idea concerning my Radmin question, which I still
> haven''t figured out.
Frankly, I didn''t see a Radmin problem report from you that gave me
enough information to even hazard a guess as to what your problem was,
let alone what the cause might be.  You mentioned httport and htthost
but from the information that you gave us, I couldn''t have drawn a
topological diargram of the hosts involved if my life depended on it.
> (Of course, I am also having
> speed ramping problems since installing shorewall 2.0.9)  I have read the
> shorewall documents and searched several places for FXP problems and FTP
> problems, but I haven''t found a solution.
Sounds like you made a poor decision to replace your previous Corega
router with a Linux box -- I personally would go back if I were you
because if this is the attitude that you are going to take when asking
for free help with a free product, I think you will be much happier
paying to get your questions answered.

- -Tom

PS -- as you your FXP problem, as far as I know there are no current
patches to Netfilter to handle FXP. There have been some submitted in
the past but they all opened gaping security holes. If you do a Google
search of "iptables nat fxp" you might find something you can use.
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZ1UqO/MAbZfjDLIRAocrAJwKS/AlD6dWHHto5nmjg9ck5HN1dQCeLB2o
awS6ZGPgZq94jhYvrbRIvWs=JAbS
-----END PGP SIGNATURE-----

Sorry if I seemed rude!  I was more frustrated that I couldn''t find
anything
to help me out, and my "mouth" has always gotten the better of me.  I
had to
replace the Corega because it had a melt down and no commercial router that
I could get in Japan seems to work for a Mac, Windows and Linux all at one
time.  It has been a very expensive trip to get to Shorewall.

I didn''t know how to explain the radmin situation better than I did. 
In
essence, my university uses a proxy server on port 8080 and blocks all TCP
connections.  So from behind the proxy, initiate a tunnel through the proxy
server and connects to my windows machine behind Shorewall on port 90.
This, I guess, then interprets the TCP information and sends it to the
proper place.  The tunnel works because I am able to initiate a SSH
connection via the tunnel on port 22 and I can connect to my glftpd server
on port 10101. Actually the only thing that stopped working was Radmin.

SSH uses 127.0.0.1 ->httport (which has my no-ip dns address in it and port
22) -> proxy server (port 8080) ->Shorewall (port 90)-> htthost ->
no-ip ->
back to linux box port 22.

The other services like Radmin (port 4899) work the same way.

Again I am truly sorry for being rude or inconsiderate of the time and
energy you have put into this.  I seem to have found all of the crazy things
at once and am desperate to understand this so that I can help myself more.

Sincerely,
Brian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian wrote:
> Sorry if I seemed rude!  I was more frustrated that I couldn''t
find
anything
> to help me out, and my "mouth" has always gotten the better of
me.
I''ll try to help but I won''t be of much help today -- We are
on vacation
and are driving back home today.
>
> I didn''t know how to explain the radmin situation better than I
did.  In
> essence, my university uses a proxy server on port 8080 and blocks all TCP
> connections.  So from behind the proxy, initiate a tunnel through the
proxy
> server and connects to my windows machine behind Shorewall on port 90.
> This, I guess, then interprets the TCP information and sends it to the
> proper place.  The tunnel works because I am able to initiate a SSH
> connection via the tunnel on port 22 and I can connect to my glftpd server
> on port 10101. Actually the only thing that stopped working was Radmin.
>
> SSH uses 127.0.0.1 ->httport (which has my no-ip dns address in it and
port
> 22) -> proxy server (port 8080) ->Shorewall (port 90)-> htthost
->
no-ip ->
> back to linux box port 22.
>
> The other services like Radmin (port 4899) work the same way.
Do you always connect to port 90 on the Shorewall box or do you connect
to a different port for Radmin?

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZ/JIO/MAbZfjDLIRAsYFAKDA1dxgOhYLfAE3B7toYldSdpeM3wCePh8p
eMrAWGbPD18mwkG5dTfSfio=N5Gz
-----END PGP SIGNATURE-----

Thanks Tom and sorry to disturb your vacation.

The httport always connects to htthost via port 90, but then it sends a
signal to connect to port 4899.

----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Saturday, October 09, 2004 11:14 PM
Subject: Re: [Shorewall-users] fxp initiated behind shorewall

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Brian wrote:
> > Sorry if I seemed rude!  I was more frustrated that I
couldn''t find
> anything
> > to help me out, and my "mouth" has always gotten the better
of me.
>
> I''ll try to help but I won''t be of much help today -- We
are on vacation
> and are driving back home today.
> >
> > I didn''t know how to explain the radmin situation better than
I did.  In
> > essence, my university uses a proxy server on port 8080 and blocks all
TCP
> > connections.  So from behind the proxy, initiate a tunnel through the
> proxy
> > server and connects to my windows machine behind Shorewall on port 90.
> > This, I guess, then interprets the TCP information and sends it to the
> > proper place.  The tunnel works because I am able to initiate a SSH
> > connection via the tunnel on port 22 and I can connect to my glftpd
server
> > on port 10101. Actually the only thing that stopped working was
Radmin.
> >
> > SSH uses 127.0.0.1 ->httport (which has my no-ip dns address in it
and
> port
> > 22) -> proxy server (port 8080) ->Shorewall (port 90)->
htthost ->
> no-ip ->
> > back to linux box port 22.
> >
> > The other services like Radmin (port 4899) work the same way.
>
> Do you always connect to port 90 on the Shorewall box or do you connect
> to a different port for Radmin?
>
> - -Tom
> - --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFBZ/JIO/MAbZfjDLIRAsYFAKDA1dxgOhYLfAE3B7toYldSdpeM3wCePh8p
> eMrAWGbPD18mwkG5dTfSfio> =N5Gz
> -----END PGP SIGNATURE-----
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian wrote:
> Thanks Tom and sorry to disturb your vacation.
>
> The httport always connects to htthost via port 90, but then it sends a
> signal to connect to port 4899.
>
Then I don''t understand how the Shorewall box could possibly be the
source of the problem -- all it is seeing is a connection from httport
on tcp port 90 which it forwards to htthost.

You can confirm that the connection to port 90 is successful by
"shorewall show connections" and look for the relevant connection --
the
connection should be in the ESTABLISHED state.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBaHbqO/MAbZfjDLIRAijGAJ9NM1fVweC4RypFPMI37tWUnWyW3gCfaQiu
zSpJwVl8tSu2NH30Yx+AUS4=x+I3
-----END PGP SIGNATURE-----

Brian wrote:
> Okay, no one had any idea concerning my Radmin question, which I still
> haven''t figured out.  However, I am now trying to figure out an
FXP problem.
> All of the needed details are listed below the description problem.
I replied to your question according your Radmin question, since you
didn''t reply to that thread anymore it is logic to think
you''re problem
is solved.

-- 
Groeten,
Peter


Backup not found: (A)bort (R)etry (P)anic

-
- Heb je een Dreambox 7000S ?
- Kijk eens op http://www.dreamvcr.com
- Kijk ook op http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org - 21 days, 14 hours and 23 minutes, 0 users logged in.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
> Brian wrote:
>
>>>Thanks Tom and sorry to disturb your vacation.
>>>
>>>The httport always connects to htthost via port 90, but then it
sends a
>>>signal to connect to port 4899.
>>>
>
>
> Then I don''t understand how the Shorewall box could possibly be
the
> source of the problem -- all it is seeing is a connection from httport
> on tcp port 90 which it forwards to htthost.
>
> You can confirm that the connection to port 90 is successful by
> "shorewall show connections" and look for the relevant connection
-- the
> connection should be in the ESTABLISHED state.
>
Brian,

Any success in debugging this?

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBbGJvO/MAbZfjDLIRAigOAKDGh/IFWp1j7iXOzsBsRICR/9nVRgCguT0m
46wd6lOna1XJe9hoT37G4F0=cxy8
-----END PGP SIGNATURE-----

Tom Eastep wrote:
>
> Brian,
>
> Any success in debugging this?
>
> - -Tom
> - --


Thanks for following up Tom.  I have tried reinstalling Radmin to see if
something went rogue and I have contacted Radmin support.  However, no one
seems to know why everything else through the tunnel works.  I had a friend
check from a "normal" internet setup and he was able to connect.  So,
I
think that Radmin has decided something about the tunnel bothers it.  It is
confusing because before shorewall, there weren''t any problems... My
next
step is to look more into the tunnel... Maybe the tunnel had a cave-in.

Again thanks for you kindness and I will keep searching for an answer...
Brian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian wrote:
>
> Thanks for following up Tom.  I have tried reinstalling Radmin to see if
> something went rogue and I have contacted Radmin support.  However, no one
> seems to know why everything else through the tunnel works.  I had a
friend
> check from a "normal" internet setup and he was able to connect. 
So, I
> think that Radmin has decided something about the tunnel bothers it.
It is
> confusing because before shorewall, there weren''t any problems...
My next
> step is to look more into the tunnel... Maybe the tunnel had a cave-in.
>
Are you perhaps setting CLAMPMSS=Yes in your shorewall.conf? If so, you
might try setting CLAMPMSS=No and see if that changes anything.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBbXXyO/MAbZfjDLIRAmiPAKCDF5GsfQaJPWKfZAcetrRmoR0XqQCgwk7M
Ilk051C9p1v8vE7NT47Zwg0=K6hh
-----END PGP SIGNATURE-----