Labels:
Gateway = 209.5.171.65
Netmask = 255.255.255.192
Eth0 = net = 209.5.171.66
Eth1 = loc = 192.168.0.1

There are no NAT clients; in essence loc is dmz. I can rename loc to dmz if that helps. Proxy ARP is used for IP addresses 209.5.171.67-126.

Problem:
Using the Shorewall Action AllowFTP does not result in the desired behavior when connecting from the Internet to machines behind the firewall in the DMZ. From my understanding, ip_conntrack should see a person come in on port 21, and automatically open either port 20 in regular ftp mode, or open high ports in pasv mode. This does not happen, and using either regular or pasv transfers fail. I had to manually open the ftp-data and the high ports to allow my clients to ftp in.

Shorewall version
2.2.4

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:d2:1c:aa:13 brd ff:ff:ff:ff:ff:ff
    inet 209.5.171.66/26 brd 209.5.171.127 scope global eth0
    inet6 fe80::2a0:d2ff:fe1c:aa13/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:d2:1c:a9:7f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::2a0:d2ff:fe1c:a97f/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

ip route show
209.5.171.67 dev eth1 scope link
209.5.171.68 dev eth1 scope link
209.5.171.69 dev eth1 scope link
209.5.171.70 dev eth1 scope link
209.5.171.71 dev eth1 scope link
209.5.171.72 dev eth1 scope link
209.5.171.73 dev eth1 scope link
209.5.171.74 dev eth1 scope link
209.5.171.75 dev eth1 scope link
209.5.171.76 dev eth1 scope link
209.5.171.77 dev eth1 scope link
209.5.171.78 dev eth1 scope link
209.5.171.79 dev eth1 scope link
209.5.171.80 dev eth1 scope link
209.5.171.81 dev eth1 scope link
209.5.171.82 dev eth1 scope link
209.5.171.83 dev eth1 scope link
209.5.171.84 dev eth1 scope link
209.5.171.85 dev eth1 scope link
209.5.171.86 dev eth1 scope link
209.5.171.87 dev eth1 scope link
209.5.171.88 dev eth1 scope link
209.5.171.89 dev eth1 scope link
209.5.171.90 dev eth1 scope link
209.5.171.91 dev eth1 scope link
209.5.171.92 dev eth1 scope link
209.5.171.93 dev eth1 scope link
209.5.171.94 dev eth1 scope link
209.5.171.95 dev eth1 scope link
209.5.171.97 dev eth1 scope link
209.5.171.96 dev eth1 scope link
209.5.171.99 dev eth1 scope link
209.5.171.98 dev eth1 scope link
209.5.171.101 dev eth1 scope link
209.5.171.100 dev eth1 scope link
209.5.171.103 dev eth1 scope link
209.5.171.102 dev eth1 scope link
209.5.171.105 dev eth1 scope link
209.5.171.104 dev eth1 scope link
209.5.171.107 dev eth1 scope link
209.5.171.106 dev eth1 scope link
209.5.171.109 dev eth1 scope link
209.5.171.108 dev eth1 scope link
209.5.171.111 dev eth1 scope link
209.5.171.110 dev eth1 scope link
209.5.171.113 dev eth1 scope link
209.5.171.112 dev eth1 scope link
209.5.171.115 dev eth1 scope link
209.5.171.114 dev eth1 scope link
209.5.171.117 dev eth1 scope link
209.5.171.116 dev eth1 scope link
209.5.171.119 dev eth1 scope link
209.5.171.118 dev eth1 scope link
209.5.171.121 dev eth1 scope link
209.5.171.120 dev eth1 scope link
209.5.171.123 dev eth1 scope link
209.5.171.122 dev eth1 scope link
209.5.171.125 dev eth1 scope link
209.5.171.124 dev eth1 scope link
209.5.171.126 dev eth1 scope link
209.5.171.64/26 dev eth0 proto kernel scope link src 209.5.171.66
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth1 scope link
default via 209.5.171.65 dev eth0

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.322 / Virus Database: 267.4.1 - Release Date: 6/2/2005
Steve:

On only a hunch, I'd try to rmmod "ip_nat_ftp". What I *think* is happening is the inbound ftp connection is being seen, but the ip_nat_ftp module kicks in because of the use of a private ip address on the dmz host. If that fixes it, # out ip_nat_ftp in the modules file in the shorewall directory. Hope it works...

Jerry Vonau
Hey wait a sec....

2 15:51:43 net2fw:DROP:IN=eth0 OUT= SRC=68.145.39.134 DST=209.5.171.66 LEN=48 TOS=0x10 PREC=0x00 TTL=120 ID=63055 PROTO=TCP SPT=1575 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 2 15:51:46 net2fw:DROP:IN=eth0 OUT= SRC=68.145.39.134 DST=209.5.171.66 LEN=48 TOS=0x10 PREC=0x00 TTL=120 ID=63056 PROTO=TCP SPT=1575 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 2 15:51:52 net2fw:DROP:IN=eth0 OUT= SRC=68.145.39.134 DST=209.5.171.66 LEN=48 TOS=0x10 PREC=0x00 TTL=120 ID=63057 PROTO=TCP SPT=1575 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 2 15:52:02 fw2net:REJECT:IN= OUT=eth0 SRC=209.5.171.66 DST=68.145.39.46 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=56453 DF PROTO=TCP SPT=50152 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 15:52:13 fw2net:REJECT:IN= OUT=eth0 SRC=209.5.171.66 DST=68.145.39.46 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18858 DF PROTO=TCP SPT=50153 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 15:52:23 fw2net:REJECT:IN= OUT=eth0 SRC=209.5.171.66 DST=63.229.2.114 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=64225 DF PROTO=TCP SPT=56005 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 15:54:15 all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.1 DST=209.5.171.68 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=16693 DF PROTO=TCP SPT=57648 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 15:56:44 fw2net:REJECT:IN= OUT=eth0 SRC=209.5.171.66 DST=68.145.39.46 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=26750 DF PROTO=TCP SPT=40536 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 15:58:49 all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.1 DST=209.5.171.68 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=19098 DF PROTO=TCP SPT=35830 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

None of these rejects are from the net to the dmz; you're testing from the firewall. How did you configure the policy/rules for connections to/from the firewall itself? Time to post your config files please.

Jerry
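Jerry's reading of those log lines (every DPT=21 entry is either aimed at the firewall's own address or generated by the firewall itself, so none of them exercises the net-to-dmz AllowFTP rule) can be checked mechanically. The script below is an added triage helper, not code from the thread or from Shorewall; it parses Shorewall's chain:action: log prefix plus the netfilter KEY=VALUE fields and classifies each packet using the addressing from Steve's post (209.5.171.66 and 192.168.0.1 on the firewall, the Proxy ARP'd 209.5.171.64/26 behind eth1, eth0 facing the net). The three sample lines are constructed from the thread's own log excerpt.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: three of the log lines quoted in the thread, one per
# chain seen there (net2fw, fw2net, all2all), in netfilter LOG format.
SAMPLE_LOG = """\
Jun 2 15:51:43 net2fw:DROP:IN=eth0 OUT= SRC=68.145.39.134 DST=209.5.171.66 LEN=48 TOS=0x10 PREC=0x00 TTL=120 ID=63055 PROTO=TCP SPT=1575 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 2 15:52:02 fw2net:REJECT:IN= OUT=eth0 SRC=209.5.171.66 DST=68.145.39.46 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=56453 DF PROTO=TCP SPT=50152 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 15:54:15 all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.1 DST=209.5.171.68 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=16693 DF PROTO=TCP SPT=57648 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Addressing from the thread: the firewall's own addresses, the Proxy ARP'd
# /26 whose .67-.126 hosts sit behind eth1 (the "dmz"), and the net interface.
FW_ADDRS = {ip_address("209.5.171.66"), ip_address("192.168.0.1")}
DMZ_NET = ip_network("209.5.171.64/26")
NET_IF = "eth0"
LINE_RE = re.compile(r"^(?P<ts>\w+\s+\d+\s+[\d:]+)\s+(?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)$")

def parse_line(line):
    """Split a Shorewall log line into chain, action and its KEY=VALUE fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m["rest"].split():
        k, _, v = tok.partition("=")
        fields[k] = v if "=" in tok else True   # DF / SYN are bare flags
    return {"chain": m["chain"], "action": m["action"], **fields}

def classify(rec):
    """Name the direction of a logged packet from IN and the addresses."""
    src, dst = ip_address(rec["SRC"]), ip_address(rec["DST"])
    if rec["IN"] == "" and src in FW_ADDRS:
        return "fw-originated"   # locally generated: no input interface at all
    if rec["IN"] == NET_IF and dst in FW_ADDRS:
        return "net->fw"
    if rec["IN"] == NET_IF and dst in DMZ_NET:
        return "net->dmz"        # the only class that would implicate AllowFTP
    return "other"

def summarize(log_text):
    """Count packets per direction over a whole log excerpt."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            direction = classify(rec)
            counts[direction] = counts.get(direction, 0) + 1
    return counts
```

Run `summarize()` over the full excerpt and a non-empty "net->dmz" count is the only result that would point back at the ftp helper; for the lines in the thread it stays at zero.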
Problem solved. Went to the data center myself to see what the hell was going on. I was putting block rules in the firewall and they were not blocking; turns out the guy who hooked up the machines had a cable from the outside switch plugged into the inside switch. I removed the cable and rebooted the windows machine and all is well. Thanks for looking into this, guys. Next time I'll have a look at the physical aspect before I post here.