James Sanders
2006-Jan-27 17:55 UTC
Conntracker error, PORT command and cr/lf missing in packet.
Hi,

I'm new to the list and have researched my problem for a couple of months now with no success. Hoping someone can help me.

I have a vendor who FTPs to me, and his system does not include a CR/LF in the PORT command. I identified the problem using Ethereal and Sniffer Pro.

The connection tracker doesn't seem to like this too much, and puts out this error. The FTP fails also.

conntrack_ftp: partial PORT 359824284+26

Adding the CR/LF to the packet containing the PORT command takes care of the problem.

The vendor claims they can't fix their software, at least not now. Many other FTP vendors that I use all have no problem at all; again, the only difference that I can see is the PORT command missing the CR/LF on the non-working vendor.

Is there any fix available from the Shorewall or iptables/conntracker side of things that I can try?

My system is a fresh install of Debian and current 3.x Shorewall. It is a simple two-node setup, bridging the NICs, with a pretty large but simple rules file. It works perfectly except for this FTP issue.

Also, I have two separate installations of Shorewall on two systems, running identical rules files, hooked up in series. This allows me to restart one without exposing myself to the external networks, and without bumping the link offline (routestopped = passthrough). The only issue here is that I must make changes in both systems; not a big deal.

Regards,
Jim Sanders
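The log line in the post above comes from the kernel's FTP connection-tracking helper. The C program below is added here as an illustration and is not taken from the thread, the kernel or Shorewall; it re-implements the part of the helper's PORT parsing that matters for this problem. The helper recognises a PORT command only when the six comma-separated numbers are followed by a carriage return (a bare LF does not count either). A PORT it recognises but cannot finish parsing is reported as partial PORT <seq>+<len>, where the two numbers are the TCP sequence number and the payload length of the segment, and that segment is dropped rather than merely left without a RELATED data connection, which is why the transfer fails outright. The function, type and sample names are this example's own, and the sample segments are constructed, not captured from the vendor's session.

```c
/* Added example for this thread: a user-space re-implementation of the
 * PORT-command parsing done by the Linux FTP connection-tracking helper
 * (ip_conntrack_ftp / nf_conntrack_ftp).  Not the kernel's code; names
 * and sample data are this example's own. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum port_result { PORT_NONE = 0, PORT_FOUND = 1, PORT_PARTIAL = -1 };
enum verdict     { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Address and port the server is told to connect to (active mode). */
struct port_cmd {
    uint8_t  ip[4];
    uint16_t port;
};

/* Constructed sample segments, not captured from the vendor in the post.
 * The broken one is 26 bytes: "PORT", six numbers and no CR/LF at all. */
static const char SAMPLE_BROKEN[] = "PORT 192,168,100,200,4,137";
static const char SAMPLE_OK[]     = "PORT 192,168,100,200,4,137\r\n";
static const char SAMPLE_LF[]     = "PORT 192,168,100,200,4,137\n";

static int prefix_nocase(const char *data, const char *pat, size_t n)
{
    size_t k;
    for (k = 0; k < n; k++)
        if (toupper((unsigned char)data[k]) != toupper((unsigned char)pat[k]))
            return 0;
    return 1;
}

/* Fill n comma-separated decimal fields from data[0..dlen).  Succeeds only
 * when the last field is followed by term; returns the number of bytes
 * before term, or 0 when the segment ends first or an unexpected character
 * appears.  This is the rule that makes a missing CR fatal. */
static size_t try_number(const char *data, size_t dlen,
                         unsigned int *arr, int n, char sep, char term)
{
    int i = 0;
    size_t len;

    memset(arr, 0, sizeof(arr[0]) * (size_t)n);
    for (len = 0; len < dlen && i < n; len++) {
        char c = data[len];
        if (c >= '0' && c <= '9')
            arr[i] = arr[i] * 10 + (unsigned int)(c - '0');
        else if (c == sep)
            i++;
        else
            return (c == term && i == n - 1) ? len : 0;
    }
    return 0;   /* ran out of data before the terminator */
}

/* Match "PORT", skip spaces, parse "a,b,c,d,p1,p2" terminated by CR. */
enum port_result parse_port_cmd(const char *data, size_t dlen, struct port_cmd *out)
{
    static const char pat[] = "PORT";
    const size_t plen = sizeof(pat) - 1;
    unsigned int v[6];
    size_t i, numlen;
    int k;

    if (dlen <= plen)   /* too short to hold more than the verb itself */
        return prefix_nocase(data, pat, dlen) ? PORT_PARTIAL : PORT_NONE;
    if (!prefix_nocase(data, pat, plen))
        return PORT_NONE;

    for (i = plen; i < dlen && data[i] == ' '; i++)
        ;
    if (i == dlen)
        return PORT_PARTIAL;

    numlen = try_number(data + i, dlen - i, v, 6, ',', '\r');
    if (numlen == 0)
        return PORT_PARTIAL;

    for (k = 0; k < 4; k++)
        out->ip[k] = (uint8_t)v[k];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return PORT_FOUND;
}

/* What the helper does with one command-channel segment: a complete PORT
 * yields the endpoint to expect the data connection for; a partial PORT is
 * logged as "partial PORT <seq>+<len>" and the segment is dropped, so the
 * client never gets a reply and the session stalls. */
enum verdict ftp_helper(const char *data, size_t dlen, uint32_t seq,
                        char *log, size_t loglen)
{
    struct port_cmd pc;

    switch (parse_port_cmd(data, dlen, &pc)) {
    case PORT_FOUND:
        snprintf(log, loglen, "expect data connection to %u.%u.%u.%u:%u",
                 (unsigned)pc.ip[0], (unsigned)pc.ip[1], (unsigned)pc.ip[2],
                 (unsigned)pc.ip[3], (unsigned)pc.port);
        return VERDICT_ACCEPT;
    case PORT_PARTIAL:
        snprintf(log, loglen, "conntrack_ftp: partial PORT %u+%u",
                 (unsigned)seq, (unsigned)dlen);
        return VERDICT_DROP;
    default:
        log[0] = '\0';
        return VERDICT_ACCEPT;   /* not a PORT; nothing to track here */
    }
}

int main(void)
{
    const char *samples[] = { SAMPLE_OK, SAMPLE_BROKEN, SAMPLE_LF };
    size_t lens[] = { sizeof(SAMPLE_OK) - 1, sizeof(SAMPLE_BROKEN) - 1,
                      sizeof(SAMPLE_LF) - 1 };
    char log[80];
    size_t n;

    for (n = 0; n < 3; n++) {
        enum verdict v = ftp_helper(samples[n], lens[n], 359824284u, log, sizeof log);
        printf("%-6s %s\n", v == VERDICT_DROP ? "DROP" : "ACCEPT", log);
    }
    return 0;
}
```

Compile with cc -o portparse portparse.c and run it. The constructed broken sample happens to be 26 bytes long, so its formatted message has the same shape as the one in the post. The check worth doing before blaming the firewall is the one the helper itself performs: look at the last bytes of the PORT segment in the capture and confirm whether 0d 0a is there; a line ending in a bare 0a fails the same way.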
Cristian Rodriguez
2006-Jan-27 19:06 UTC
Re: Conntracker error, PORT command and cr/lf missing in packet.
James Sanders wrote:
> Hi,
>
> I'm new to the list and have researched my problem for a couple of months
> now with no success.
>
> Hoping someone can help me.
>
> I have a vendor who FTPs to me, and his system does not include a CR/LF in
> the PORT command.

pureftpd has an option called BrokenClientsCompatibility; try setting it to yes and see if that solves the problem.
Tom Eastep
2006-Jan-27 19:23 UTC
Re: Conntracker error, PORT command and cr/lf missing in packet.
On Friday 27 January 2006 09:55, James Sanders wrote:
> Hi,
>
> I'm new to the list and have researched my problem for a couple of months
> now with no success.
>
> Hoping someone can help me.
>
> I have a vendor who FTPs to me, and his system does not include a CR/LF in
> the PORT command.
>
> I identified the problem using Ethereal and Sniffer Pro.
>
> The connection tracker doesn't seem to like this too much, and puts out this
> error.
>
> The FTP fails also.
>
> conntrack_ftp: partial PORT 359824284+26
>
> Adding the CR/LF to the packet containing the PORT command takes care of
> the problem.
>
> The vendor claims they can't fix their software, at least not now.
>
> Many other FTP vendors that I use all have no problem at all; again, the
> only difference that I can see
>
> is the PORT command missing the CR/LF on the non-working vendor.
>
> Is there any fix available from the Shorewall or iptables/conntracker side of
> things that I can try?

See http://www.shorewall.net/FTP.html -- there's a workaround at the bottom of the page that I use for these broken clients.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Cristian Rodriguez
2006-Jan-27 19:51 UTC
Re: Conntracker error, PORT command and cr/lf missing in packet.
Tom Eastep wrote:
> See http://www.shorewall.net/FTP.html -- there's a workaround at the bottom of
> the page that I use for these broken clients.
>
> -Tom

Oops. I forgot the existence of that workaround. :)