Hi there,

I'm running an FTP server in the DMZ zone and I can transfer files in active/passive mode from the local zone, but not from net. If I try it from net, only passive FTP mode works; in active mode I get a 'connection time out' error after the PORT ftp command.

I'm running shorewall 4.0.6, and nf_conntrack_ftp and nf_nat_ftp are loaded (kernel 2.6.24).

Could someone tell me how to set the rules file correctly to enable active FTP? Now I have these rules:

    ACCEPT        loc    dmz:$FTP_SERVER    tcp    ftp
    DNAT          net    dmz:$FTP_SERVER    tcp    ftp    -    $FW_EXTERNAL
    FTP/ACCEPT    dmz    net

Thanks!

--
This message has been scanned by MailScanner for viruses and other dangerous content, and is considered to be clean.

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Gabriel Gonzalez Cano wrote:
> Could someone tell me how to set the rules file correctly to enable
> active FTP? Now I have these rules:
>
> ACCEPT        loc    dmz:$FTP_SERVER    tcp    ftp
> DNAT          net    dmz:$FTP_SERVER    tcp    ftp    -    $FW_EXTERNAL
> FTP/ACCEPT    dmz    net

http://www.shorewall.net/FTP.html

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Yes, I read that howto before posting here, but I can't see what I'm doing wrong with the rules configuration; any help is welcome.

Thanks

On Wed, 2010-04-14 at 11:40 -0700, Tom Eastep wrote:
> http://www.shorewall.net/FTP.html
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Gabriel Gonzalez Cano wrote:
> Yes, I read that howto before posting here, but I can't see what I'm
> doing wrong with the rules configuration; any help is welcome.

The article describes using the debugging features of ftp to see what is going wrong; have you done that? If so, what were the results? If not, why not?

The article describes kernel log messages reporting that a partial PORT or PASV reply has been received; have you looked for those? Note that there is also a suggested additional rule in the event that you are seeing those messages. Have you found any such messages? If so, did you try applying the fix?

-Tom
Yes, I added the rule to log and accept all source port 20 traffic, but I can't see any log message about ftp-data in the log, and I don't have any message similar to "kernel: conntrack_ftp: partial PORT...." in the kernel logs.

If I capture with tcpdump at the ftp server and firewall interfaces, I see incorrect checksum entries when a net ftp client tries to do a data transfer in active mode.

Finally, I've found that if I unload the nf_nat_ftp and nf_conntrack_ftp modules, active ftp mode works fine (but not passive).

Gabriel.

On Thu, 2010-04-15 at 06:46 -0700, Tom Eastep wrote:
> The article describes kernel log messages reporting that a partial PORT
> or PASV reply has been received; have you looked for those? Note that
> there is also a suggested additional rule in the event that you are
> seeing those messages. Have you found any such messages? If so, did you
> try applying the fix?
Gabriel Gonzalez Cano wrote:
> If I capture with tcpdump at the ftp server and firewall interfaces, I see
> incorrect checksum entries when a net ftp client tries to do a data
> transfer in active mode.

That's not anything that Shorewall is involved in.

> Finally, I've found that if I unload the nf_nat_ftp and nf_conntrack_ftp
> modules, active ftp mode works fine (but not passive).

Which is as expected.

-Tom
Tom Eastep wrote:
> Gabriel Gonzalez Cano wrote:
>
>> If I capture with tcpdump at the ftp server and firewall interfaces, I see
>> incorrect checksum entries when a net ftp client tries to do a data
>> transfer in active mode.
>
> That's not anything that Shorewall is involved in.

Does the ftp server run in a Xen DomU? I've seen incorrect checksum issues in that environment.

-Tom
Thanks for the feedback.

No, the ftp server runs on a real Ubuntu host.

Gabriel.

On Mon, 2010-04-19 at 20:11 -0700, Tom Eastep wrote:
> Does the ftp server run in a Xen DomU? I've seen incorrect checksum
> issues in that environment.
Yes, but I thought these helper modules should always be loaded when you have DNAT ftp rules. Anyway, now it works :)

Gabriel.

On Mon, 2010-04-19 at 06:45 -0700, Tom Eastep wrote:
> > Finally, I've found that if I unload the nf_nat_ftp and nf_conntrack_ftp
> > modules, active ftp mode works fine (but not passive).
>
> Which is as expected.
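The thread turns on what the nf_conntrack_ftp / nf_nat_ftp helpers do with the control channel: in active mode the client's PORT command announces where the server must connect from port 20, in passive mode the server's 227 reply announces where the client must connect, and with a DNAT'd DMZ server the 227 reply carries a private address that has to be rewritten to $FW_EXTERNAL. The following Python model is an added example written for this page; it is not code from the thread, from Shorewall or from the kernel helpers. It parses both message forms the way the helper has to, derives the data connection the firewall must expect, applies the address-consistency check the kernel helper enforces unless its `loose` parameter is set, and performs the 227 rewrite that nf_nat_ftp does. All addresses (client 198.51.100.7, external 203.0.113.5, DMZ server 10.1.1.10) are constructed placeholders.

```python
"""Model of the FTP control-channel inspection done by nf_conntrack_ftp / nf_nat_ftp.

Active mode:  client sends "PORT h1,h2,h3,h4,p1,p2"; the server then opens the
              data connection from its port 20 to that address/port.
Passive mode: server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
              the client then opens the data connection to that address/port.

Added example, not the helpers' real code; all addresses are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FTP_DATA_PORT = 20

# RFC 959 host/port: six decimal fields h1,h2,h3,h4,p1,p2; port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConnection:
    """The data connection the firewall has to let through (an 'expectation' in conntrack terms)."""
    mode: str                 # "active" or "passive"
    src_ip: str               # the side that opens the connection
    src_port: Optional[int]   # 20 in active mode; ephemeral, so unknown, in passive mode
    dst_ip: str
    dst_port: int


def parse_hostport(text: str) -> Tuple[str, int]:
    """Extract (ip, port) from a PORT command or a 227 reply; reject out-of-range fields."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport: dotted IP and port back to the six-field form."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def expect_from_port(command: str, client_ip: str, server_ip: str) -> DataConnection:
    """Active mode: the server connects from port 20 to what the client announced."""
    ip, port = parse_hostport(command)
    if ip != client_ip:
        # Same kind of check the kernel helper applies by default: the announced
        # address must be the control connection's peer, otherwise the firewall
        # would open a hole towards some third host.
        raise ValueError(f"PORT address {ip} is not the control-connection client {client_ip}")
    return DataConnection("active", server_ip, FTP_DATA_PORT, ip, port)


def expect_from_pasv(reply: str, client_ip: str) -> DataConnection:
    """Passive mode: the client connects (from an ephemeral port) to what the server announced."""
    ip, port = parse_hostport(reply)
    return DataConnection("passive", client_ip, None, ip, port)


def rewrite_pasv_for_dnat(reply: str, internal_ip: str, external_ip: str) -> str:
    """What nf_nat_ftp has to do for a DNAT'd server: the 227 reply carries the private
    DMZ address, which a net client cannot reach, so substitute the public address."""
    ip, port = parse_hostport(reply)
    if ip != internal_ip:
        return reply
    return reply.replace(format_hostport(ip, port), format_hostport(external_ip, port))


def demo():
    """Walk both modes with constructed addresses; returns the derived expectations."""
    client = "198.51.100.7"     # constructed net client
    external = "203.0.113.5"    # constructed $FW_EXTERNAL
    server = "10.1.1.10"        # constructed dmz:$FTP_SERVER
    active = expect_from_port("PORT 198,51,100,7,4,1", client, server)
    raw_227 = "227 Entering Passive Mode (10,1,1,10,200,17)."
    fixed_227 = rewrite_pasv_for_dnat(raw_227, server, external)
    passive = expect_from_pasv(fixed_227, client)
    return active, fixed_227, passive


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The active-mode result is the connection that times out in the thread's report: the server at 10.1.1.10 opening port 20 towards the client's announced port, which only gets through if the helper saw the PORT command on the control connection and created the expectation. The passive-mode result shows why the helpers are still wanted with a DNAT rule: without the 227 rewrite the net client would try to connect to 10.1.1.10 and passive mode would break instead.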