From: Anders Fugmann <afu@fugmann.dhs.org>
To: Rob <rwideman@austin.rr.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: ftp server issue, trying to DL 1.2.7a
Date: Fri, 06 Sep 2002 11:39:31 +0200
Message-ID: <3D7877D3.6040608@fugmann.dhs.org>
In-Reply-To: NEENJAPFEAIEMGMNIGFLMEKLCCAA.rwideman@austin.rr.com

Rob wrote:
> ftp> dir
> 227 Entering Passive Mode (62,128,28,62,182,53).
> 
As a lot of others replied, the problem is when ftp enters passive mode:
the server initiates a data connection to your machine.

Fortunately, a "port" command is sent first over the command channel,
in order to let the client and server know how and where this new
connection will be established.

This can be caught by the netfilter code, and netfilter can allow this
connection to be accepted from the server in a quite clever way, because
netfilter is _stateful_. ipchains was not, and hence this was not possible.

The following gives an example of how netfilter can handle this:
Let's assume that you are sitting behind an iptables firewall doing NAT,
and all you want is to allow users from the inside (eth0) to connect to
the internet through the external link (ppp0).

# First load the helper modules for the ftp protocol connection tracking.
# Delete these lines if the modules are compiled statically into the
# kernel.
modprobe ip_conntrack_ftp
# And the NAT part for the ftp protocol.
modprobe ip_nat_ftp

# Set default policies (target names are upper case).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# NAT all connections leaving through the external link.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Allow the machine itself to make any kind of connection: replies and
# related packets (e.g. the ftp data connection) are let back in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
	-j ACCEPT

# Allow the same for machines located behind the firewall.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -m state \
	--state ESTABLISHED,RELATED -j ACCEPT


And we are all done. The trick is to use the 'state' match. The RELATED
state will match the first packet in the data connection from the
ftp server in passive mode. Any packets hereafter will be in the
ESTABLISHED state.

As you might have noticed, there is no protocol specifier. So this also
works for e.g. DNS lookups (udp) and ICMP packets related to an already
established connection. Stateful firewalling is just sooo great.

There is no reason for you to patch the kernel in order to do this;
this has been possible for a long time.

Regards
Anders Fugmann

-- 
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org
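Added example, not part of the mail above or of FIAIF: a POSIX sh helper that parses the "227 Entering Passive Mode (62,128,28,62,182,53)." reply quoted in the thread into the address:port the data connection will use, which is the tuple ip_conntrack_ftp reads off the command channel to set up the expectation that --state RELATED then matches. It also accepts the client-side PORT command, which uses the same encoding; SERVER_IP and the check that the announced address equals the peer on the control connection are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: the server reply quoted in the thread, and the address
# the control connection was opened to (assumed, for the address check).
PASV_REPLY='227 Entering Passive Mode (62,128,28,62,182,53).'
SERVER_IP='62.128.28.62'

# Pull the "a,b,c,d,p1,p2" tuple out of a 227 reply or a PORT command and
# print "a.b.c.d:port" (port = p1*256 + p2). Returns 1 on a malformed line.
ftp_data_endpoint() {
    set -- $(printf '%s\n' "$1" \
        | sed -n 's/.*[ (]\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\).*/\1/p' \
        | tr ',' ' ')
    [ $# -eq 6 ] || return 1            # exactly six fields expected
    for n; do [ "$n" -le 255 ] || return 1; done   # each is one octet
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# Build the expectation only if the announced address is the peer we are
# already talking to on the command channel (assumed sanity check, so a
# reply cannot make the firewall expect traffic from a third host).
pasv_expectation() {
    ep=$(ftp_data_endpoint "$1") || return 1
    [ "${ep%:*}" = "$2" ] || return 1
    echo "$ep"
}

pasv_expectation "$PASV_REPLY" "$SERVER_IP"   # prints 62.128.28.62:46645
```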


