* ftp server issue, trying to DL 1.2.7a
@ 2002-09-05 17:29 Rob
  2002-09-05 18:30 ` Rob
                   ` (4 more replies)
  0 siblings, 5 replies; 17+ messages in thread
From: Rob @ 2002-09-05 17:29 UTC (permalink / raw)
  To: netfilter

Anyone else having this problem?


Connected to ftp.iptables.org (62.128.28.62).
220 ProFTPD 1.2.5rc1 Server (netfilter/iptables FTP site) [kashyyyk]
Name (ftp.iptables.org:root): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (62,128,28,62,182,53).

thanks
Rob



^ permalink raw reply	[flat|nested] 17+ messages in thread

* RE: ftp server issue, trying to DL 1.2.7a
  2002-09-05 17:29 ftp server issue, trying to DL 1.2.7a Rob
@ 2002-09-05 18:30 ` Rob
  2002-09-06  1:50   ` Fabrice MARIE
  2002-09-05 18:32 ` Antony Stone
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 17+ messages in thread
From: Rob @ 2002-09-05 18:30 UTC (permalink / raw)
  To: netfilter

I got past it....DLed on win2k and burned to CD-R.
After extracting patch-o-matic/2.4.19/1.2.7a...I am running the
patch-o-matic script and:

# ./runme pending KERNEL_DIR=/usr/src/linux
ERROR: Invalid option KERNEL_DIR=/usr/src/linux

The kernel is extracted to /usr/src/linux; I changed the name from
linux-2.4.19 to linux for ease of remembering. I am SSHing into my box and
I copied the line directly from the README to the command line via PuTTY, so I
know I am not making a typing mistake; also I am using tab to get the
directory of the kernel on the line, so that isn't a mistake of a path either.
Any thoughts?


Rob




* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-05 17:29 ftp server issue, trying to DL 1.2.7a Rob
  2002-09-05 18:30 ` Rob
@ 2002-09-05 18:32 ` Antony Stone
  2002-09-05 22:00   ` wickedsun
  2002-09-05 18:33 ` Ramin Alidousti
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 17+ messages in thread
From: Antony Stone @ 2002-09-05 18:32 UTC (permalink / raw)
  To: netfilter

On Thursday 05 September 2002 6:29 pm, Rob wrote:

> Anyone else having this problem?
>
>
> Connected to ftp.iptables.org (62.128.28.62).
> 220 ProFTPD 1.2.5rc1 Server (netfilter/iptables FTP site) [kashyyyk]
> Name (ftp.iptables.org:root): anonymous
> 331 Anonymous login ok, send your complete email address as your password.
> Password:
> 230 Anonymous access granted, restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 227 Entering Passive Mode (62,128,28,62,182,53).

Works fine for me in active mode:

drwxr-xr-x   2 ftpuser ftpgroup   4096 Jul 22 14:45 incoming
drwxr-xr-x   7 ftpuser ftpgroup   4096 Jul 24 07:36 pub

But like you, I can't get a listing in passive mode.....

Antony.

-- 

This email was created using 100% recycled electrons.



* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-05 17:29 ftp server issue, trying to DL 1.2.7a Rob
  2002-09-05 18:30 ` Rob
  2002-09-05 18:32 ` Antony Stone
@ 2002-09-05 18:33 ` Ramin Alidousti
  2002-09-05 19:57 ` Alistair Tonner
  2002-09-06  9:39 ` Anders Fugmann
  4 siblings, 0 replies; 17+ messages in thread
From: Ramin Alidousti @ 2002-09-05 18:33 UTC (permalink / raw)
  To: Rob; +Cc: netfilter

On Thu, Sep 05, 2002 at 12:29:18PM -0500, Rob wrote:

> Anyone else having this problem?

Yes. I seem to have the same problem. Passive mode hangs and active mode
says "Connection refused".

Definitely a firewalling problem. Did they forget to load the ftp conntrack
module?

Ramin

> 
> 
> Connected to ftp.iptables.org (62.128.28.62).
> 220 ProFTPD 1.2.5rc1 Server (netfilter/iptables FTP site) [kashyyyk]
> Name (ftp.iptables.org:root): anonymous
> 331 Anonymous login ok, send your complete email address as your password.
> Password:
> 230 Anonymous access granted, restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 227 Entering Passive Mode (62,128,28,62,182,53).
> 
> thanks
> Rob
> 


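The symptom Antony and Ramin describe (a directory listing works in active mode but hangs in passive mode) comes down to which side opens the data connection and whether the firewall in front of the server knows about it. The functions below are an added example, not code from the thread or from the netfilter project: they decode the 227 reply quoted above into the host and port the client would connect to, check that the advertised address is the same host as the control connection, and build the PORT command a client sends in active mode. Everything runs offline on the reply text; the peer address and the client address used in the active-mode case are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread or the netfilter project): decode the FTP
# data-connection endpoints that an FTP-aware firewall has to track.
#
# Passive mode: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply tells the client where to connect for the data channel.  The client,
# and the ftp conntrack helper on a firewall in front of the server, must turn
# the six numbers into host h1.h2.h3.h4 and port p1*256+p2.

# pasv_endpoint REPLY: print "host port" for a 227 reply, return 1 if unparsable.
pasv_endpoint() {
  set -- $(printf '%s\n' "$1" | sed -n 's/^227[^(]*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1 \2 \3 \4 \5 \6/p')
  [ $# -eq 6 ] || return 1
  printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# pasv_addr_matches_peer REPLY PEER: 0 if the host advertised in the 227 reply
# equals PEER (the control-connection address), 1 otherwise.  A server, or
# anyone able to alter the control channel, could otherwise redirect the data
# connection to a third host; a careful client refuses such replies.
pasv_addr_matches_peer() {
  ep=$(pasv_endpoint "$1") || return 1
  [ "${ep%% *}" = "$2" ]
}

# Active mode: the client listens and sends "PORT h1,h2,h3,h4,p1,p2"; the
# server then connects back from its port 20.
# port_command ADDR PORT: print that command, return 1 for a port below 1024
# or above 65535.
port_command() {
  [ "$2" -ge 1024 ] && [ "$2" -le 65535 ] || return 1
  printf 'PORT %s,%d,%d\n' "$(printf '%s' "$1" | tr . ,)" $(( $2 / 256 )) $(( $2 % 256 ))
}

# Usage: sh ftp-endpoints.sh '227 Entering Passive Mode (62,128,28,62,182,53).'
if [ $# -gt 0 ]; then
  pasv_endpoint "$1"
fi
```

Run through the reply quoted in the thread, `227 Entering Passive Mode (62,128,28,62,182,53)` maps to 62.128.28.62 port 46645, so the client has to open a fresh connection to that high port. A netfilter box protecting the server only lets that connection through if the ftp connection-tracking helper (on 2.4, `modprobe ip_conntrack_ftp`) has parsed the 227 reply and marked the expected data connection as RELATED, and a rule such as `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` accepts it; without the helper the connection is silently dropped, which looks like a hang from the client side. Active mode survives without the helper as long as the firewall already allows the server's own outbound connections from port 20, which is consistent with what Antony and Alistair saw, though the thread does not confirm what the iptables.org firewall actually ran.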

* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-05 17:29 ftp server issue, trying to DL 1.2.7a Rob
                   ` (2 preceding siblings ...)
  2002-09-05 18:33 ` Ramin Alidousti
@ 2002-09-05 19:57 ` Alistair Tonner
  2002-09-06  9:39 ` Anders Fugmann
  4 siblings, 0 replies; 17+ messages in thread
From: Alistair Tonner @ 2002-09-05 19:57 UTC (permalink / raw)
  To: netfilter


No go on passive from here either,
	set passive off,
	transfer is fine...


On 2002.09.05 13:29 Rob wrote:
> Anyone else having this problem?
> 
> 
> Connected to ftp.iptables.org (62.128.28.62).
> 220 ProFTPD 1.2.5rc1 Server (netfilter/iptables FTP site) [kashyyyk]
> Name (ftp.iptables.org:root): anonymous
> 331 Anonymous login ok, send your complete email address as your
> password.
> Password:
> 230 Anonymous access granted, restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 227 Entering Passive Mode (62,128,28,62,182,53).
> 
> thanks
> Rob
> 
> 
> 




* RE: ftp server issue, trying to DL 1.2.7a
       [not found] <002901c2551c$f5dd4700$3200a8c0@fcol.com>
@ 2002-09-05 21:34 ` Rob
  2002-09-05 22:37   ` R. Sterenborg
  0 siblings, 1 reply; 17+ messages in thread
From: Rob @ 2002-09-05 21:34 UTC (permalink / raw)
  To: netfilter

>>	export KERNEL_DIR=/usr/src/linux
>>
>>	and then ./runme pending

OK, great...applied what I wanted.

Now when I go to /usr/src/iptables-1.2.7a and run make I get a crapload
of errors....
This is what I got from the PuTTY screen:

----------//putty got cut here//-----------
                 from include/iptables.h:5,
                 from extensions/libipt_TOS.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_TCPMSS.c:10:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_SNAT.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_SAME.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_REJECT.c:9:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_REDIRECT.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_MIRROR.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_MASQUERADE.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_MARK.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_LOG.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_ECN.c:16:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_DSCP.c:17:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_DNAT.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_unclean.c:5:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_udp.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_ttl.c:12:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_tos.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_tcpmss.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_tcp.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_state.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_standard.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_pkttype.c:17:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_owner.c:10:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_multiport.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_mark.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_mac.c:12:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_limit.c:11:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_length.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_icmp.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_helper.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_esp.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_ecn.c:15:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_dscp.c:20:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_conntrack.c:11:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_ah.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
Extensions found:
cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/ -DIPTABLES_VERSION
=\"1.2.7a\"  -fPIC -o extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
In file included from /usr/src/linux/include/linux/config.h:4,
                 from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:25,
                 from include/libiptc/libiptc.h:6,
                 from include/iptables.h:5,
                 from extensions/libipt_ah.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in
userspace
make: *** [extensions/libipt_ah_sh.o] Error 1
[root@something iptables-1.2.7a]#


Any thoughts?

Rob







* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-05 18:32 ` Antony Stone
@ 2002-09-05 22:00   ` wickedsun
  0 siblings, 0 replies; 17+ messages in thread
From: wickedsun @ 2002-09-05 22:00 UTC (permalink / raw)
  To: netfilter


I've had this issue back in the ipchains days. :)
It's quite simple. If you make iptables change your destination IP for a
certain port (like the module for FTP used to do in 2.2), well, passive does
not work because it changes your IP address on the fly. If you have made a
port work for active, passive will not work on that same port.

I don't think there is any workaround (yet). It is a pain, because if you
want to FTP and FXP from a port X, you'll have to stay in passive mode.

 
-------Original Message-------
 
From: Antony Stone
Date: Thursday, September 05, 2002 14:56:10
To: netfilter@lists.netfilter.org
Subject: Re: ftp server issue, trying to DL 1.2.7a
 
On Thursday 05 September 2002 6:29 pm, Rob wrote:

> Anyone else having this problem?
>
>
> Connected to ftp.iptables.org (62.128.28.62).
> 220 ProFTPD 1.2.5rc1 Server (netfilter/iptables FTP site) [kashyyyk]
> Name (ftp.iptables.org:root): anonymous
> 331 Anonymous login ok, send your complete email address as your password.
> Password:
> 230 Anonymous access granted, restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 227 Entering Passive Mode (62,128,28,62,182,53).

Works fine for me in active mode:

drwxr-xr-x 2 ftpuser ftpgroup 4096 Jul 22 14:45 incoming
drwxr-xr-x 7 ftpuser ftpgroup 4096 Jul 24 07:36 pub

But like you, I can't get a listing in passive mode.....

Antony.

-- 

This email was created using 100% recycled electrons.




* RE: ftp server issue, trying to DL 1.2.7a
  2002-09-05 21:34 ` Rob
@ 2002-09-05 22:37   ` R. Sterenborg
  2002-09-06  3:49     ` Rob
  0 siblings, 1 reply; 17+ messages in thread
From: R. Sterenborg @ 2002-09-05 22:37 UTC (permalink / raw)
  To: netfilter

> Now when i go to the /usr/src/iptables-1.2.7a and run make i 
> get a crap load
> of errors....
> this is what i got from the putty screen:
> 
Ok, I had the same problem.
Do a make menuconfig or make xconfig or whatever.
Configure nothing; just exit, saving the .config.
Now go ahead and do ./runme pending etc.
It should work now.


Rob



* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-05 18:30 ` Rob
@ 2002-09-06  1:50   ` Fabrice MARIE
  0 siblings, 0 replies; 17+ messages in thread
From: Fabrice MARIE @ 2002-09-06  1:50 UTC (permalink / raw)
  To: Rob; +Cc: netfilter

On Friday 06 September 2002 02:30, Rob wrote:
> I got past it....DLed on win2k and burned to CD-R.
> After extracting patch-o-matic/2.4.19/1.2.7a...I am running the
> patch-o-matic script and:
> # ./runme pending KERNEL_DIR=/usr/src/linux
> ERROR: Invalid option KERNEL_DIR=/usr/src/linux
> [...]
> Any thoughts?

Sure,

try
# KERNEL_DIR=/usr/src/linux ./runme pending
or
# export KERNEL_DIR=/usr/src/linux; ./runme pending

Bash isn't quite like make, and in your command example it will try
to feed KERNEL_DIR=/usr/src/linux to ./runme rather than take it as an
env variable like it should (-:

Have a nice day,

Fabrice.
--
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/

"Silly hacker, root is for administrators"
       -Unknown


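The two build failures in this thread, `ERROR: Invalid option KERNEL_DIR=/usr/src/linux` from runme and `#error Invalid kernel header included in userspace` from make, have the same shape: something the build needed was never supplied. runme reads KERNEL_DIR from its environment, so the assignment has to stand in front of the command name, as Fabrice shows. The make error arises because /usr/src/linux/include/linux/config.h includes <linux/autoconf.h>, a header the 2.4 tree only gains once the configuration step (make menuconfig, xconfig or oldconfig) has written it; until then the compiler falls through to the copy under /usr/include, which is exactly the include chain Rob's log shows, and which is why R. Sterenborg's advice to run make menuconfig first works. The script below is an added example, not part of patch-o-matic or iptables: it checks both preconditions and then runs one patch-o-matic stage with the variable in the environment. The path names, the `POM_RUNME` override and the stage names (taken from the thread, not from the runme script itself) are assumptions.

```shell
#!/bin/sh
# Added example for the build problems in this thread; not part of patch-o-matic
# or iptables.  Verifies that KERNEL_DIR points at a configured 2.4 kernel tree
# and then runs one patch-o-matic stage with the variable in the environment.
# Assumptions: stage names as named in the thread (submitted, pending, base,
# extra); runme lives at ./runme unless POM_RUNME says otherwise.

# kernel_tree_ready DIR: 0 if DIR is a kernel tree that has been through
# make menuconfig/xconfig/oldconfig, 1 otherwise (reason on stderr).
# The include/linux/autoconf.h check is the important one: until the config
# step writes it, the "#include <linux/autoconf.h>" in include/linux/config.h
# resolves to /usr/include/linux/autoconf.h, which on Rob's system (the log
# shows a Red Hat gcc path) starts with the #error quoted in his make output.
kernel_tree_ready() {
  dir=$1
  if [ -z "$dir" ]; then
    echo "KERNEL_DIR is not set" >&2; return 1
  fi
  if [ ! -f "$dir/Makefile" ]; then
    echo "$dir: not a kernel source tree (no Makefile)" >&2; return 1
  fi
  if [ ! -f "$dir/.config" ]; then
    echo "$dir: no .config; run make menuconfig there and save" >&2; return 1
  fi
  if [ ! -f "$dir/include/linux/autoconf.h" ]; then
    echo "$dir: include/linux/autoconf.h missing; run make menuconfig or make oldconfig" >&2; return 1
  fi
  return 0
}

# run_pom_stage STAGE: run patch-o-matic's runme for STAGE after the checks above.
# Returns 2 for an unknown stage, 1 if the tree is not ready, otherwise runme's
# own exit status.
run_pom_stage() {
  stage=$1
  case "$stage" in
    submitted|pending|base|extra) ;;
    *) echo "unknown patch-o-matic stage: $stage" >&2; return 2 ;;
  esac
  kernel_tree_ready "$KERNEL_DIR" || return 1
  # An assignment in front of the command name goes into runme's environment.
  # Writing it after the stage, as in "./runme pending KERNEL_DIR=...", hands
  # it to runme as a positional argument, which runme rejects as an invalid
  # option (the first error in the thread).
  KERNEL_DIR="$KERNEL_DIR" "${POM_RUNME:-./runme}" "$stage"
}

# Usage: KERNEL_DIR=/usr/src/linux sh pom-preflight.sh pending
if [ $# -gt 0 ]; then
  run_pom_stage "$1"
fi
```

The same check is worth running before `make` in the iptables-1.2.7a directory: its Makefile is invoked with `-I/usr/src/linux/include`, so an unconfigured tree there produces the wall of `#error` lines in Rob's log for every extension, not a single failure.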

* RE: ftp server issue, trying to DL 1.2.7a
  2002-09-05 22:37   ` R. Sterenborg
@ 2002-09-06  3:49     ` Rob
  2002-09-06  6:05       ` R. Sterenborg
  0 siblings, 1 reply; 17+ messages in thread
From: Rob @ 2002-09-06  3:49 UTC (permalink / raw)
  To: netfilter

>>Do a make menuconfig or make xconfig or whatever.
>>Configure nothing, just exit with saving the .config
>>Now go ahead and do ./runme pending etc.
>>It should work now.

GREAT, Thanks
New problem...I compiled the kernel and I get these errors:
**the first few lines are the actual compilation to show you where it is**
--------------
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ip_nat_pro
to_tcp  -c -o ip_nat_proto_tcp.o ip_nat_proto_tcp.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ip_nat_pro
to_udp  -c -o ip_nat_proto_udp.o ip_nat_proto_udp.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ip_nat_pro
to_icmp  -c -o ip_nat_proto_icmp.o ip_nat_proto_icmp.c
ld -m elf_i386 -r -o iptable_nat.o ip_nat_standalone.o ip_nat_rule.o
ip_nat_helper.o ip_nat_core.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o
ip_nat_proto_udp.o ip_nat_proto_icmp.o
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ipt_helper
  -c -o ipt_helper.o ipt_helper.c
ipt_helper.c: In function `match':
ipt_helper.c:46: wrong type argument to unary exclamation mark
ipt_helper.c:51: incompatible types in assignment
ipt_helper.c:67: structure has no member named `name'
ipt_helper.c:68: structure has no member named `name'
make[3]: *** [ipt_helper.o] Error 1
make[3]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
make[1]: *** [_subdir_ipv4/netfilter] Error 2
make[1]: Leaving directory `/usr/src/linux/net'
make: *** [_dir_net] Error 2




* RE: ftp server issue, trying to DL 1.2.7a
  2002-09-06  3:49     ` Rob
@ 2002-09-06  6:05       ` R. Sterenborg
  0 siblings, 0 replies; 17+ messages in thread
From: R. Sterenborg @ 2002-09-06  6:05 UTC (permalink / raw)
  To: netfilter

> GREAT, Thanks
You're welcome :o)

> new problem...i compiled the kernel and i get these errors:
<snip>
> gcc -D__KERNEL__ -I/usr/src/linux/include -Wall
> -Wstrict-prototypes -Wno-tri
> graphs -O2 -fno-strict-aliasing -fno-common
> -fomit-frame-pointer -pipe -mpre
> ferred-stack-boundary=2 -march=i586   -nostdinc -I
> /usr/lib/gcc-lib/i386-redhat-linux/2.96/include
> -DKBUILD_BASENAME=ipt_helper
>   -c -o ipt_helper.o ipt_helper.c
> ipt_helper.c: In function `match':
> ipt_helper.c:46: wrong type argument to unary exclamation mark
> ipt_helper.c:51: incompatible types in assignment
> ipt_helper.c:67: structure has no member named `name'
> ipt_helper.c:68: structure has no member named `name'
> make[3]: *** [ipt_helper.o] Error 1
> make[3]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
> make[2]: *** [first_rule] Error 2
> make[2]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
> make[1]: *** [_subdir_ipv4/netfilter] Error 2
> make[1]: Leaving directory `/usr/src/linux/net'
> make: *** [_dir_net] Error 2
>
Uh.. Dunno. I'm still no guru :o) I guess there's some patch missing?
I started patching with ./runme submitted, and I didn't have the
problem that you have (but I did when I didn't start with
submitted...).

I read somewhere about a week ago that patching should start with
submitted, but if you go further down the line (pending, base, extra)
it looks like it checks if the kernel is patched with options of the
previous stage, only it continues where the previous one stopped.
If that is really so, then I don't understand why patching should
start at submitted instead of, let's say, extra.
Can someone please explain how this actually works: if I want patches
from extra, should I really start with submitted?


Rob




* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-05 17:29 ftp server issue, trying to DL 1.2.7a Rob
                   ` (3 preceding siblings ...)
  2002-09-05 19:57 ` Alistair Tonner
@ 2002-09-06  9:39 ` Anders Fugmann
  2002-09-07 12:38   ` wickedsun
  4 siblings, 1 reply; 17+ messages in thread
From: Anders Fugmann @ 2002-09-06  9:39 UTC (permalink / raw)
  To: Rob; +Cc: netfilter

Rob wrote:
> ftp> dir
> 227 Entering Passive Mode (62,128,28,62,182,53).
> 
As a lot of others replied, the problem is that when ftp enters passive mode,
the server initiates a data connection to your machine.

Fortunately, a "port" command is sent first over the command channel,
in order to let the client and server know how and where this new 
connection will be established.

This can be caught by the netfilter code, and netfilter can allow this 
connection to be accepted from the server in a quite clever way, because 
netfilter is _stateful_. ipchains was not, and hence this was not possible.

The following gives an example of how netfilter can handle this:
Let's assume that you are sitting behind an iptables firewall doing NAT,
and all you want is to allow users from the inside (eth0) to connect to 
the internet through the external link (ppp0)

# First load the helper modules for the ftp protocol connection tracking.
# Delete these lines, if the modules are compiled statically into the
# kernel.
modprobe ip_conntrack_ftp
# And the nat part for the ftp protocol.
modprobe ip_nat_ftp

# Set default policies (policy and target names are case-sensitive).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# NAT all connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Allow the machine to make any kind of connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
	-j ACCEPT

# Allow the same for machines located behind the firewall.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -m state \
	--state ESTABLISHED,RELATED -j ACCEPT


And we are all done. The trick is to use the 'state' match. The RELATED
state will match the first packet in the data-connection from the 
ftp-server in passive mode. Any packets hereafter will be in the 
ESTABLISHED state.

As you might have noticed, there is no protocol specifier. So this also 
works for e.g. DNS lookups (udp) and ICMP packets related to an already 
established connection. Stateful firewalling is just sooo great.

There is no reason for you to patch the kernel in order to do this;
this has been possible for a long time.

Regards
Anders Fugmann

-- 
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org




* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-06  9:39 ` Anders Fugmann
@ 2002-09-07 12:38   ` wickedsun
  2002-09-07 13:18     ` Anders Fugmann
  0 siblings, 1 reply; 17+ messages in thread
From: wickedsun @ 2002-09-07 12:38 UTC (permalink / raw)
  To: afu, rwideman; +Cc: netfilter

FTP Issues, round 2.


With further testing, I've noticed that it doesn't quite work. For some
unknown reason, it *seems* to work on port 21, but doesn't on other ports.
From what I understood in your post, you said it would work on any port.
(FTP, of course).

9/7/2002 8:31:12 AM PORT 192,168,0,1,4,131
9/7/2002 8:31:12 AM 200-FXP transfer: from 208.58.49.10 to 192.168.0.1
9/7/2002 8:31:12 AM 200 PORT command successful
9/7/2002 8:31:12 AM LIST
9/7/2002 8:31:13 AM 425 Could not open data connection to port 1155: No
route to host

The address does not get filtered (that FTP has automatic FXP detection: if
the IP in the PORT command differs from the IP of the person that connected
to the FTP, it assumes it's an FXP transfer.)

That was on port 8989.

On the other hand, port 21 is fine:

9/7/2002 8:35:11 AM PORT 192,168,0,1,4,137
9/7/2002 8:35:11 AM 200 PORT command successful.
9/7/2002 8:35:11 AM LIST
9/7/2002 8:35:11 AM Data Connection opened.
9/7/2002 8:35:11 AM 150 Opening ASCII mode data connection for file list.
9/7/2002 8:35:11 AM 226-Transfer complete.
9/7/2002 8:35:11 AM 370 bytes transferred in 00:00:00, 370 bytes/sec


Any ideas?


Charles




* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-07 12:38   ` wickedsun
@ 2002-09-07 13:18     ` Anders Fugmann
  2002-09-07 15:33       ` wickedsun
  2002-09-07 15:40       ` Alistair Tonner
  0 siblings, 2 replies; 17+ messages in thread
From: Anders Fugmann @ 2002-09-07 13:18 UTC (permalink / raw)
  To: wickedsun; +Cc: netfilter

wickedsun wrote:
> FTP Issues, round 2.
>  
>  
> With further testing, I've noticed that it doesnt quite work. For some 
> unknown reason, it *seems* to work on port 21, but doesnt on other 
Seems or does?

> ports. From what I understood in your post, you said it would work on 
> any port. (FTP, of course).

>  
No. The ftp connection tracking module only monitors on port 21. Because 
it has to examine all packets being sent through, it would simply be too 
much work to monitor any connection made. If you want it to monitor 
other ports also, you can compile the ftp connection tracking as a 
module, and then use:
modprobe ip_conntrack_ftp 21,5006
to let it listen on ports 21 and 5006.

I do not know if there is any way to make this work with 
ftp_connection_tracking statically compiled in the kernel.

Regards
Anders Fugmann

-- 
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org




* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-07 13:18     ` Anders Fugmann
@ 2002-09-07 15:33       ` wickedsun
  2002-09-07 15:40       ` Alistair Tonner
  1 sibling, 0 replies; 17+ messages in thread
From: wickedsun @ 2002-09-07 15:33 UTC (permalink / raw)
  To: afu; +Cc: netfilter

Ahh yes, that makes sense. It's behaving like the old ip_masq_ftp module.
Thanks for the info, again ;)

Charles
 


* Re: ftp server issue, trying to DL 1.2.7a
  2002-09-07 13:18     ` Anders Fugmann
  2002-09-07 15:33       ` wickedsun
@ 2002-09-07 15:40       ` Alistair Tonner
  1 sibling, 0 replies; 17+ messages in thread
From: Alistair Tonner @ 2002-09-07 15:40 UTC (permalink / raw)
  To: Anders Fugmann; +Cc: wickedsun, netfilter



	You need to add the parameter name:
	in this case ports.

	modprobe ip_conntrack_ftp ports=21,5006
	modprobe ip_nat_ftp ports=21,5006
	 
	or if built into the kernel, I don't believe you can pass a port
	parameter to the module. (Just a quick glance at the
	source ... so if I'm wrong someone will hit me over the head
	I'm sure).

On 2002.09.07 09:18 Anders Fugmann wrote:
> wickedsun wrote:
>> FTP Issues, round 2.
>>   With further testing, I've noticed that it doesnt quite work. For 
>> some unknown reason, it *seems* to work on port 21, but doesnt on 
>> other
> Seems or does?
> 
>> ports. From what I understood in your post, you said it would work 
>> on any port. (FTP, of course).
> 
>> 
> No. The ftp connection tracking module only monitors on port 21. 
> Because it has to examine all packets beeing send though, it would 
> simple be too much work to monitor any connection made. If you want 
> it to monitor other ports also, you can compile the ftp connection 
> tracking as a module, and then use:
> modprobe ip_conntrack_ftp 21,5006
> to let it listen on ports 21 and 5006.
> 
> I do not know if there is any way to make this work with 
> ftp_connection_tracking statically compiled in the kernel.
> 
> Regards
> Anders Fugmann
> 
>-- 
> Author of FIAIF
> FIAIF Is An Intelligent Firewall
> http://fiaif.fugmann.dhs.org
> 
> 
> 




* RE: ftp server issue, trying to DL 1.2.7a
@ 2002-09-10  3:51 Rob
  0 siblings, 0 replies; 17+ messages in thread
From: Rob @ 2002-09-10  3:51 UTC (permalink / raw)
  To: netfilter

new problem...I compiled the kernel and I get these errors:
**the first few lines are the actual compilation to show you where it is**
--------------
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ip_nat_pro
to_tcp  -c -o ip_nat_proto_tcp.o ip_nat_proto_tcp.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ip_nat_pro
to_udp  -c -o ip_nat_proto_udp.o ip_nat_proto_udp.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ip_nat_pro
to_icmp  -c -o ip_nat_proto_icmp.o ip_nat_proto_icmp.c
ld -m elf_i386 -r -o iptable_nat.o ip_nat_standalone.o ip_nat_rule.o
ip_nat_helper.o ip_nat_core.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o
ip_nat_proto_udp.o ip_nat_proto_icmp.o
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-tri
graphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpre
ferred-stack-boundary=2 -march=i586   -nostdinc -I
/usr/lib/gcc-lib/i386-redhat-linux/2.96/include -DKBUILD_BASENAME=ipt_helper
  -c -o ipt_helper.o ipt_helper.c
ipt_helper.c: In function `match':
ipt_helper.c:46: wrong type argument to unary exclamation mark
ipt_helper.c:51: incompatible types in assignment
ipt_helper.c:67: structure has no member named `name'
ipt_helper.c:68: structure has no member named `name'
make[3]: *** [ipt_helper.o] Error 1
make[3]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
make[1]: *** [_subdir_ipv4/netfilter] Error 2
make[1]: Leaving directory `/usr/src/linux/net'
make: *** [_dir_net] Error 2


Any help is appreciated. Thanks
Rob





Thread overview: 17+ messages
2002-09-05 17:29 ftp server issue, trying to DL 1.2.7a Rob
2002-09-05 18:30 ` Rob
2002-09-06  1:50   ` Fabrice MARIE
2002-09-05 18:32 ` Antony Stone
2002-09-05 22:00   ` wickedsun
2002-09-05 18:33 ` Ramin Alidousti
2002-09-05 19:57 ` Alistair Tonner
2002-09-06  9:39 ` Anders Fugmann
2002-09-07 12:38   ` wickedsun
2002-09-07 13:18     ` Anders Fugmann
2002-09-07 15:33       ` wickedsun
2002-09-07 15:40       ` Alistair Tonner
     [not found] <002901c2551c$f5dd4700$3200a8c0@fcol.com>
2002-09-05 21:34 ` Rob
2002-09-05 22:37   ` R. Sterenborg
2002-09-06  3:49     ` Rob
2002-09-06  6:05       ` R. Sterenborg
  -- strict thread matches above, loose matches on Subject: below --
2002-09-10  3:51 Rob
