From: Roman Gavrilov
Subject: iptables and ftp
Date: Sat, 22 Feb 2003 22:20:11 +0200
To: netfilter@lists.netfilter.org
Message-ID: <023001c2daaf$cd19fe80$020010ac@romio>

Hello,

My question is about ftp and ftp data connections.
I know this subject has been heavily discussed, but still ...

I set up my firewall to allow connections to ports 21 and 20.
I also allowed connections to high ports from outside from port 20,
and of course I enabled all established and related connections.

But whenever I connect to my ftp server and issue the "ls" command it gets stuck.
In the firewall I see:

Feb 22 04:07:46 hostname IN=eth0 OUT= MAC=00:e0:18:d3:1b:4b:00:90:5f:0d:64:38:08:00 SRC=source ip DST=my server ip LEN=60 TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0

SPT=37070 DPT=21773 looks strange to me.

It seems that the ftp data session is trying to establish a connection from a high port to a high port.
SYN means that it is trying to establish a connection, and of course it is dropped by the firewall.
There is no sense in allowing anything from outside to the server's high ports.

I think that the client should issue a connect request from a high port to the server's port 20,
and then it should match the established connection.

What can be the problem?
Thanks
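The logged packet above is what a passive-mode FTP data connection looks like from the server's firewall: client high port to server high port. The following added example (not from the post) parses such kernel LOG lines and labels each FTP flow, marking the ones a stateful ESTABLISHED,RELATED rule can only accept once the ftp connection-tracking helper is loaded; the sample log lines and addresses are constructed.

```python
"""Classify netfilter LOG lines for FTP: which data flows need the ftp conntrack helper."""

# Bare tokens in the kernel LOG format that carry no '=' (TCP flags, IP bits).
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CE"}

# Constructed sample lines (documentation addresses). The first mirrors the
# packet in the post: client high port 37070 -> server high port 21773, SYN.
SAMPLE_LOG = [
    "Feb 22 04:07:46 fw IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 "
    "TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 "
    "SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0",
    "Feb 22 04:07:40 fw IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 "
    "PROTO=TCP SPT=37069 DPT=21 SEQ=1 ACK=0 WINDOW=5840 SYN URGP=0",
    "Feb 22 04:08:01 fw IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 "
    "PROTO=TCP SPT=20 DPT=40123 SEQ=7 ACK=0 WINDOW=5840 SYN URGP=0",
]

def parse_log_line(line: str) -> dict:
    """Turn KEY=VALUE tokens into a dict; bare flag tokens go into 'FLAGS'."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in FLAG_TOKENS:
            flags.add(token)
    fields["FLAGS"] = flags
    return fields

def classify_ftp(fields: dict) -> str:
    """Label one logged TCP packet relative to the FTP control and data flows."""
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    if dpt == 21:
        return "ftp-control"
    if spt == 20 and dpt > 1023:
        # Active mode: server connects back from port 20; a sport-20 rule matches.
        return "active-data"
    if spt > 1023 and dpt > 1023 and "SYN" in fields["FLAGS"]:
        # Passive mode: the client opens a second connection to the high port the
        # server announced in its PASV reply. Without the ftp conntrack helper
        # (ip_conntrack_ftp / nf_conntrack_ftp) the kernel cannot read that reply,
        # so the SYN is NEW instead of RELATED and a stateful rule drops it.
        return "passive-data-syn"
    return "unclassified"

def classify_lines(lines=SAMPLE_LOG) -> list:
    """Classify every line; entries labelled 'passive-data-syn' need the helper."""
    return [classify_ftp(parse_log_line(line)) for line in lines]
```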