From: Alexandros Papadopoulos <apapadop@cmu.edu>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@lists.netfilter.org
Subject: Re: non-standard FTP ports and connection tracking (redux)
Date: Tue, 10 Dec 2002 11:18:52 -0500 [thread overview]
Message-ID: <200212101118.53239.apapadop@cmu.edu> (raw)
In-Reply-To: <Pine.LNX.4.33.0212100943130.9625-100000@blackhole.kfki.hu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 10 December 2002 03:46, Jozsef Kadlecsik wrote:
> On Tue, 10 Dec 2002, Alexandros Papadopoulos wrote:
> > In any case, the relevant rules from the output chain are:
>
> ^^^^^^^^^^^^^^
> Isn't there a rule intended for other purposes, which blocks the
> passive data channel?
The default behavior is DROP for all chains, so if these ones don't
allow it, then it is blocked. I thought these ones were sufficient. I'm
attaching the complete ruleset I'm using.
>
> > I'd bet that the problem is that the SYN request sent from the
> > client to my server gets dropped, though. Seems like a
> > conntrack/INPUT thing.
>
> I'd setup logging rules to see where and why the connection gets
> blocked.
>
I've monitored the packets with Ethereal and seen that the problem is
the one mentioned -- the SYN packet from the client that tries to open
the data connection (when in passive mode) never makes it through the
firewall.
The question is, why doesn't connection tracking pick this up and allow
the packet to go through? (since it's a RELATED connection to a
preexisting FTP session)
Thanks
- -A
- --
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F D78C 8260 0CC1 0B75 8265
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE99hPtgmAMwQt1gmURAgCAAJwMh/18DnsMuY3Zp/401XU4itDNbACdEeSj
8vvn0n0ot+Dbc0QuANY4+rY=
=9dZt
-----END PGP SIGNATURE-----
[-- Attachment #2: rules.gz --]
[-- Type: application/x-gzip, Size: 1336 bytes --]
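The symptom in this message (the client's SYN for the passive data channel is dropped even though an FTP control session exists) is what you see when the FTP conntrack helper is not watching the control port, so no RELATED expectation is ever created. The script below is an added example, not the poster's ruleset: it shows what the helper does with a PASV reply (computes the data port the client will connect to), a check for whether a given control port is in the helper's `ports=` list, and a minimal INPUT ruleset that accepts RELATED traffic before the DROP policy applies. The control port 2121 and the address in the sample 227 line are assumptions; the thread never names the actual port. Module and match names are the current `nf_conntrack_ftp` / `-m conntrack --ctstate`; on the 2.4 kernels of this thread they were `ip_conntrack_ftp` and `-m state --state`, with the same `ports=` parameter.

```shell
#!/bin/sh
# Added example (not from the thread). Nothing here touches the kernel:
# the functions only parse and print, so it runs unprivileged.

# What the FTP helper extracts from a "227 Entering Passive Mode" reply:
# the six numbers are h1,h2,h3,h4,p1,p2 and the data port is p1*256+p2.
# Conntrack registers an expectation for client -> server:thatport and
# marks the matching SYN as RELATED when it arrives.
pasv_data_port() {
    pasv_nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$pasv_nums" ] || return 1
    pasv_p1=$(printf '%s\n' "$pasv_nums" | cut -d, -f5)
    pasv_p2=$(printf '%s\n' "$pasv_nums" | cut -d, -f6)
    [ -n "$pasv_p1" ] && [ -n "$pasv_p2" ] || return 1
    echo $((pasv_p1 * 256 + pasv_p2))
}

# Is the control port in the helper's comma-separated ports= list?
# $1: contents of /sys/module/nf_conntrack_ftp/parameters/ports
#     (ip_conntrack_ftp on 2.4 kernels; default is "21" alone)
# $2: the non-standard control port in use
helper_tracks_port() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print a minimal INPUT ruleset for an FTP server on control port $1.
# Order matters: the RELATED,ESTABLISHED accept must precede anything
# that drops new SYNs, because the passive data SYN is a new TCP
# connection that conntrack classifies as RELATED, not ESTABLISHED.
ftp_rules() {
    ftp_port=$1
    cat <<EOF
# load the helper with the non-standard control port added to the default 21
modprobe nf_conntrack_ftp ports=21,$ftp_port
# kernels >= 4.7 no longer auto-assign helpers; bind it to the control port
iptables -t raw -A PREROUTING -p tcp --dport $ftp_port -j CT --helper ftp
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $ftp_port -m conntrack --ctstate NEW -j ACCEPT
# log what still falls through so a dropped data-channel SYN is visible
iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Constructed sample reply, as an FTP server would send it on the control channel
SAMPLE_227='227 Entering Passive Mode (192,168,1,10,19,137).'

if [ "${1:-}" = "--demo" ]; then
    echo "data port from sample 227: $(pasv_data_port "$SAMPLE_227")"
    if helper_tracks_port "21" 2121; then
        echo "helper tracks 2121"
    else
        echo "helper does NOT track 2121: expect RELATED to never match"
    fi
    ftp_rules 2121
fi
```

To diagnose a live box, compare `cat /sys/module/nf_conntrack_ftp/parameters/ports` with the control port the server listens on; if the port is absent, the helper never sees the 227 reply, no expectation exists, and the client's data-channel SYN hits the DROP policy exactly as captured with Ethereal above. The LOG rule placed just before the policy takes effect is the logging rule Jozsef suggested.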
Thread overview: 9+ messages
2002-12-09 22:01 non-standard FTP ports and connection tracking Kim Leandersson
2002-12-09 23:05 ` Alexandros Papadopoulos
2002-12-10 2:46 ` non-standard FTP ports and connection tracking (redux) Alexandros Papadopoulos
2002-12-10 7:52 ` Jozsef Kadlecsik
2002-12-10 8:12 ` Alexandros Papadopoulos
2002-12-10 8:46 ` Jozsef Kadlecsik
2002-12-10 16:18 ` Alexandros Papadopoulos [this message]
2002-12-12 9:16 ` Jozsef Kadlecsik
2002-12-13 6:09 ` Joel Newkirk