Linux Netfilter discussions
* ftp connection tracking
@ 2003-07-29 11:22 Axel Heinrici
  2003-07-29 11:41 ` Cedric Blancher
  2003-07-29 12:52 ` ftp connection tracking Andrew J. Meader
  0 siblings, 2 replies; 9+ messages in thread
From: Axel Heinrici @ 2003-07-29 11:22 UTC (permalink / raw)
  To: netfilter

Hi

I have a problem connecting to an ftp-server on a non-standard port. I 
remember there was an option to be set upon inserting the 
kernel-module. The documentation on module-options seems a little weird 
to me, and I can't find a clear answer.
The situation is simple. My computer and the router/firewall have 
non-private IPs. Hence no Masquerading/SNAT is done. But the firewall 
has to be set up denying any connection going out except for services 
allowed explicitly. FTP is working fine (even active) when connecting 
to servers on port 21. 
What options do I have to apply when inserting the modules?

greetings
	Axel


* Re: ftp connection tracking
  2003-07-29 11:22 ftp connection tracking Axel Heinrici
@ 2003-07-29 11:41 ` Cedric Blancher
  2003-07-29 15:22   ` ftp connection tracking (solved) Axel Heinrici
  2003-07-29 12:52 ` ftp connection tracking Andrew J. Meader
  1 sibling, 1 reply; 9+ messages in thread
From: Cedric Blancher @ 2003-07-29 11:41 UTC (permalink / raw)
  To: Axel Heinrici; +Cc: netfilter

On Tue 29/07/2003 at 13:22, Axel Heinrici wrote:
> I have a problem connecting to an ftp-server on a non-standard port.
[...]
> What options do I have to apply when inserting the modules?

As far as I can remember:

	modprobe ip_conntrack_ftp port=21,2121

You can track 8 ports this way.

As a more general way to get module options, use the modinfo command.
Unfortunately, I do not have ip_conntrack_ftp built as a module, but this
is what you can get:

cbr@elendil:~$ modinfo bonding
filename:    /lib/modules/2.4.20/kernel/drivers/net/bonding.o
description: <none>
author:      <none>
license:     "GPL"
parm:        max_bonds int, description "Max number of bonded devices"
parm:        miimon int, description "Link check interval in milliseconds"
parm:        mode int, description "Mode of operation : 0 for round robin, 1 for active-backup, 2 for xor"
parm:        arp_interval int, description "arp interval in milliseconds"
parm:        arp_ip_target string, description "arp target in n.n.n.n form"
parm:        updelay int, description "Delay before considering link up, in milliseconds"
parm:        downdelay int, description "Delay before considering link down, in milliseconds"

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

* Re: ftp connection tracking
  2003-07-29 11:22 ftp connection tracking Axel Heinrici
  2003-07-29 11:41 ` Cedric Blancher
@ 2003-07-29 12:52 ` Andrew J. Meader
  2003-07-29 13:58   ` Axel Heinrici
  1 sibling, 1 reply; 9+ messages in thread
From: Andrew J. Meader @ 2003-07-29 12:52 UTC (permalink / raw)
  To: Axel Heinrici; +Cc: netfilter

Hi,

I just ran into this yesterday. I was forgetting to load 
ip_conntrack_ftp in my iptables init script. For grins, here is a snip 
from my init script:

# Firewall Modules ~ assuming modularized kernel
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp

YMMV - your modules may vary :)

ajm

Axel Heinrici wrote:

>Hi
>
>I have a problem connecting to an ftp-server on a non-standard port. I 
>remember there was an option to be set upon inserting the 
>kernel-module. The documentation on module-options seems a little weird 
>to me, and I can't find a clear answer.
>The situation is simple. My computer and the router/firewall have 
>non-private IPs. Hence no Masquerading/SNAT is done. But the firewall 
>has to be set up denying any connection going out except for services 
>allowed explicitly. FTP is working fine (even active) when connecting 
>to servers on port 21. 
>What options do I have to apply when inserting the modules?
>
>greetings
>	Axel


* Re: ftp connection tracking
  2003-07-29 12:52 ` ftp connection tracking Andrew J. Meader
@ 2003-07-29 13:58   ` Axel Heinrici
  2003-07-29 14:50     ` Andrew J. Meader
  0 siblings, 1 reply; 9+ messages in thread
From: Axel Heinrici @ 2003-07-29 13:58 UTC (permalink / raw)
  To: netfilter

Hi

On Tuesday 29 July 2003 14:52, Andrew J. Meader wrote:
> Hi,
>
> I just ran into this just yesterday. I was forgetting to load
> ip_conntrack_ftp in my iptables init script. For grins, here is a
> snip from my init script:

That is not the problem. The module is loaded. But the module doesn't 
track FTP-connections on non-standard ports. So FTP-connections to 
these servers are not "allowed" by the "iptables .... -m --state 
RELATED,ESTABLISHED ...."-stuff.

>
> # Firewall Modules ~ assuming modularized kernel
>     /sbin/modprobe ip_tables
>     /sbin/modprobe iptable_nat
>     /sbin/modprobe ip_conntrack
>     /sbin/modprobe ip_conntrack_ftp
>
> YMMV - your modules may vary :)

greetings 
	Axel


* Re: ftp connection tracking
  2003-07-29 13:58   ` Axel Heinrici
@ 2003-07-29 14:50     ` Andrew J. Meader
  0 siblings, 0 replies; 9+ messages in thread
From: Andrew J. Meader @ 2003-07-29 14:50 UTC (permalink / raw)
  To: Axel Heinrici; +Cc: netfilter

Ah, I see your point. I don't think I will be of much help to you. 
However, I'm sure someone else in the community has walked this path 
before. Good luck.

ajm


* Re: ftp connection tracking (solved)
  2003-07-29 11:41 ` Cedric Blancher
@ 2003-07-29 15:22   ` Axel Heinrici
  0 siblings, 0 replies; 9+ messages in thread
From: Axel Heinrici @ 2003-07-29 15:22 UTC (permalink / raw)
  To: netfilter

Hi

On Tuesday 29 July 2003 13:41, Cedric Blancher wrote:
> On Tue 29/07/2003 at 13:22, Axel Heinrici wrote:
> > I have a problem connecting to an ftp-server on a non-standard port.
>
> [...]
>
> > What options do I have to apply when inserting the modules?
>
> As far as I can remember:
>
> 	modprobe ip_conntrack_ftp port=21,2121
>
> You can track 8 ports this way.

To spare anyone searching the archives from going insane later.....
The correct parameter is "ports" and not "port" :-)

Axel

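The two threads above turn on the same two details: the helper must be loaded with a port list, and the parameter is spelled exactly as `modinfo` declares it ("ports", an int array of at most 8 entries). The script below is an added example, not code posted by anyone in the thread. It reads the parameter name and array limit out of `modinfo` output (a constructed copy of the output quoted later in the thread is embedded so it runs offline), rejects port lists that the module would refuse, and prints the `modprobe` line together with iptables rules for the policy Axel describes: default-deny outbound, explicit services only, with the FTP helper marking the data connection RELATED so it passes the state rule without opening the ephemeral port range. Function names (`ftp_param_name`, `validate_ports`, `modprobe_cmd`, `ftp_rules`) are this example's own. Commands are printed rather than executed; on a 2.6.20 or later kernel the helper is called nf_conntrack_ftp and takes the same `ports=` parameter.

```shell
#!/bin/sh
# Added example (not from the thread). Derive the parameter name and limit
# from modinfo output, validate the port list, and print the commands.

# Constructed sample mirroring the 2.4-era `modinfo ip_conntrack_ftp` output
# quoted in the thread. On a real host: SAMPLE_MODINFO=$(modinfo ip_conntrack_ftp)
SAMPLE_MODINFO='filename:    /lib/modules/2.4.20-20.9/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description: <none>
author:      <none>
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int'

# Print the name of the port-list parameter declared in modinfo output ($1).
# Matches "port" or "ports", so the output tells you which spelling to use.
ftp_param_name() {
    printf '%s\n' "$1" | awk '$1 == "parm:" && $2 ~ /^ports?$/ { print $2; exit }'
}

# Print the declared maximum array length for that parameter (empty if none).
ftp_param_max() {
    printf '%s\n' "$1" | awk '
        $1 == "parm:" && $2 ~ /^ports?$/ && match($0, /max = [0-9]+/) {
            print substr($0, RSTART + 6, RLENGTH - 6); exit
        }'
}

# Validate a comma-separated port list ($1): every entry numeric in 1..65535,
# no empty entries, at most $2 entries. Echoes the list unchanged on success.
validate_ports() {
    _list=$1 _max=$2 _n=0 _old_ifs=$IFS
    IFS=','
    for _p in $_list; do
        case $_p in
            ''|*[!0-9]*) IFS=$_old_ifs; return 1 ;;
        esac
        if [ "$_p" -lt 1 ] || [ "$_p" -gt 65535 ]; then
            IFS=$_old_ifs; return 1
        fi
        _n=$((_n + 1))
    done
    IFS=$_old_ifs
    [ "$_n" -ge 1 ] && [ "$_n" -le "$_max" ] || return 1
    printf '%s\n' "$_list"
}

# Build the modprobe line from modinfo output ($1) and a port list ($2),
# using whatever parameter name the module really declares.
modprobe_cmd() {
    _name=$(ftp_param_name "$1")
    [ -n "$_name" ] || return 1
    _lim=$(ftp_param_max "$1")
    [ -n "$_lim" ] || _lim=8          # assume the 2.4 limit if none is declared
    _ports=$(validate_ports "$2" "$_lim") || return 1
    printf 'modprobe ip_conntrack_ftp %s=%s\n' "$_name" "$_ports"
}

# Rules for the policy in the thread: nothing leaves except services allowed
# explicitly. Control sessions to the listed server ports are allowed as NEW;
# the helper classifies the data connection (inbound for active mode, outbound
# for passive) as RELATED, so the state rules admit it on any port.
ftp_rules() {
    _old_ifs=$IFS; IFS=','
    set -- $1
    IFS=$_old_ifs
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for _p in "$@"; do
        echo "iptables -A OUTPUT -p tcp --dport $_p -m state --state NEW -j ACCEPT"
    done
}

# Stand-alone run against the constructed sample; pipe the output to sh to apply.
modprobe_cmd "$SAMPLE_MODINFO" 21,2121 && ftp_rules 21,2121
```

Run it with the real `modinfo ip_conntrack_ftp` output in `SAMPLE_MODINFO` and the server ports you actually need; a list of nine ports, a non-numeric entry or a doubled comma makes `validate_ports` fail before anything is printed, which is cheaper than discovering at load time that the module rejected the argument.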

* ftp connection tracking
@ 2003-08-27 17:36 David Luyens
  2003-08-31 10:48 ` Ralf Spenneberg
  2003-09-01  1:04 ` Alistair Tonner
  0 siblings, 2 replies; 9+ messages in thread
From: David Luyens @ 2003-08-27 17:36 UTC (permalink / raw)
  To: netfilter


Hi, 
 
When I change the port number of my ftp daemon, the connection tracking
of netfilter does not work anymore.
Is it possible to tell netfilter to look at a different port (than 21)
for ftp connections?
 
David Luyens



* Re: ftp connection tracking
  2003-08-27 17:36 David Luyens
@ 2003-08-31 10:48 ` Ralf Spenneberg
  2003-09-01  1:04 ` Alistair Tonner
  1 sibling, 0 replies; 9+ messages in thread
From: Ralf Spenneberg @ 2003-08-31 10:48 UTC (permalink / raw)
  To: David Luyens; +Cc: Netfilter

On Wed, 2003-08-27 at 19.36, David Luyens wrote:
> Hi, 
>  
> When I change the port number of my ftp daemon, the connection tracking
> of netfilter does not work anymore.
> Is it possible to tell netfilter to look at a different port (than
> 21) for ftp connections?
Yes, see:
# modinfo ip_conntrack_ftp
filename:    /lib/modules/2.4.20-20.9/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description: <none>
author:      <none>
license:     "GPL"
parm:        ports int array (min = 1, max = 8)
parm:        loose int

You can define the ports when loading the ip_conntrack_ftp module.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org


* Re: ftp connection tracking
  2003-08-27 17:36 David Luyens
  2003-08-31 10:48 ` Ralf Spenneberg
@ 2003-09-01  1:04 ` Alistair Tonner
  1 sibling, 0 replies; 9+ messages in thread
From: Alistair Tonner @ 2003-09-01  1:04 UTC (permalink / raw)
  To: David Luyens, netfilter

On August 27, 2003 01:36 pm, David Luyens wrote:
> Hi,
>
> When I change the port number of my ftp daemon, the connection tracking
> of netfilter does not work anymore.
> Is it possible to tell netfilter to look at a different port (than 21)
> for ftp connections?
>
> David Luyens



	Not sure what the kernel command line would be but if you use modules 
	to load
	ip_conntrack_ftp
	ip_nat_ftp
	
	modinfo ip_conntrack_ftp

	you pass the new port as an option to the module when it loads.
	
	insmod ip_nat_ftp ports=xx,xx

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
	Any sufficiently advanced technology will have the appearance of magic.
	Let's get magical!

