[ale] FTP/firewall issue
Bob Kruger
krugerb at benning.army.mil
Tue Jul 3 09:32:07 EDT 2001
Leonard Thornton wrote:
> I may be wrong, but I believe for active ftp connections, the actual data
> connection is incoming from the outside world on port 21. You would
> therefore have to allow connection to port 21 from the external ethernet
> adapter to your network.
>
> something like:
>
> /usr/sbin/iptables -s 0.0.0.0/0 -i eth1 -p tcp --destination-port 21 -j ALLOW
> /usr/sbin/iptables -s 0.0.0.0/0 -i eth1 -p udp --destination-port 21 -j ALLOW
>
Well, that is open for the LAN.
If I do the following, the FTP connection can be made and the directories listed:
/usr/sbin/iptables -s 192.168.2.0/24 -i eth1 -j ALLOW
So, as long as I open up everything (all ports and protocols) via the firewall to
the office LAN, the ftp session can be made and the directories listed. It does
not have to be opened up to the entire world (thankfully).
If I omit the line above and do the following:
/usr/sbin/iptables -p udp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ALLOW
/usr/sbin/iptables -p tcp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ALLOW
/usr/sbin/iptables -p udp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ALLOW
/usr/sbin/iptables -p tcp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ALLOW
Then the entire office LAN can log in on an active ftp session, but cannot do a
directory listing.
This tells me that there is another port or protocol that has to be turned on from
the firewall.
Any ideas?
Regards - Bob Kruger
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.