[ale] FTP/firewall issue

James Kinney jkinney at localnetsolutions.com
Tue Jul 3 13:35:16 EDT 2001


Shouldn't there be a --sport 20 ...
to allow access _from_ a port 20 request?
(or 21....I don't remember)

On Tue, 3 Jul 2001, Bob Kruger wrote:

> Leonard Thornton wrote:
>
> > I may be wrong, but I believe for active ftp connections, the actual data
> > connection is incoming from the outside world on port 21.  You would
> > therefore have to allow connection to port 21 from the external ethernet
> > adapter to your network.
> >
> > something like:
> >
> > /usr/sbin/iptables -s 0.0.0.0/0 -i eth1 -p tcp --destination-port
> > 21 -j ALLOW
> > /usr/sbin/iptables -s 0.0.0.0/0 -i eth1 -p udp --destination-port
> > 21 -j ALLOW
> >
>
> Well, that is open for the LAN.
>
> If I do the following, the FTP connection can be made and the directories listed:
>
> /usr/sbin/iptables -s 192.168.2.0/24 -i eth1 -j ALLOW
>
> So, as long as I open up everything (all ports and protocols) via the firewall to
> the office LAN, the ftp session can be made and the directories listed.  It does
> not have to be opened up to the entire world (thankfully)
>
> If I omit the line above and do the following:
>
> /usr/sbin/iptables -p udp -s 192.168.2.0/24 --destination-port 20 -i
> eth1 -j ALLOW
> /usr/sbin/iptables -p tcp -s 192.168.2.0/24 --destination-port 20 -i
> eth1 -j ALLOW
> /usr/sbin/iptables -p udp -s 192.168.2.0/24 --destination-port 21 -i
> eth1 -j ALLOW
> /usr/sbin/iptables -p tcp -s 192.168.2.0/24 --destination-port 21 -i
> eth1 -j ALLOW
>
> Then the entire office LAN can log in on an active ftp session, but can not do a
> directory listing.
>
> This tells me that there is another port or protocol that has to be turned on from
> the firewall.
>
> Any ideas?
>
> Regards - Bob Kruger
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
>

-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./
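As an added example (not code from this thread or from anyone in it), the following Python works out which side opens the FTP data connection, and from which ports, given the PORT command of an active session; it goes slightly beyond the thread by also handling the 227 reply of a passive session. The server and client addresses are constructed values, and syn_matches is a hypothetical helper that checks the opening SYN against a rule keyed only on source or destination port.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Both FTP data-channel negotiations carry an address as six decimal bytes
# (port = p1*256 + p2):
#   PORT h1,h2,h3,h4,p1,p2                 active:  the client announces ITS port
#   227 Entering Passive Mode (h1,..,p2)   passive: the server announces ITS port
SIX_BYTES = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX_BYTES + r"\s*$")
PASV_RE = re.compile(r"^227\b.*?\(" + SIX_BYTES + r"\)")

@dataclass(frozen=True)
class DataChannel:
    mode: str                # "active" or "passive"
    initiator: str           # side that sends the SYN: "server" or "client"
    src_ip: str
    src_port: Optional[int]  # 20 (ftp-data) in active mode; ephemeral (None) in passive
    dst_ip: str
    dst_port: int

def _decode(m):
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("address/port byte out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(map(str, nums[:4])), port

def data_channel(line: str, server_ip: str, client_ip: str) -> DataChannel:
    """Work out the data connection that follows one control-channel line."""
    line = line.strip()
    if m := PORT_RE.match(line):
        ip, port = _decode(m)
        # Active mode: the SERVER opens the data connection, from port 20, to the client.
        return DataChannel("active", "server", server_ip, 20, ip, port)
    if m := PASV_RE.match(line):
        ip, port = _decode(m)
        # Passive mode: the CLIENT opens it, from an ephemeral port, to the server.
        return DataChannel("passive", "client", client_ip, None, ip, port)
    raise ValueError(f"no data-channel negotiation in {line!r}")

def syn_matches(ch: DataChannel, sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """Would a stateless rule keyed only on these ports admit the opening SYN?"""
    if sport is not None and ch.src_port != sport:
        return False
    return dport is None or ch.dst_port == dport
```

For an active session the directory listing travels over that server-initiated connection, so a rule set that only names destination ports 20 and 21 describes the control channel, not the SYN that carries the listing.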
