Im not sure, what part you seem to think is not working. I and most people I
know run ip_masq_ftp and it seems to be working just fine. Even able to connect to
GA Tech and the likes, provided the Masquerading boxes IP is properly revere
resolved in DNS.
Im curios if anyone has managed to get the bridging firewall features working
in Linux? That would be the ultimate firewall, though I doubt it would be capable
of masquerading( would kind of defeat the purpose of bridging, wouldn't it? ).
Randy Janinda wrote:
> On Thu, Apr 27, 2000 at 01:23:40PM -0400, Eric Schmenk decided:
> > I'm using a 486 running Red Hat 6.2 as a firewall. I've just set up
> > ipchains. So far it seems to be working OK, except I can't get a directory
> > listing of FTP sites from my masqueraded boxes.
> >
> -------------snip------------------->
> > According to the IP-masquerading how-to, FTP clients should work on
> > masqueraded boxes for "all supported platforms, with the ip_masq_ftp.o
> > kernel module for active FTP connections". OK, so it seems like the thing
> > to do is to make sure I've got the ip_masq_ftp.o kernel module doing its
> > thing.
> >
> > Would someone point me to some resources about how to check which kernel
> > modules are activated? I've never tried messing with the kernel modules.
> > Also, anyone have any other suggestions?
> >
> > TIA
> >
> > Eric Schmenk
> >
>
> I have played with this until I got a head ache. It seems the ip_masq_ftp module
> doesn't work as advertised. I have written a quick perl script that works fairly
> well. What it does it watches for outgoing FTP connections and adds a rule to
> your existing chains that allows connections from the FTP server. (Yes, I know
> the FTP protocol states that the return data can be from a completely different
> host the the one the commands are sent to). This script works for servers that
> return the data using the "ftp-data" port as well as the ones (like Windows
> based ones) that like to return the data on some high number ports. The
> assumption of the script is, you made the connection to the server, therefore
> you must want the server to be allowed to connect back to you. This does open a
> few potential problems. The nice thing is, when the connection ends, the rule is
> deleted.
>
> A few variations:
>
> If you run this script on a firewall and try to FTP from a MASQ'ed host the file
> that is read is /proc/net/ip_masq/tcp.
>
> If you run this script and ipchains on the same box as you are FTP'ing from the
> file needs to be /proc/net/tcp.
>
> Make your changes accordingly.
>
> The script is attached and open for comments.
>
> --
> Randy Janinda
>
> ------------------------------------------------------------------------
>
> listenName: listen
> Type: Plain Text (text/plain)
--
Strider Centaur
http://www.Scifi-Fantasy.com
" It is my observation that unless you really understand the issues, you are
hardly in a position to criticize. Nearly all Linux users have used Windows,
but very few Windows users have used Linux. " -- Me
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.