On Thu, Apr 27, 2000 at 01:23:40PM -0400, Eric Schmenk decided:
> I'm using a 486 running Red Hat 6.2 as a firewall. I've just set up
> ipchains. So far it seems to be working OK, except I can't get a directory
> listing of FTP sites from my masqueraded boxes.
>
-------------snip------------------->
> According to the IP-masquerading how-to, FTP clients should work on
> masqueraded boxes for "all supported platforms, with the ip_masq_ftp.o
> kernel module for active FTP connections". OK, so it seems like the thing
> to do is to make sure I've got the ip_masq_ftp.o kernel module doing its
> thing.
>
> Would someone point me to some resources about how to check which kernel
> modules are activated? I've never tried messing with the kernel modules.
> Also, anyone have any other suggestions?
>
> TIA
>
> Eric Schmenk
>
I have played with this until I got a head ache. It seems the ip_masq_ftp module
doesn't work as advertised. I have written a quick perl script that works fairly
well. What it does it watches for outgoing FTP connections and adds a rule to
your existing chains that allows connections from the FTP server. (Yes, I know
the FTP protocol states that the return data can be from a completely different
host the the one the commands are sent to). This script works for servers that
return the data using the "ftp-data" port as well as the ones (like Windows
based ones) that like to return the data on some high number ports. The
assumption of the script is, you made the connection to the server, therefore
you must want the server to be allowed to connect back to you. This does open a
few potential problems. The nice thing is, when the connection ends, the rule is
deleted.
A few variations:
If you run this script on a firewall and try to FTP from a MASQ'ed host the file
that is read is /proc/net/ip_masq/tcp.
If you run this script and ipchains on the same box as you are FTP'ing from the
file needs to be /proc/net/tcp.
Make your changes accordingly.
The script is attached and open for comments.
--
Randy Janinda
text/plain attachment: listen
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.