[ale] FTP/firewall issue
Bob Kruger
krugerb at benning.army.mil
Tue Jul  3 09:50:52 EDT 2001

tewkewl at mindspring.com wrote:
> What firewall is this?  Is this ipchains/tables or is it a 'namebrand'?
>
> If it is a stateful inspection type firewall, make sure stateful inspection is enabled.
>
> If it is not, then make sure you have port 21(tcp) open for control coming in to the server.  And port 20(udp/tcp) for data.  These are the only two ports used for active ftp.  If it is a linux/unix box, run two sessions of tcpdump on the internal/dmz nic and external nic and compare the data when a user tries to log in.
>
Firewall is iptables.
FTP daemon is Proftpd
Ports 20 and 21 are opened up for both tcp and udp for the LAN using the following:
/usr/sbin/iptables -A INPUT -p udp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ALLOW
/usr/sbin/iptables -A INPUT -p tcp -s 192.168.2.0/24 --destination-port 20 -i eth1 -j ALLOW
/usr/sbin/iptables -A INPUT -p udp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ALLOW
/usr/sbin/iptables -A INPUT -p tcp -s 192.168.2.0/24 --destination-port 21 -i eth1 -j ALLOW
Users can log in, but cannot list the directories.
The following allows everyone in the LAN to ftp in and do a successful "ls":
/usr/sbin/iptables -A INPUT -s 192.168.2.0/24 -i eth1 -j ACCEPT
In this example, I place no restrictions on ports or protocols for the LAN.
So, there is something else missing that needs to be turned on.  Any ideas?
Regards - Bob Kruger
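For comparison, the usual way to let the FTP data channel through iptables without opening fixed ports is connection tracking with the FTP helper, so the data connection (active or passive) is accepted as RELATED to the already-accepted control connection. This is an added example, not a script from the thread or from the original poster: eth1 and 192.168.2.0/24 come from the post, while the helper module names, the DRY_RUN switch and the use of the built-in ACCEPT target are my assumptions.

```shell
#!/bin/sh
# Stateful iptables rules for an FTP server on eth1 serving 192.168.2.0/24.
# Dry-run by default (prints the commands); set DRY_RUN=0 to run them as root.
DRY_RUN="${DRY_RUN:-1}"
IPT=/usr/sbin/iptables
LAN=192.168.2.0/24      # taken from the post
IF=eth1                 # taken from the post

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load the FTP connection-tracking helper so the kernel can read the PORT/PASV
# exchange on the control channel and mark the resulting data connection as
# RELATED (module is nf_conntrack_ftp on current kernels, ip_conntrack_ftp on 2.4).
load_helper() {
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
}

ftp_rules() {
    # Control channel: only NEW connections to tcp/21 from the LAN.
    # FTP is TCP only, so no udp rules are needed for ports 20 or 21.
    run "$IPT" -A INPUT -p tcp -s "$LAN" -i "$IF" --dport 21 -m state --state NEW -j ACCEPT
    # Replies on the control channel plus the data channel (active, from
    # server port 20, or passive, to a high port) are all ESTABLISHED/RELATED.
    run "$IPT" -A INPUT -i "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else arriving on this interface is dropped.
    run "$IPT" -A INPUT -i "$IF" -j DROP
}

load_helper
ftp_rules
```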