Re: ftp issue cont.

["R. DuFresne" <dufresne@xxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



A good place to start might be man lsmod

Thanks,

Ron DuFresne

On Tue, 16 Aug 2005 varun_saa@xxxxxxxx wrote:

> Thanks Jorg,
>           I get the following for lsmod :
>
> [root@squidserver ~]# lsmod | grep conntrack
> ip_conntrack           41497  3 ipt_state,ipt_MASQUERADE,iptable_nat
>
> So how do I add :
>
>           ip_conntrack_ftp
>           ipt_conntrack
>
> And yes it is :
>               -A FORWARD -j DROP
>
> Thanks again
>
> Varun
>
>
>
>
>
> ----- Original Message -----
> From: Jörg Harmuth <harmuth@xxxxxxxxx>
> Date: Monday, August 15, 2005 4:29 pm
> Subject: Re: ftp issue cont.
>
> > varun_saa@xxxxxxxx schrieb:
> > > Thanks Jorg,
> > >             How to find out if ftp-module is loaded or
> > > not.
> >
> > e.g.
> >
> > lsmod | grep conntrack
> >
> > gives on my box:
> >
> > ip_conntrack_ftp        3680   0  (unused)
> > ipt_conntrack           1120   0  (autoclean)
> > ip_conntrack           26484   1  (autoclean) [ip_conntrack_ftp ...
> >
> > > Thanks
> > >
> > > Varun
> > >
> > > ----- Original Message -----
> > > From: Jörg Harmuth <harmuth@xxxxxxxxx>
> > > Date: Monday, August 15, 2005 2:43 pm
> > > Subject: Re: ftp issue cont.
> > >
> > >
> > > > Derick Anderson schrieb:
> > > >
> > > > > FTP passive mode creates an entirely new connection for data
> > > >
> > > > transfer.> It is not 'related' to the original connection and so
> >
> > > > iptables doesn't
> > > >
> > > > > pick it up as such (nor do any other stateful firewalls that I'm
> >
> > > > aware> of).
> > > >
> > > > No, not really. Iptables regards FTP data traffic as related
> > stuff. To
> > > > be more exactly, the respective helper module does so
> > > > (ip_conntrack_ftp.[k]o). So, normally all you have to do, is load
> > this
> > > > module, allow ESTABLISHED,RELATED traffic in and out and allow
> > FTP in.
> > > > This looks something like this (assumed that policies are DROP
> > and
> > > > OUTPUT is ACCEPT and also assumed that the box is directly
> > > > connected to
> > > > the internet and that the FTP server is on the firewall box):
> > > >
> > > > modprobe ip_conntrack_ftp.[k]o
> > > >
> > > > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > > iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
> > > >
> > > > This will work for active and passive FTP. If the ftp-module
> > isn't on
> > > > the system in question, varun_saa has to configure the kernel
> > > > correctlyand recompile as needed.
> > > >
> > > > BTW, the original ruleset didn't explain anything. IN|OUTPUT ==
> > ACCEPT
> > > > and in FORWARD no rule concerning FTP. So, what is this guy doing
> > ? If
> > > > the FTP server is on the firewall box, there is no iptables
> > problem at
> > > > all (on this box). If not, there are no rules that permit FTP and
> > thus
> > > > it cannot work. The whole thing looks quite mysterious to me,
> > > > includingthe -P issue Rob mentioned. May be a tiny ASCII art
> > > > network picture
> > > > would clarify the situation :)
> > > >
> > > > Have a nice time,
> > > >
> > > > Joerg
> > >
> > >
> > >
> > > !DSPAM:430073677568926616419!

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDAmNYst+vzJSwZikRAokXAJ47aeytIFGoZOoWdxPPTbkz3U587QCgwpN5
GS3EPRxQi7Jf/t+dC/1UhDk=
=GPSL
-----END PGP SIGNATURE-----