Old 12-12-2005, 07:21 PM   #1
mikesjays
Member
 
Registered: Dec 2005
Distribution: FC8, FC9, FC10
Posts: 30

Rep: Reputation: 16
Lokkit and ftp


I can't get FC4's Lokkit to play nice with vsftpd. I check the box for ftp and it will not open up a connection. Now if I select to trust eth0 it works, but then I'm not firewalling anything, right? Is there a way to edit iptables by hand, and if so, what entries should I put in? Is there a better firewall out there that works well with FC4?

Thanks,
Mike
 
Old 12-14-2005, 10:44 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I can't get FC4's Lokkit to play nice with vsftpd. I check the box for ftp and it will not open up a connection.
Does the ftp client show any useful specific error(codes)?


Now if I select to trust eth0 it works, but then I'm not firewalling anything, right?
I don't know. Never used Lokkit. Doesn't the documentation tell?


Is there a way to edit iptables by hand, if so what entries should I put in?
By default the rules should be in /etc/sysconfig/iptables.
Post the contents and we'll see.


Is there a better firewall out there that works good with FC4?
There is no firewall but Iptables; you mean a better *front-end*. No recommendations from me there, I prefer to use vi from the commandline. I know there are lots of front-ends; check the FC4 repositories using your favourite package management update tool (synaptic, apt-get, yum, autoupd) or search LQ or search Freshmeat.net.
 
Old 12-14-2005, 08:09 PM   #3
mikesjays
Member
 
Registered: Dec 2005
Distribution: FC8, FC9, FC10
Posts: 30

Original Poster
Rep: Reputation: 16
Here is what my iptables file looks like with ftp and ssh checked and trust eth0 checked.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

This works and I can get ftp through, but it looks like it lets everything past.

Here it is without the eth0 box checked; ftp does not work but ssh does.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The only thing I can see different is the line:

-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

So there must be something wrong with my rule for ftp.
 
Old 12-15-2005, 09:09 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Active FTP needs inbound (NEW) access to the control channel (tcp/21), inbound (ESTABLISHED,RELATED) for the data portion and outbound NEW (OUTPUT policy ACCEPT). In your second example they're all there, so I would try a "modprobe ip_conntrack_ftp" if that module isn't loaded. This will help Iptables track the data portion connections (ESTABLISHED,RELATED) it otherwise would not know about. If that still ain't working, and there's no router in front blocking ports, add a line above the "--reject-with icmp-host-prohibited" line:
-A RH-Firewall-1-INPUT -j LOG --log-level info --log-prefix " REJECT"
to have all traffic logged (usually to /var/log/messages) before it's dropped. Good for debugging.
 
Old 01-02-2006, 08:51 PM   #5
mikesjays
Member
 
Registered: Dec 2005
Distribution: FC8, FC9, FC10
Posts: 30

Original Poster
Rep: Reputation: 16
Cool, it looks like modprobe worked. Thank you.

Mike
 
Old 01-02-2006, 09:13 PM   #6
mikesjays
Member
 
Registered: Dec 2005
Distribution: FC8, FC9, FC10
Posts: 30

Original Poster
Rep: Reputation: 16
I lied, it didn't work, so I put the other line into my iptables file and this is what I ended up with in the log.

Jan 2 22:12:28 desktop kernel: REJECTIN=eth0 OUT= MAC=00:11:2f:d1:c6:a6:00:12:17:ba:82:6c:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11559 DF PROTO=TCP SPT=52754 DPT=37717 WINDOW=5840 RES=0x00 SYN URGP=0

I'm not real sure what any of that means.

Mike
 
Old 01-03-2006, 12:58 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I lied, it didn't work
Can you verify the contents are still the same as when you made the changes? AFAIK if you use iptables restart it might use iptables-save to save the in-memory rules and so overwrite changes. You should use iptables start after making changes to /etc/sysconfig/iptables.

I'm not real sure what any of that means.
In short a TCP traffic initiation request from 192.168.1.1 (port 52754) to 192.168.1.2 (port 37717) was rejected. Doesn't seem FTP related to me.

From your second example, add two lines below "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT". Note: the spaces in the logline are intentional, else it'll fsck up your syslog:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -j LOG --log-level info --log-prefix " ALLOW_LAN "
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -j ACCEPT
What this will do is just allow any traffic from your 192.168.1.0 LAN. It's not what you want, but it'll work.
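To make the kernel LOG line from post #6 easier to read the way it is interpreted above, here is a small parser, added as an example and not posted by anyone in the thread. The sample line is constructed in the shape of the one in post #6 (note that the " REJECT" prefix had no trailing space, so it fused with the IN= field), and the FTP classification is my own heuristic: port 21 is the control channel, source port 20 is active-mode data, and a SYN to an unprivileged port on the server is what a passive-mode data connection looks like when the ftp conntrack helper is not loaded.

```python
# Constructed sample in the shape of the netfilter LOG line quoted in the thread
# (the " REJECT" prefix had no trailing space, so it fused with IN=).
SAMPLE = ("Jan 2 22:12:28 desktop kernel: REJECTIN=eth0 OUT= "
          "MAC=00:11:2f:d1:c6:a6:00:12:17:ba:82:6c:08:00 SRC=192.168.1.1 DST=192.168.1.2 "
          "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11559 DF PROTO=TCP SPT=52754 DPT=37717 "
          "WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_netfilter_log(line):
    """Split a kernel LOG line into its KEY=VALUE fields plus bare flags (DF, SYN, ...)."""
    _, sep, payload = line.partition("kernel: ")
    if not sep or "IN=" not in payload:
        raise ValueError("not a netfilter LOG line")
    idx = payload.index("IN=")
    # Everything before the first IN= is the --log-prefix text.
    fields = {"PREFIX": payload[:idx].strip(), "FLAGS": set()}
    for tok in payload[idx:].split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # e.g. OUT= gives an empty value
        else:
            fields["FLAGS"].add(tok)   # bare tokens: DF, SYN, ACK, ...
    return fields


def classify_ftp(fields):
    """Heuristic (assumption, not from the thread): relate a logged packet to FTP."""
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    sport, dport = int(fields["SPT"]), int(fields["DPT"])
    if dport == 21:
        return "ftp-control"            # NEW connection to the control channel
    if sport == 20:
        return "ftp-active-data"        # server-initiated active-mode data channel
    if "SYN" in fields["FLAGS"] and dport >= 1024:
        # Client SYN to a high port on the server: the shape of a passive-mode
        # data connection, which conntrack only marks RELATED with the ftp helper.
        return "possible-passive-data"
    return "unrelated"


def describe(line):
    """One-line human reading of a LOG entry, in the style of the reply above."""
    f = parse_netfilter_log(line)
    tcp_flags = " ".join(sorted(f["FLAGS"] & {"SYN", "ACK", "FIN", "RST"})) or "-"
    return (f"{f['PREFIX']}: {f['PROTO']} {tcp_flags} from {f['SRC']}:{f['SPT']} "
            f"to {f['DST']}:{f['DPT']} on {f['IN']} -> {classify_ftp(f)}")


if __name__ == "__main__":
    print(describe(SAMPLE))
```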
 