LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-30-2005, 02:11 AM   #1
vmeli (LQ Newbie)
firewall and secure ftp


I'm trying to connect to an FTP server that uses AUTH TLS and my firewall keeps denying data connections. I log on, I get authentication, but when I try to list, nothing. I know that I have to make my firewall accept connections from port 20 to a high port but I don't know how. I'm using SuSE 9.3 Pro.

If I disable my firewall or if the connection is without Auth TLS, I have no problem.
 
Old 06-30-2005, 02:42 AM   #2
win32sux (LQ Guru)
Re: firewall and secure ftp

Quote:
Originally posted by vmeli
I'm trying to connect to an FTP server that uses AUTH TLS and my firewall keeps denying data connections. I log on, I get authentication, but when I try to list, nothing. I know that I have to make my firewall accept connections from port 20 to a high port but I don't know how. I'm using SuSE 9.3 Pro.

If I disable my firewall or if the connection is without Auth TLS, I have no problem.
See if you have the ip_conntrack_ftp module loaded:
Code:
lsmod | grep ip_conntrack_ftp
If you don't have it loaded, then load it:
Code:
modprobe ip_conntrack_ftp
Then try to access the FTP site again and let us know if it works...
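What the ip_conntrack_ftp helper actually does, and why loading it is not enough once the control channel is wrapped in TLS, is easiest to see on a control-channel transcript. The following is an added example and not code from the thread or from the kernel: it re-implements the helper's PORT/EPRT/PASV/EPSV parsing in Python and runs it over three constructed sessions (plaintext active, plaintext passive, AUTH TLS active). Addresses, the session bytes and the filler standing in for TLS records are all constructed for the example.

```python
"""Added example, not code from the thread: what the ip_conntrack_ftp helper
can and cannot see on an FTP control channel.

The helper registers a RELATED 'expectation' for the data connection by
parsing PORT/EPRT (active mode) or the 227/229 replies to PASV/EPSV (passive
mode) on the control channel.  After AUTH TLS the control channel is
encrypted, so the helper only sees ciphertext, registers nothing, and the
data connection arrives as NEW instead of RELATED.

Sessions and addresses below are constructed for the example.
"""
import re
from typing import List, Optional, Tuple

# Same PORT/PASV grammar the kernel helper accepts: h1,h2,h3,h4,p1,p2 with
# port = p1*256 + p2.  EPRT/EPSV use the RFC 2428 |1|ip|port| form.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")
EPRT_RE = re.compile(rb"^EPRT \|1\|([\d.]+)\|(\d+)\|\r?$")
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")

SERVER = "198.51.100.5"  # constructed remote FTP server address

# (who opens the data connection, destination ip, destination port)
Expectation = Tuple[str, str, int]


def parse_control_line(line: bytes, server_ip: str) -> Optional[Expectation]:
    """Return the expectation a conntrack helper would register for one
    control-channel line, or None if the line announces no data connection."""
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ("server->client", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPRT_RE.match(line)
    if m:
        return ("server->client", m.group(1).decode(), int(m.group(2)))
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ("client->server", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        return ("client->server", server_ip, int(m.group(1)))
    return None


def helper_view(stream: bytes, server_ip: str = SERVER) -> List[Expectation]:
    """Scan a control-channel byte stream line by line, as the helper does,
    and collect every expectation it would create."""
    found = []
    for line in stream.split(b"\n"):
        exp = parse_control_line(line, server_ip)
        if exp is not None:
            found.append(exp)
    return found


# Constructed plaintext session: login, then an active-mode LIST.
# 156*256 + 64 = 40000 is the client's ephemeral data port.
PLAIN_ACTIVE = (
    b"220 ftp ready\r\nUSER alice\r\n331 Password required\r\n"
    b"PASS s3cret\r\n230 Logged in\r\n"
    b"PORT 192,0,2,10,156,64\r\n200 PORT command successful\r\n"
    b"LIST\r\n150 Opening ASCII mode data connection\r\n"
)

# Constructed plaintext passive session: 195*256 + 81 = 50001, then EPSV 50002.
PLAIN_PASSIVE = (
    b"PASV\r\n227 Entering Passive Mode (198,51,100,5,195,81)\r\n"
    b"EPSV\r\n229 Entering Extended Passive Mode (|||50002|)\r\n"
)

# Constructed AUTH TLS session: after the 234 reply everything (handshake,
# PORT, LIST) is inside TLS records.  Deterministic filler stands in for the
# ciphertext; it is not a real TLS stream.
TLS_ACTIVE = (
    b"220 ftp ready\r\nAUTH TLS\r\n234 Proceed with negotiation\r\n"
    + bytes(range(256)) * 2
)

if __name__ == "__main__":
    for name, session in [("plain active", PLAIN_ACTIVE),
                          ("plain passive", PLAIN_PASSIVE),
                          ("AUTH TLS active", TLS_ACTIVE)]:
        view = helper_view(session) or "no expectation: data SYN will be NEW"
        print(f"{name:16s} -> {view}")
```

The third session is the one the original poster is in: the helper is loaded, but it never sees a PORT line, so the server's connection from port 20 is not RELATED and falls through to the chain's default DROP. The ways out are passive mode (the client opens the data connection outbound, which the posted OUTPUT chain already allows as NEW), the CCC command from RFC 2228 if the server supports it (the control channel returns to plaintext after authentication, so the helper can read PORT again, at the cost of exposing the PORT/PASV exchange), or a static rule for the server's address.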
 
Old 06-30-2005, 02:43 AM   #3
tkedwards (Senior Member)
Have you looked in /var/log/messages to see if there's any logging of the packets that are dropped or rejected? What port do those messages show?
 
Old 06-30-2005, 02:51 AM   #4
vmeli (LQ Newbie, Original Poster)
Yes, the ip_conntrack_ftp module is loaded, but still nothing:
Code:
ip_conntrack_ftp       72592  1 ip_nat_ftp
ip_conntrack           42168  4 ipt_state,ip_nat_ftp,iptable_nat,ip_conntrack_ftp
 
Old 06-30-2005, 02:58 AM   #5
win32sux (LQ Guru)
What do your iptables rules look like?
Code:
iptables -L

iptables -t nat -L
 
Old 06-30-2005, 03:03 AM   #6
vmeli (LQ Newbie, Original Poster)
iptables -L

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     hmp  --  anywhere             anywhere
ACCEPT     prm  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:scol:h323hostcallsc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:scol:h323hostcallsc
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp-data flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ms-wbt-server flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ms-wbt-server
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftps-data flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftps-data
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftps flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftps
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:scol:h323hostcallsc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:fsp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ms-wbt-server
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftps-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftps
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

iptables -t nat -L

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Old 06-30-2005, 03:20 AM   #7
win32sux (LQ Guru)
That setup looks like it should work to me... I can't imagine why the packets would get filtered... Have you checked your logs? Do they show anything when you try to list?
 
Old 06-30-2005, 03:28 AM   #8
vmeli (LQ Newbie, Original Poster)
No, nothing. I'm sure that it's something about AUTH TLS because when I don't use it everything works. Perhaps it uses some other ports that I don't know.
 
Old 06-30-2005, 03:44 AM   #9
win32sux (LQ Guru)
Have you tried passive mode?
 
Old 06-30-2005, 04:13 AM   #10
vmeli (LQ Newbie, Original Poster)
The FTP server uses only active mode.
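With an active-mode-only server and a control channel the helper cannot read, the question becomes what the posted chains do with the server's data SYN. The following is an added example, not code from the thread or from SuSEfirewall2: it models the TCP and state matches of the posted INPUT and input_ext chains and walks a server-initiated data connection through them, once as RELATED (helper saw PORT) and once as NEW (AUTH TLS), then shows the pinned rule a practitioner would add and why it is pinned to the server address. Interfaces, ICMP, UDP and the LOG rules are left out; the first `ACCEPT all` in INPUT is assumed to be the loopback rule (iptables -L without -v hides the interface) and is omitted; the `hmp` and `prm` lines in the dump are IP protocols 20 and 21 as printed for `-p 20`/`-p 21`, not TCP ports, and are also omitted. Addresses and the fix rule are constructed for the example.

```python
"""Added example, not code from the thread: walk an active-mode FTP data SYN
through a simplified model of the INPUT/input_ext chains posted above.

Only the TCP port and connection-state matches are modelled; interfaces,
ICMP, UDP, the LOG rules and their rate limits are left out.  Addresses are
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER = "198.51.100.5"  # remote, active-mode-only FTP server (constructed)
CLIENT = "192.0.2.10"    # the SuSE 9.3 box running SuSEfirewall2 (constructed)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    state: str  # conntrack state: NEW, RELATED, ESTABLISHED or INVALID


@dataclass
class Rule:
    target: str
    name: str
    dports: Optional[Tuple[int, int]] = None    # --dport a:b
    sports: Optional[Tuple[int, int]] = None    # --sport a:b
    src: Optional[str] = None                    # -s
    states: Optional[Tuple[str, ...]] = None     # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.sports is None or self.sports[0] <= p.sport <= self.sports[1])
                and (self.src is None or self.src == p.src)
                and (self.states is None or p.state in self.states))


def one(port: int) -> Tuple[int, int]:
    return (port, port)


# input_ext as posted, TCP rules only, in the original order.  Every service
# SuSEfirewall2 opened here is a *destination*-port match.
INPUT_EXT: List[Rule] = [
    Rule("ACCEPT", "tcp dpts:scol:h323hostcallsc", dports=(1200, 1300)),
    Rule("ACCEPT", "tcp dpt:ftp-data", dports=one(20)),
    Rule("ACCEPT", "tcp dpt:ftp", dports=one(21)),
    Rule("ACCEPT", "tcp dpt:ms-wbt-server", dports=one(3389)),
    Rule("ACCEPT", "tcp dpt:ftps-data", dports=one(989)),
    Rule("ACCEPT", "tcp dpt:ftps", dports=one(990)),
    Rule("REJECT", "reject_func tcp dpt:ident state NEW", dports=one(113), states=("NEW",)),
    Rule("DROP", "input_ext default DROP"),
]

# INPUT: the RELATED,ESTABLISHED rule, then input_ext, then the final DROP.
INPUT: List[Rule] = [Rule("ACCEPT", "state RELATED,ESTABLISHED",
                          states=("RELATED", "ESTABLISHED"))] + INPUT_EXT


def verdict(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation, like an iptables chain with policy DROP."""
    for r in chain:
        if r.matches(p):
            return r.target, r.name
    return "DROP", "policy DROP"


def active_data_syn(state: str, src: str = SERVER) -> Packet:
    """The server-initiated data connection: source port 20, destination the
    client's ephemeral port announced in PORT (40000 here)."""
    return Packet(src, 20, CLIENT, 40000, state)


# The rule a practitioner would add when the helper cannot read PORT (AUTH
# TLS) and the server refuses passive mode.  It is pinned to the server's
# address because the source port is chosen by the remote end and proves
# nothing on its own.  Equivalent command (assumed, not from the thread):
#   iptables -I input_ext -p tcp -s 198.51.100.5 --sport 20 --dport 1024:65535 \
#            -m state --state NEW -j ACCEPT
ACTIVE_FTP_FIX = Rule("ACCEPT", "sport ftp-data from server, NEW (added)",
                      src=SERVER, sports=one(20), dports=(1024, 65535), states=("NEW",))
INPUT_FIXED: List[Rule] = INPUT[:-1] + [ACTIVE_FTP_FIX, INPUT[-1]]


if __name__ == "__main__":
    cases = [
        ("helper saw PORT (RELATED)", INPUT, active_data_syn("RELATED")),
        ("AUTH TLS, helper blind (NEW)", INPUT, active_data_syn("NEW")),
        ("same, with pinned rule", INPUT_FIXED, active_data_syn("NEW")),
        ("other host spoofing sport 20", INPUT_FIXED, active_data_syn("NEW", "203.0.113.7")),
        ("what dpt:ftp-data really opens", INPUT, Packet(SERVER, 50000, CLIENT, 20, "NEW")),
    ]
    for label, chain, pkt in cases:
        print(f"{label:32s} -> {verdict(chain, pkt)}")
```

The last case is the point the poster's "make my firewall accept connections from port 20" hints at: the `dpt:ftp-data` rule SuSEfirewall2 generated accepts connections *to* port 20 on the client, which an FTP client never receives, so it does nothing for an inbound active-mode data connection whose destination is an ephemeral port. Two caveats on the pinned rule: SuSEfirewall2 regenerates its chains when restarted, so a rule inserted by hand with iptables does not persist and belongs in its configuration instead; and opening 1024:65535 from one address is still a wide hole, which is why a blanket `--sport 20` rule without the `-s` restriction should not be used at all.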