LinuxQuestions.org
Review your favorite Linux distribution.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Reload this Page Proftpd hangs at LIST command
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-16-2009, 04:05 PM   #1
alex95_bg
LQ Newbie
 
Registered: Feb 2009
Location: Bulgaria
Distribution: Fedora 10 x86_64
Posts: 3

Rep: Reputation: 0
Proftpd hangs at LIST command

i have a very strange problem with Proftpd 1.3.0 (the problem appeared when it was 1.2.8, i upgraded but with no result) and Debian Etch
So here's the problem:
There was a thunderstorm and my server rebooted, ext3 and mysql recovered Ok
BUt proftpd apparently didnt

I used this tutorial to set up the server with mysql

when i run it with proftpd -nd6 and try to connect i get this
Code:
 - mod_ctrls/0.9.4: binding ctrls socket to '/var/run/proftpd/proftpd.sock'
 - parsing '/etc/proftpd/proftpd.conf' configuration
 - parsing '/etc/proftpd/modules.conf' configuration
 - dispatching auth request "name2uid" to module mod_auth_file
 - dispatching auth request "name2uid" to module mod_auth_unix
 - dispatching auth request "name2uid" to module mod_auth_file
 - dispatching auth request "name2uid" to module mod_auth_unix
 - mod_tls/2.1.1: using OpenSSL 0.9.8c 05 Sep 2006
 - disabling runtime support for IPv6 connections
 - DenyFilter: compiling deny regex '\*.*/'
 - dispatching auth request "getpwnam" to module mod_radius
 - dispatching auth request "getpwnam" to module mod_ldap
 - dispatching auth request "getpwnam" to module mod_sql
 - dispatching auth request "getpwnam" to module mod_auth_file
 - dispatching auth request "getpwnam" to module mod_auth_unix
 - dispatching auth request "getgrnam" to module mod_radius
 - dispatching auth request "getgrnam" to module mod_ldap
 - dispatching auth request "getgrnam" to module mod_sql
 - dispatching auth request "getgrnam" to module mod_auth_file
 - dispatching auth request "getgrnam" to module mod_auth_unix
 - <IfModule>: using 'mod_tls.c' section at line 73
 - <IfModule>: skipping 'mod_quota.c' section at line 77
 - <IfModule>: skipping 'mod_ratio.c' section at line 81
 - <IfModule>: using 'mod_delay.c' section at line 89
 - <IfModule>: using 'mod_ctrls.c' section at line 93
 - mod_ctrls/0.9.4: closing ctrls socket '/var/run/proftpd/proftpd.sock' (3)
 - <IfModule>: using 'mod_ctrls_admin.c' section at line 101
predator.adsl - 
predator.adsl - Config for Debian:
[....]
predator.adsl - mod_ctrls/0.9.4: binding ctrls socket to '/var/run/proftpd/proftpd.sock'
predator.adsl - dispatching auth request "getgroups" to module mod_radius
predator.adsl - dispatching auth request "getgroups" to module mod_ldap
predator.adsl - dispatching auth request "getgroups" to module mod_sql
predator.adsl - dispatching auth request "getgroups" to module mod_auth_file
predator.adsl - dispatching auth request "getgroups" to module mod_auth_unix
predator.adsl - ProFTPD 1.3.0 (stable) (built Tue Nov 4 14:38:05 UTC 2008) standalone mode STARTUP
predator.adsl (192.168.1.5[192.168.1.5]) - FTP session requested from unknown class
predator.adsl (192.168.1.5[192.168.1.5]) - mod_delay/0.5: opening DelayTable '/var/run/proftpd/proftpd.delay'
predator.adsl (192.168.1.5[192.168.1.5]) - ident lookup disabled
predator.adsl (192.168.1.5[192.168.1.5]) - connected - local  : 192.168.1.6:21
predator.adsl (192.168.1.5[192.168.1.5]) - connected - remote : 192.168.1.5:37910
predator.adsl (192.168.1.5[192.168.1.5]) - FTP session opened.
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'USER alex' to mod_rewrite
[.......]
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'USER alex' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'USER alex' to mod_log
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_rewrite
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_wrap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgroups" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgroups" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgroups" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgroups" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgroups" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endpwent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endpwent" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endpwent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endpwent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endpwent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endgrent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endgrent" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endgrent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endgrent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "endgrent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching CMD command 'PASS (hidden)' to mod_auth
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - stashed module 'mod_auth_unix.c' for user 'alex' in the authcache
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "gid2name" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "gid2name" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "gid2name" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - using module 'mod_auth_pam.c' to authenticate user 'alex'
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "auth" to module mod_auth_pam
predator.adsl (192.168.1.5[192.168.1.5]) - user alex authenticated by mod_auth_pam.c
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - 
predator.adsl (192.168.1.5[192.168.1.5]) - Config for Debian:
[........]
predator.adsl (192.168.1.5[192.168.1.5]) - CURRENT-CLIENTS
predator.adsl (192.168.1.5[192.168.1.5]) - USER
predator.adsl (192.168.1.5[192.168.1.5]) - USER alex: Login successful.
predator.adsl (192.168.1.5[192.168.1.5]) - opening TransferLog '/var/log/proftpd/xferlog'
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwnam" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - stashed module 'mod_auth_unix.c' for user 'alex' in the authcache
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setpwent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setpwent" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setpwent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setpwent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setpwent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_ldap
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "setgrent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getpwent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgrent" to module mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgrent" to module mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgrent" to module mod_auth_file
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching auth request "getgrent" to module mod_auth_unix
predator.adsl (192.168.1.5[192.168.1.5]) - Preparing to chroot to directory '/home/alex'
predator.adsl (192.168.1.5[192.168.1.5]) - Environment successfully chroot()ed.
predator.adsl (192.168.1.5[192.168.1.5]) - in dir_check_full(): path = '/', fullpath = '/home/alex/'.
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ifsession
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_radius
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_quotatab
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_tls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_cap
predator.adsl (192.168.1.5[192.168.1.5]) - mod_cap/1.0: capabilities '= cap_net_bind_service+ep'
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_readme
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_delay
predator.adsl (192.168.1.5[192.168.1.5]) - mod_delay/0.5: selecting median interval from 10 values
predator.adsl (192.168.1.5[192.168.1.5]) - mod_delay/0.5: delaying for 2730111 usecs
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_log
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASS (hidden)' to mod_auth
predator.adsl (192.168.1.5[192.168.1.5]) - unable to display DisplayLogin file 'welcome.msg': No such file or directory
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_log
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PWD' to mod_rewrite
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PWD' to mod_tls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PWD' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PWD' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching CMD command 'PWD' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - in dir_check_full(): path = '/', fullpath = '/home/alex/'.
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PWD' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'PWD' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'PWD' to mod_log
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'TYPE I' to mod_rewrite
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'TYPE I' to mod_tls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'TYPE I' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'TYPE I' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching CMD command 'TYPE I' to mod_xfer
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'TYPE I' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'TYPE I' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'TYPE I' to mod_log
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASV' to mod_rewrite
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASV' to mod_tls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASV' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'PASV' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching CMD command 'PASV' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - in dir_check_full(): path = '/', fullpath = '/home/alex/'.
predator.adsl (192.168.1.5[192.168.1.5]) - Entering Passive Mode (192,168,1,6,10,44).
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching POST_CMD command 'PASV' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'PASV' to mod_sql
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching LOG_CMD command 'PASV' to mod_log
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'LIST' to mod_rewrite
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'LIST' to mod_tls
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'LIST' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching PRE_CMD command 'LIST' to mod_core
predator.adsl (192.168.1.5[192.168.1.5]) - dispatching CMD command 'LIST' to mod_ls
and nothing happens next....
i had to shorten the output a bit

While in the client i get this:
Команда: PWD
Отговор: 257 "/" is current directory.
Команда: TYPE I
Отговор: 200 Type set to I
Команда: PASV
Отговор: 227 Entering Passive Mode (192,168,1,6,10,44).
Команда: LIST
And the connection times out

everything was OK, i havent altered the configuretion

Code:
 - ProFTPD Version: 1.3.0 (stable)
 -   Scoreboard Version: 01040002
 -   Built: Tue Nov 4 14:38:05 UTC 2008
 -     Module: mod_core.c
 -     Module: mod_xfer.c
 -     Module: mod_auth_unix.c
 -     Module: mod_auth_file.c
 -     Module: mod_auth.c
 -     Module: mod_ls.c
 -     Module: mod_log.c
 -     Module: mod_site.c
 -     Module: mod_delay/0.5
 -     Module: mod_dso/0.4
 -     Module: mod_auth_pam.c
 -     Module: mod_readme.c
 -     Module: mod_cap/1.0
 -     Module: mod_ctrls/0.9.4
Code:
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_dso.c
  mod_auth_pam.c
  mod_readme.c
  mod_cap.c
  mod_ctrls.c
its running as standalone
Here is my /etc/proftpd/proftpd.conf:

Code:
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				off

ServerName			"Debian"
ServerType			standalone
DeferWelcome			on

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                	"-l"

DenyFilter			\*.*/


UseReverseDNS off
IdentLookups off


# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                    49152 65534

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				proftpd
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd		off

# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile			off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_tls.c>
TLSEngine off
</IfModule>

<IfModule mod_quota.c>
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        on
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayFirstChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>

DefaultRoot ~


# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes            Plaintext Crypt
SQLAuthenticate         users groups


# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo  ftp@localhost proftpd [hidden]


# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo     ftpuser userid passwd uid gid homedir shell

# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo    ftpgroup groupname gid members

# set min UID and GID - otherwise these are 999 each
SQLMinID        500

# create a user's home directory on demand if it doesn't exist
SQLHomedirOnDemand on

# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

# Update modified everytime user uploads or deletes a file
SQLLog  STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies

SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

RootLogin off
RequireValidShell off

SQLNamedQuery gettally  SELECT "ROUND((bytes_in_used/1048576),2) FROM ftpquotatallies WHERE name='%u'"
SQLNamedQuery getlimit  SELECT "ROUND((bytes_in_avail/1048576),2) FROM ftpquotalimits WHERE name='%u'"
SQLNamedQuery getfree   SELECT "ROUND(((ftpquotalimits.bytes_in_avail-ftpquotatallies.bytes_in_used)/1048576),2) FROM ftpquotalimits,ftpquotatallies WHERE ftpquotalimits.name = '%u' AND ftpquotatallies.name = '%u'"

SQLShowInfo   LIST    "226" "Used %{gettally}MB from %{getlimit}MB. You have %{getfree}MB available space."
Do i need to give any more information?
I am really stunned

Thank you
 
Old 05-16-2009, 04:20 PM   #2
alex95_bg
LQ Newbie
 
Registered: Feb 2009
Location: Bulgaria
Distribution: Fedora 10 x86_64
Posts: 3

Original Poster
Rep: Reputation: 0
i cant post the code in the other post but i recently adden an iptables script
thet was the first reboot since it was added
here it is:

Code:
    #!/bin/sh
    #------------------------------------------------------------------------------
    # File: fw_laptop
    # Author: Uwe Hermann <uwe@hermann-uwe.de>
    # URL: http://www.hermann-uwe.de/files/fw_laptop
    # License: GNU GPL (version 2, or any later version).
    # $Id: fw_laptop 529 2006-06-10 15:11:40Z uh1763 $
    #------------------------------------------------------------------------------

    # A firewall script intended to be used on workstations / laptops. It basically
    # blocks all incoming traffic and only allows minimal outgoing traffic.
    # It helps to mitigate certains attacks, misconfigurations of local daemons,
    # misbehaving local users or applications, and can prevent untrusted
    # applications from "phoning home", among other things.

    # Note: This is work in progress! Any comments and suggestions are welcome!

    # Thanks for comments and suggestions:
    #   * Jean Christophe André <jean-christophe.andre@auf.org>
    #   * Ryan Giobbi <rgiobbi@gmail.com>
    #   * Pascal Hambourg <pascal.mail@plouf.fr.eu.org>


    #------------------------------------------------------------------------------
    # Configuration.
    #------------------------------------------------------------------------------

    # For debugging use iptables -v.
    IPTABLES="/sbin/iptables"
    IP6TABLES="/sbin/ip6tables"
    MODPROBE="/sbin/modprobe"
    RMMOD="/sbin/rmmod"
    ARP="/usr/sbin/arp"

    # Logging options.
    # Note: We use --log-level debug, so that the messages are not output
    # to all virtual consoles (which would be quite annoying).
    # Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
    # /etc/init.d/klogd startup-script.
    LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
    LOG="$LOG --log-ip-options"

    # Defaults for rate limiting (to prevent DoS attacks and excessive logging).
    # TODO: What is a good value for --limit and --limit-burst?
    # TODO: Test rate limiting.
    RLIMIT="-m limit --limit 3/s --limit-burst 8"

    # Unprivileged ports.
    PHIGH="1024:65535"

    # Common SSH source ports.
    PSSH="1000:1023"

    # Load required kernel modules (if automatic module loading is disabled).
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_conntrack_irc


    #------------------------------------------------------------------------------
    # Mitigate ARP spoofing/poisoning and similar attacks.
    # For details see:
    #   * http://en.wikipedia.org/wiki/ARP_spoofing
    #   * http://www.grc.com/nat/arp.htm
    #------------------------------------------------------------------------------

    # Hardcode static ARP cache entries here (e.g. for the network gateway).
    # $ARP -s IP-ADDRESS MAC-ADDRESS


    #------------------------------------------------------------------------------
    # Kernel configuration.
    # For details see:
    #   * http://www.securityfocus.com/infocus/1711
    #   * http://www.linuxgazette.com/issue77/lechnyr.html
    #   * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
    #   * /usr/src/linux/Documentation/filesystems/proc.txt
    #   * /usr/src/linux/Documentation/networking/ip-sysctl.txt
    #------------------------------------------------------------------------------

    # Disable IP forwarding.
    # Note: We turn this on and off to reset all settings to their defaults.
    #echo 1 > /proc/sys/net/ipv4/ip_forward
    #echo 0 > /proc/sys/net/ipv4/ip_forward

    # Enable IP spoofing protection (i.e. source address verification).
    # Note: This is special, as it seems to only be enabled if you set
    # */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
    # */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

    # Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Ignore all incoming ICMP echo requests (i.e. disable ping).
    # Usually not a good idea, as some protocols and users need/want this.
    # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    #echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    # Ignore ICMP echo requests to broadcast/multicast addresses. We do not
    # want to participate in smurf (and similar) DoS attacks.
    # For details see: http://en.wikipedia.org/wiki/Smurf_attack.
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Log packets with impossible addresses.
    for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

    # Don't log invalid responses to broadcast frames, they just clutter the logs.
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Don't accept or send ICMP redirects.
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

    # Don't accept source routed packets.
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

    # Disable multicast routing. Should not be needed, usually.
    # TODO: This throws an "Operation not permitted" error. Why?
    # for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

    # Disable proxy_arp. Should not be needed, usually.
    for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

    # Enable secure redirects, i.e. only accept ICMP redirects for gateways
    # listed in the default gateway list. Helps against MITM attacks.
    for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

    # Disable bootp_relay. Should not be needed, usually.
    for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

    # TODO: These may mitigate ARP poisoning attacks?
    # /proc/sys/net/ipv4/neigh/*/locktime
    # /proc/sys/net/ipv4/neigh/*/gc_stale_time

    # TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
    # Are there any security-relevant options I missed? Check especially:
    # icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


    #------------------------------------------------------------------------------
    # Default policies.
    #------------------------------------------------------------------------------

    # Drop everything by default.
    # Note: The default policies are set _before_ flushing the chains, to prevent
    # a short timespan between flushing the chains and setting policies where
    # any traffic would be allowed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
    # Packets will simply pass through these tables unchanged.
    # TODO: What happens if the modules aren't loaded?
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT

    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P INPUT ACCEPT
    $IPTABLES -t mangle -P FORWARD ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P POSTROUTING ACCEPT

    # TODO: Correct? Remove this?
    $IPTABLES -t raw -P PREROUTING ACCEPT
    $IPTABLES -t raw -P OUTPUT ACCEPT


    #------------------------------------------------------------------------------
    # Cleanup.
    #------------------------------------------------------------------------------

    # Delete all rules.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    # Delete all (non-builtin) user-defined chains.
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X

    # Zero all packet and byte counters.
    $IPTABLES -Z
    $IPTABLES -t nat -Z
    $IPTABLES -t mangle -Z


    #------------------------------------------------------------------------------
    # Completely disable IPv6.
    #------------------------------------------------------------------------------

    # Block all IPv6 traffic, otherwise the firewall might be circumvented by an
    # attacker who simply sends IPv6 traffic instead of IPv4 traffic.
    # Note: The safest way to prevent IPv6 traffic is to not enable support for
    # IPv6 in the kernel in the first place (neither built-in nor as a module).

    # If the ip6tables command is available, try to block all IPv6 traffic.
    if test -x $IP6TABLES; then
      # Set the default policies (drop everything).
      $IP6TABLES -P INPUT DROP 2>/dev/null
      $IP6TABLES -P FORWARD DROP 2>/dev/null
      $IP6TABLES -P OUTPUT DROP 2>/dev/null

      # The mangle table can pass everything through unaltered (we don't use it).
      $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
      $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
      $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
      $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
      $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

      # Delete all rules.
      $IP6TABLES -F 2>/dev/null
      $IP6TABLES -t mangle -F 2>/dev/null

      # Delete all (non-builtin) user-defined chains.
      $IP6TABLES -X 2>/dev/null
      $IP6TABLES -t mangle -X 2>/dev/null

      # Zero all packet and byte counters.
      $IP6TABLES -Z 2>/dev/null
      $IP6TABLES -t mangle -Z 2>/dev/null
    fi


    #------------------------------------------------------------------------------
    # Custom user-defined chains.
    #------------------------------------------------------------------------------

    # LOG packets, then ACCEPT them.
    $IPTABLES -N ACCEPTLOG
    $IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
    $IPTABLES -A ACCEPTLOG -j ACCEPT

    # LOG packets, then DROP them.
    $IPTABLES -N DROPLOG
    $IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
    #$IPTABLES -A DROPLOG -j DROP

    # LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
    $IPTABLES -N REJECTLOG
    $IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
    $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A REJECTLOG -j REJECT

    # A custom chain which only allows minimal (RELATED) ICMP types
    # (destination-unreachable, time-exceeded, and parameter-problem).
    # TODO: Rate-limit this traffic?
    # TODO: Allow fragmentation-needed?
    # TODO: Test.
    $IPTABLES -N RELATED_ICMP
    $IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
    #$IPTABLES -A RELATED_ICMP -j DROPLOG


    #------------------------------------------------------------------------------
    # Only allow the minimally required/recommended parts of ICMP. Block the rest.
    # For details see:
    #   * http://tools.ietf.org/html/792
    #   * http://tools.ietf.org/html/1122
    #   * http://www.iana.org/assignments/icmp-parameters
    #   * http://www.daemon.be/maarten/icmpfilter.html
    #------------------------------------------------------------------------------

    # Note: Be careful if you're using kernels older than 2.4.29. Some locally
    # generated ICMP error types (going through OUTPUT) are erroneously tagged
    # as INVALID (instead of RELATED).
    # Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.

    # TODO: This section needs a lot of testing!

    # First, drop all fragmented ICMP packets (almost always malicious).
    $IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
    $IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
    $IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

    # Allow all ESTABLISHED ICMP traffic.
    # TODO: Tighten this some more?
    $IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
    $IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

    # Allow some parts of the RELATED ICMP traffic, block the rest.
    # TODO: FORWARD?
    $IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
    $IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

    # Allow incoming ICMP echo requests (ping), but only rate-limited.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

    # Allow outgoing ICMP echo requests (ping), but only rate-limited.
    # TODO: Really do rate limiting here?
    #$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

    # Drop any other ICMP traffic.
    $IPTABLES -A INPUT -p icmp -j DROPLOG
    $IPTABLES -A OUTPUT -p icmp -j DROPLOG
    $IPTABLES -A FORWARD -p icmp -j DROPLOG


    #------------------------------------------------------------------------------
    # Selectively allow certain special types of traffic.
    #------------------------------------------------------------------------------

    # Allow all incoming and outgoing connections on the loopback interface.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Allow incoming connections related to existing allowed connections.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow outgoing connections related to existing allowed connections.
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Uncomment this (and comment the above line) to allow all outgoing
    # connections (except for INVALID ones).
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
    # For details see:
    #   * http://www.debian.org/doc/manuals/securing-debian-howto/
    #   * ftp://ftp.isi.edu/in-notes/rfc1122.txt

    # TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?


    #------------------------------------------------------------------------------
    # Miscellaneous.
    #------------------------------------------------------------------------------

    # Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
    # TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
    $IPTABLES -A INPUT -p tcp -m multiport \
              --dports 135,137,138,139,445,1433,1434 -j DROP
    $IPTABLES -A INPUT -p udp -m multiport \
              --dports 135,137,138,139,445,1433,1434 -j DROP

    # Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Drop invalid outgoing traffic, too.
    # Note: This may prevent you from performing certain scans. Also, see above
    # comment about ICMP packets being erroneously marked as INVALID instead of
    # RELATED in kernels older than 2.4.29. Remove this rule if needed.
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP

    # This is not needed, as we use policy DROP for FORWARD, and we disabled
    # ip_forward anyways. However, if we would use NAT, INVALID packets would
    # bypass our rules, so we block them explicitly here, just in case.
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP

    # Hinder portscanners a bit.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
    $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

    # TODO: Some more anti-spoofing rules? For example:
    # TODO: Test.
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
    # $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


   
    #------------------------------------------------------------------------------
    # Selectively allow certain outbound connections, block the rest.
    # TODO: This could be tightened a bit more (limit source/dest port ranges).
    #------------------------------------------------------------------------------

    # Allow outgoing DNS requests. Few things will work without this.
    $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

    # Allow outgoing HTTP requests. Unencrypted, use with care.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

    # Allow outgoing HTTPS requests.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    # Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
    # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

    # Allow outgoing "submission" requests.
    # Submission (RFC 2476) is used for sending email, and uses port 587.
    # This can be encrypted or unencrypted, depending on the server (I think).
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

    # Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

    # Allow outgoing SSH requests.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

    # Allow outgoing FTP requests. Unencrypted, use with care.
    # Note: This usually needs the ip_conntrack_ftp kernel module.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

    # Allow outgoing NNTP requests. Unencrypted, use with care.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

    # Allow outgoing NTP requests. Unencrypted, use with care.
    $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

    # Allow outgoing IRC requests. Unencrypted, use with care.
    # Note: This usually needs the ip_conntrack_irc kernel module.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
    # Allow outgoing requests to various proxies. Unencrypted, use with care.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

    # Allow outgoing DHCP requests. Unencrypted, use with care.
    # TODO: This is completely untested, I have no idea whether it works!
    # TODO: I think this can be tightened a bit more.
    $IPTABLES -A OUTPUT -m state --state NEW -p udp \
              --sport 67:68 --dport 67:68 -j ACCEPT

    # Allow outgoing CVS requests. Unencrypted, use with care.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

    # Allow outgoing SVN requests. Unencrypted, use with care.
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

    # Allow outgoing Tor (http://tor.eff.org) requests.
    # Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

    # Allow outgoing Bacula (http://www.bacula.org) requests.
    # Unencrypted (usually), use with care.
    # Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
    # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
    # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT

    # Allow outgoing OpenVPN requests.
    $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

    # TODO: ICQ, ...


    #------------------------------------------------------------------------------
    # Selectively allow certain inbound connections, block the rest.
    # TODO: This could be tightened a bit more (limit source/dest port ranges).
    #------------------------------------------------------------------------------

    # Allow incoming DNS requests.
    $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

    # Allow incoming HTTP requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

    # Allow incoming HTTPS requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    # Allow incoming POP3 requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

    # Allow incoming POP3S requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

    # Allow incoming SMTP requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

    # Allow incoming SSH requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2122 -j ACCEPT

    # Allow incoming FTP requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

#allow ssh
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

    # Allow incoming NNTP requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

    # Allow incoming BitTorrent requests.
    # TODO: Are these already handled by ACCEPTing established/related traffic?
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

    # Allow incoming nc requests.
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

    # Allow incoming Bacula (http://www.bacula.org) requests.
    # Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT


    #------------------------------------------------------------------------------
    # Explicitly log and reject everything else.
    #------------------------------------------------------------------------------

    # Use REJECT instead of REJECTLOG if you don't need/want logging.
    $IPTABLES -A INPUT -j REJECTLOG
    $IPTABLES -A OUTPUT -j REJECTLOG
    $IPTABLES -A FORWARD -j REJECTLOG


    #------------------------------------------------------------------------------
    # Testing the firewall.
    #------------------------------------------------------------------------------

    # You should check/test that the firewall really works, using for example
    # iptables -vnL, nmap, ping, telnet, ...


    #------------------------------------------------------------------------------
    # Exit gracefully.
    #------------------------------------------------------------------------------

    exit 0
i have edited it to allow certain ports and stuff
i dont know how passive mode works
is it possible that iptables is the problem?


EDIT!
Solved, iptables was the problem
Last edited by alex95_bg; 05-16-2009 at 04:23 PM. Reason: typo
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
proftpd hangs at "LIST -al" anwar Linux - Server 6 03-30-2007 11:12 AM
proftpd "dir" command hangs annamonster Linux - Networking 2 08-28-2006 02:29 PM
proftpd hangs bosewicht Linux - Newbie 1 05-25-2004 12:14 PM
Proftpd listing hangs Kostko Linux - Networking 3 02-01-2004 12:01 PM
proftpd directories list bacon22 Linux - Networking 2 01-21-2004 09:49 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 05:21 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration