Running Bering V1.0-rc2, I am unable to access the internal FTP servers with
passive FTP. I can use command-line FTP, so I am puzzled. 

Some details: 
_______________________________________________________
/etc/shorewall/ifaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,norfc1918
loc     eth1            detect          routestopped,multi

/etc/shorewall/rules:

ACCEPT  loc:10.1.1.0/24 loc:10.1.1.1    tcp smtp        - 216.236.142.81:10.1.1.1
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.252  tcp www,https   - 216.236.142.82:10.1.1.1
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.253  tcp www,https   - 216.236.142.83:10.1.1.1
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.254  tcp www,https   - 216.236.142.84:10.1.1.1
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.63   tcp ftp         - 216.236.142.85:10.1.1.1

ACCEPT          net  loc:10.1.1.1               tcp smtp,22,2023,ftp
ACCEPT          net  loc:10.1.1.252             tcp www,https
ACCEPT          net  loc:10.1.1.253             tcp www,https
ACCEPT          net  loc:10.1.1.254             tcp www,https
ACCEPT          net  loc:10.1.1.63              tcp ftp
ACCEPT          net  fw                         tcp 80
ACCEPT          net  loc:10.1.1.1               tcp pop-3


/etc/shorewall/policy:

#SOURCE         DESTINATION     POLICY          LOG LEVEL
loc             net             ACCEPT
loc             fw              ACCEPT
fw              loc             ACCEPT
loc             loc             ACCEPT
net             all             REJECT          info
all             all             REJECT          info

/etc/shorewall/nat:
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
216.236.142.81  eth0            10.1.1.1
216.236.142.82  eth0            10.1.1.252
216.236.142.83  eth0            10.1.1.253
216.236.142.84  eth0            10.1.1.254
216.236.142.85  eth0            10.1.1.63


/etc/shorewall/masq
eth0                    10.1.1.0/24!10.1.1.252,10.1.1.253,10.1.1.254,10.1.1.1,10.1.1.63

# lsmod
Module         Pages    Used by
ip_nat_ftp              2672   0 (unused)
ip_conntrack_ftp        2848   0 (unused)
3c59x                  24504   2

-------------------------------------------------------

Now that (at the suggestion of various list members, including Mr. Eastep) I've
changed the firewall posture from 'relaxed' to 'aggressive', I get hundreds of
hits every day - but nothing when I ftp. So, I assume that the firewall is
*not* blocking the data connection. (There *is* an incoming connection to port
21 shown, e.g., on the weblet, but no other connection.)

Earlier suggestions that there might be a server-side problem are belied by the
fact that two separate servers, one running Unix and the other NT, both ran
properly with both the DSL router and the Cisco PIX that supplanted it. So, I
am missing something. But what?

BTW, I tried replacing ip_conntrack_ftp.o and ip_nat_ftp.o with newer versions
from:

http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/net/ipv4/netfilter/

and got only panics for my trouble. :-(

-- 
_________________________________________
Nachman Yaakov Ziskind, EA, LLM         [EMAIL PROTECTED]
Attorney and Counselor-at-Law           http://yankel.com
Economic Group Pension Services         http://egps.com
Actuaries and Employee Benefit Consultants

