/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
Anthony Rosso <[EMAIL PROTECTED]> wrote:
>
> New problem:
> Access to ftp sites not allowed, from Netscape Browser
> or from ftp command line.
> Partial solution: (help needed)
> The following has allowed command line ftp access
> - ipchains -A good-bad -p tcp --dport ftp-data -j MASQ
> I still cannot access ftp site from Netscape browser (help please)
It sounds like you are denying most traffic, or rather, traffic to
anything but a few ports that you specify. You will find that ftp
traffic works badly with this setup.
Browsers will use PASV-mode ftp. That means that they ask the ftp
server to supply a port number to connect to, and then they try to
connect to it. The port number supplied by the server will be random.
So it is hard to construct a tight firewall that allows ftp traffic.
Furthermore, your rule that allows "--dport ftp-data" is a security
problem. It is not guaranteed that traffic with a source port of
ftp-data will be for FTP purposes. Someone could conceivably initiate
traffic using source-port 20, and a destination port of 23. Will that
open a telnet session on your firewall? Be careful...
Someone once posted a patch to the linux-kernel list. The patch would
watch FTP control-port traffic (in the ip_masq_ftp module, obviously),
and would insert firewall rules to enable the particular ports
negotiated by the client and server, for a specified time period.
That, to me, looks like the best option for creating a semi-stateful
firewall using IP Masq.
Unfortunately I have not tried the patch, because my security
requirements are not so strict, and I simply allow random connections to
high ports through my firewall.
> Diald won't connect when attempt is made to connect to the outside
> from my inside private network.
To the other list members: You should notice that he was reporting the
solution to this problem, not declaring it as an unsolved problem. :)
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Just about every computer on the market
sometimes known as David DeSimone || today runs Unix, except the Mac (and
http://www.dallas.net/~fox/ || nobody cares about it). -- Bill Joy '85
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES
UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
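Added example (not from the post above, nor from the ip_masq_ftp patch it mentions): a toy of the "semi-stateful" approach the reply describes. It reads constructed FTP control-channel lines, pulls the negotiated data port out of each client PORT command and each server 227 PASV reply, and turns it into a time-limited pinhole for exactly that address pair, instead of a blanket --dport ftp-data rule. The checks it applies are the ones a practitioner would want: it rejects announced addresses that are not the peer already on the control channel, and it refuses to open ports below 1024 (so no "source port 20, destination port 23" hole). The addresses 10.0.0.5 and 192.0.2.10, the 30-second lifetime, and the rendered ipchains ACCEPT rules are all assumptions made for illustration.

```python
"""Toy FTP control-channel watcher that emits time-limited pinholes.

Illustrative example written for this page; it is not the ip_masq_ftp
kernel code and does not touch the kernel.  Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client side: "PORT h1,h2,h3,h4,p1,p2" announces where the server should
# connect (active mode).  Server side: "227 ... (h1,h2,h3,h4,p1,p2)" is the
# reply to PASV and announces where the client should connect (passive mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed control-channel exchange (assumed addresses, not a capture).
CLIENT_IP = "10.0.0.5"       # inside host behind the masquerading box
SERVER_IP = "192.0.2.10"     # remote FTP server
SAMPLE_CONTROL_LINES = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,19,137)."),   # ok: port 5001
    ("C", "RETR README"),
    ("C", "PORT 10,0,0,5,4,1"),                                 # ok: port 1025
    ("S", "200 PORT command successful."),
    ("S", "227 Entering Passive Mode (198,51,100,7,20,0)."),    # wrong host
    ("C", "PORT 10,0,0,5,0,23"),                                # port 23: refuse
    ("S", "227 Entering Passive Mode (192,0,2,10,300,1)."),     # octet > 255
]


@dataclass(frozen=True)
class Pinhole:
    src: str        # address allowed to open the data connection
    sport: str      # source port, or "any"
    dst: str        # address the data connection goes to
    dport: int
    expires: float  # absolute time after which the hole is closed again


def _decode(fields: Tuple[str, ...]) -> Optional[Tuple[str, int]]:
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); None if an octet is out of range."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def extract_pinholes(lines, client_ip: str, server_ip: str,
                     now: float = 0.0, ttl: float = 30.0) -> List[Pinhole]:
    """Walk the control channel and return one pinhole per accepted negotiation."""
    holes: List[Pinhole] = []
    for side, text in lines:
        m = PORT_RE.match(text) if side == "C" else PASV_RE.match(text)
        if not m:
            continue
        decoded = _decode(m.groups())
        if decoded is None:
            continue
        ip, port = decoded
        if port < 1024:
            # Never punch a hole into a privileged service, whatever the
            # peer announces (the "source port 20, destination 23" case).
            continue
        if side == "C":
            # Active mode: the server connects from port 20 to the announced
            # client address, which must be the client itself, or we would be
            # exposing some other inside host.
            if ip != client_ip:
                continue
            holes.append(Pinhole(server_ip, "20", client_ip, port, now + ttl))
        else:
            # Passive mode: the client connects out to the announced server
            # address, which must be the server already on the control channel.
            if ip != server_ip:
                continue
            holes.append(Pinhole(client_ip, "any", server_ip, port, now + ttl))
    return holes


def live_pinholes(holes: List[Pinhole], now: float) -> List[Pinhole]:
    """Drop holes whose lifetime has run out."""
    return [h for h in holes if h.expires > now]


def to_ipchains(hole: Pinhole, chain: str) -> str:
    """Render a pinhole as an ipchains ACCEPT rule (illustrative rule text)."""
    src = hole.src if hole.sport == "any" else f"{hole.src} {hole.sport}"
    return f"ipchains -A {chain} -p tcp -s {src} -d {hole.dst} {hole.dport} -j ACCEPT"


if __name__ == "__main__":
    for h in extract_pinholes(SAMPLE_CONTROL_LINES, CLIENT_IP, SERVER_IP, now=100.0):
        print(to_ipchains(h, "input" if h.sport == "20" else "output"), "# until", h.expires)
```

Of the five negotiations in the sample, only the first PASV reply and the first PORT command survive: the 227 pointing at 198.51.100.7 is rejected because it names a host other than the server, the PORT to port 23 is refused as privileged, and the reply with a 300 octet is malformed. Each surviving hole carries an expiry, which is the "specified time period" the post attributes to the kernel patch.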