On Fri, 2004-12-24 at 08:04 +1100, justin randell wrote:
> hi all,
> 
> since the network firewall was tightened where i work, i can't get
> apt-get to work.
> 
> i can't figure out why, because i thought apt-get used ftp and http,
> and both of these are allowed through:

Looks like you are using ACLs on a Cisco router, which is not really a firewall.

This will allow you to establish a control channel connection:
access-list 190 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
This will do nothing at all, as you will never try to connect to ftp-data (20).
The server will try to connect to you with a src port of 20:
access-list 190 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data

ftp is one of those unfortunate and ugly protocols like (portmap)
that uses random ports.

traditional ftp
you -> (21) ftp server
ftp requests a high tcp port from you and connects to you, i.e. an
inbound connection
most acls will block this
you( > 1023) <- (20) ftp server

passive ftp
you -> (21) ftp server
ftp server tells you a high numbered tcp port to connect to
you -> (>1023) ftp_server

note that the connection on 21 is always up it is the control channel.

So from your acls above for passive ftp to work you would need
access-list 190 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any gt 1023

which probably violates your policy 

Solution: use http, or get a stateful firewall that can create the
required rules on the firewall. For iptables use the ftp_conntrack module.
One last thing: if I gave out my company's access rules on a
mailing list I would be shot.
Just include the relevant lines next time.

jimbob
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
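To make the point about the two ACL lines concrete, here is an added Python illustration (not part of the original thread) that models the Cisco ACL syntax quoted above and evaluates the three TCP connections jimbob describes (control channel, active-mode data, passive-mode data) against the list. The client address, server address and the `227 Entering Passive Mode` reply are constructed sample values; the ACL lines are the ones from the thread. Only the limited `permit tcp <net> <wildcard> [gt N] any (eq P | gt N)` form is parsed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names Cisco ACLs accept in place of numbers (only the two the thread uses).
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

# Limited ACL grammar seen in the thread:
#   access-list 190 permit tcp <net> <wildcard> [gt N] any (eq P | gt N)
ACL_RE = re.compile(
    r"access-list\s+\d+\s+permit\s+tcp\s+(\S+)\s+(\S+)\s+"
    r"(?:gt\s+(\d+)\s+)?any\s+(?:eq\s+(\S+)|gt\s+(\d+))"
)

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class AclEntry:
    src_net: ipaddress.IPv4Network
    src_port_gt: Optional[int]   # 'gt N' on the source side, if present
    dst_port_eq: Optional[int]   # 'eq P' on the destination side
    dst_port_gt: Optional[int]   # 'gt N' on the destination side

    def matches(self, flow: Flow) -> bool:
        # Destination is 'any' in every line above, so only the source network
        # and the port qualifiers are checked.
        if ipaddress.IPv4Address(flow.src_ip) not in self.src_net:
            return False
        if self.src_port_gt is not None and not flow.src_port > self.src_port_gt:
            return False
        if self.dst_port_eq is not None and flow.dst_port != self.dst_port_eq:
            return False
        if self.dst_port_gt is not None and not flow.dst_port > self.dst_port_gt:
            return False
        return True

def port_number(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)

def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if not m:
            continue
        net, wildcard, src_gt, dst_eq, dst_gt = m.groups()
        entries.append(AclEntry(
            src_net=ipaddress.IPv4Network(f"{net}/{wildcard}"),  # wildcard == hostmask
            src_port_gt=int(src_gt) if src_gt else None,
            dst_port_eq=port_number(dst_eq) if dst_eq else None,
            dst_port_gt=int(dst_gt) if dst_gt else None,
        ))
    return entries

def permitted(acl: List[AclEntry], flow: Flow) -> bool:
    """First match wins; every line here is a permit and the list ends in an implicit deny."""
    return any(entry.matches(flow) for entry in acl)

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

CLIENT = "192.168.1.23"   # constructed: a host on the 192.168.1.0/24 LAN
SERVER = "203.0.113.10"   # constructed: an FTP server outside
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,203)"  # constructed

def ftp_flows() -> dict:
    """The three connections the thread describes, as the router would see them."""
    pasv_ip, pasv_port = parse_pasv(PASV_REPLY)
    return {
        "control":      Flow(CLIENT, 40000, SERVER, 21),           # you -> (21) server
        "active_data":  Flow(SERVER, 20, CLIENT, 40001),           # (20) server -> you, inbound
        "passive_data": Flow(CLIENT, 40002, pasv_ip, pasv_port),   # you -> (>1023) server
    }

def evaluate(acl_text: str) -> dict:
    acl = parse_acl(acl_text)
    return {name: permitted(acl, flow) for name, flow in ftp_flows().items()}

ORIGINAL_ACL = """\
access-list 190 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 190 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
"""
PASSIVE_ACL = ORIGINAL_ACL + "access-list 190 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any gt 1023\n"

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("with gt 1023 line", PASSIVE_ACL)):
        print(label, evaluate(text))
```

Running it shows that the original two lines only ever match the control channel: the active-mode data connection originates from the server (source outside 192.168.1.0/24) and the passive-mode one goes to a high port that no `eq` line covers. Adding the `gt 1023 any gt 1023` line opens passive data connections, which is exactly the broad rule jimbob expects the policy to forbid; the inbound active connection stays blocked either way, which is why a stateful helper that tracks the PASV/PORT exchange is the cleaner fix.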
