[Firehol-support] FTP rule problem (bug?)
Costa Tsaousis
costa at tsaousis.gr
Mon Apr 25 08:38:00 BST 2005
Hi,
Don't drop ftp. Just don't say anything about it and it will be dropped
automatically without any side-effects to your other services.
Regards,
Costa
On Mon, April 25, 2005 4:00, Ian Duggan said:
>
> The FTP rules seem to be a bit too aggressive. I'm trying to block incoming
> FTP requests to a server, and it is having the effect of blocking a good
> amount of outbound traffic. I.e., I can't telnet to a mysql port from this
> machine when the rules are in place. Relevant firehol.conf:
>
> # DMZ rules
> interface eth+ dmz src "${dmz}"
> policy return
> protection strong
>
> server ssh accept
> server dns accept
> server http accept
> server https accept
> server smtp accept
> server icmp accept
> server zopehttp accept
> server nfs accept
> server portmap accept
> server ftp drop
>
> client all accept
>
> server ident reject with tcp-reset
>
>
> This set of definitions produces the following iptables setup which appears
> to be faulty. The problem seems to be the last item in the out_dmz_ftp_s10
> chain, which causes a large swath of traffic types to be dropped. It is
> appearing before the out_dmz_ftp_c13 chain which looks like it would
> alleviate this effect.
>
> Chain out_dmz (1 references)
> pkts bytes target prot opt in out source destination
> 1 60 out_dmz_ssh_s1 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_dns_s2 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_http_s3 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_https_s4 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_smtp_s5 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_icmp_s6 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_zopehttp_s7 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_nfs_s8 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_portmap_s9 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_ftp_s10 all -- * * 0.0.0.0/0 0.0.0.0/0
> 1 60 out_dmz_all_c11 all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 out_dmz_irc_c12 all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 out_dmz_ftp_c13 all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 out_dmz_ident_s14 all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain out_dmz_all_c11 (1 references)
> pkts bytes target prot opt in out source destination
> 1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
>
> Chain out_dmz_ftp_c13 (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpt:21 state NEW,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpt:20 state ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED
>
> Chain out_dmz_ftp_s10 (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 state ESTABLISHED
> 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 dpts:1024:65535 state RELATED,ESTABLISHED
> 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpts:1024:65535 state ESTABLISHED
>
> I am going to work around this by moving my client definitions higher up in
> the chain, but this looks like it might be a bug.
>
> --Ian
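Why the quoted ordering stalls an unrelated outbound connection can be replayed with a small rule walker. This is an added example, not code from the thread or from FireHOL: it transcribes the match fields quoted for out_dmz_ftp_s10 and out_dmz_all_c11, assumes every packet is TCP and that the first matching rule wins (as iptables does), and uses a constructed outbound MySQL connection (source port 40000, destination port 3306) as its sample.

```python
import re
# Match fields transcribed from the out_dmz_ftp_s10 and out_dmz_all_c11
# chains quoted above, in the order the out_dmz chain visits them.
FTP_S10 = [
    ("DROP", "spt:21 dpts:1024:65535 state ESTABLISHED"),
    ("DROP", "spt:20 dpts:1024:65535 state RELATED,ESTABLISHED"),
    ("DROP", "spts:32768:61000 dpts:1024:65535 state ESTABLISHED"),
]
ALL_C11 = [("ACCEPT", "state NEW,ESTABLISHED")]

# As posted, 'server ftp drop' is evaluated before 'client all accept'.
AS_POSTED = [("out_dmz_ftp_s10", FTP_S10), ("out_dmz_all_c11", ALL_C11)]
# Costa's advice: omit the ftp line, leaving only the client chain.
FTP_OMITTED = [("out_dmz_all_c11", ALL_C11)]

def parse_match(text):
    """'spt:21 dpts:1024:65535 state ESTABLISHED' -> {'s': (21, 21),
    'd': (1024, 65535), 'state': {'ESTABLISHED'}}; 'state' is None if absent."""
    match = {}
    for side, lo, hi in re.findall(r"\b([sd])pts?:(\d+)(?::(\d+))?", text):
        match[side] = (int(lo), int(hi or lo))
    state = re.search(r"state (\S+)", text)
    match["state"] = set(state.group(1).split(",")) if state else None
    return match

def rule_hits(match, pkt):
    """True when a TCP packet {sport, dport, state} satisfies every field."""
    for side, field in (("s", "sport"), ("d", "dport")):
        if side in match and not match[side][0] <= pkt[field] <= match[side][1]:
            return False
    return match["state"] is None or pkt["state"] in match["state"]

def verdict(chains, pkt):
    """First matching rule wins, as in iptables; RETURN if nothing matches."""
    for chain, rules in chains:
        for target, text in rules:
            if rule_hits(parse_match(text), pkt):
                return target, chain
    return "RETURN", None

# Constructed sample: an outbound MySQL connection from an ephemeral port.
# The SYN is state NEW and slips past the ESTABLISHED-only DROP; every later
# packet of the connection is ESTABLISHED and hits the third ftp_s10 rule.
MYSQL_SYN = {"sport": 40000, "dport": 3306, "state": "NEW"}
MYSQL_ACK = {"sport": 40000, "dport": 3306, "state": "ESTABLISHED"}

if __name__ == "__main__":
    for label, pkt in (("SYN", MYSQL_SYN), ("ACK", MYSQL_ACK)):
        print(label, "as posted:", verdict(AS_POSTED, pkt), "ftp omitted:", verdict(FTP_OMITTED, pkt))
```

The SYN is accepted in both layouts, but with the rules as posted the first ESTABLISHED packet of the same connection is dropped by out_dmz_ftp_s10, which is exactly the stalled telnet-to-mysql symptom; genuine FTP server replies (source port 21) are still dropped by the first rule of that chain.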