[Firehol-support] RST, ACK, SYN, FTP

Costa Tsaousis costa at tsaousis.gr
Sat Apr 22 13:21:34 CEST 2006


Hi Jernej,

Have you compiled the iptables conntrack FTP modules in the kernel?
Without them, it is impossible to allow these packets.

Costa

jernejp at cs.waikato.ac.nz wrote:
> Hello!
>
> Maybe a lame question. Why does firehol block these packets when I log on to a
> remote FTP (successful logon) and try to list (passive or active)?
>
> I have lots of entries on client side:
> IN-interNet:IN=eth0 OUT= MAC=00:30:48:71:1c:4a:00:0d:ed:9b:e2:bf:08:00
> SRC=x.x.x.34 DST=x.x.x.122 LEN=124 TOS=0x00 PREC=0x00 TTL=57 ID=39074 DF
> PROTO=TCP SPT=21 DPT=32800 WINDOW=1448 RES=0x00 ACK PSH URGP=0
>
> and on server side:
> OUT-interNet:IN= OUT=eth0 SRC=x.x.x.34 DST=x.x.x.122 LEN=60 TOS=0x00
> PREC=0x00 TTL=64 ID=54491 DF PROTO=TCP SPT=20 DPT=34972 WINDOW=5840
> RES=0x00 SYN URGP=0
>
> The config should allow any FTP connection (server/client). All possible
> trackings are included in the kernel, so I don't know where the catch is.
> Modules are disabled, because I don't allow any modules on the machine at
> all, so FIREHOL_SKIP_MODULES is on.
>
> So how can I allow these packets to come through? I turned off all the
> protection (protection), I only have my firewall rules in (server ftp
> accept, client ftp accept).
>
> Thanks in advance, Jernej
> BTW: otherwise Firehol is awesome
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
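As an added diagnostic example (not code from this thread or from FireHOL), a small parser for iptables LOG lines like the two quoted above: it splits each line into prefix, key=value fields and bare TCP flags, then separates control-channel packets (port 21) from the server-initiated active-mode data connection (a SYN from port 20), which is the packet that only the FTP conntrack helper can classify as RELATED. The embedded sample lines are constructed (documentation-range addresses) and the classification labels are my own.

```python
from typing import Dict, List

# Constructed sample in iptables LOG format, modelled on the entries quoted in
# the thread; addresses replaced with documentation-range values, third line added.
SAMPLE_LOG = """\
IN-interNet:IN=eth0 OUT= MAC=00:30:48:71:1c:4a:00:0d:ed:9b:e2:bf:08:00 SRC=198.51.100.34 DST=192.0.2.122 LEN=124 TOS=0x00 PREC=0x00 TTL=57 ID=39074 DF PROTO=TCP SPT=21 DPT=32800 WINDOW=1448 RES=0x00 ACK PSH URGP=0
OUT-interNet:IN= OUT=eth0 SRC=198.51.100.34 DST=192.0.2.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54491 DF PROTO=TCP SPT=20 DPT=34972 WINDOW=5840 RES=0x00 SYN URGP=0
OUT-interNet:IN= OUT=eth0 SRC=198.51.100.34 DST=192.0.2.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=443 DPT=40000 WINDOW=5840 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line: str) -> Dict[str, object]:
    """Split one iptables LOG line into log prefix, key=value fields, TCP flags and bare options (DF)."""
    head, sep, rest = line.partition(":")  # --log-prefix ends at the first colon
    if not sep or "=" in head:            # no prefix at all: the first token was already a field
        head, rest = "", line
    fields: Dict[str, str] = {}
    flags: List[str] = []
    options: List[str] = []
    for token in rest.split():
        if "=" in token:                  # MAC=..:.. keeps its colons because we split on '=' only
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.append(token)
        else:
            options.append(token)
    return {"prefix": head, "fields": fields, "flags": flags, "options": options}


def classify_ftp(rec: Dict[str, object]) -> str:
    """'control' for port-21 traffic, 'active-data' for a server-opened SYN from port 20, else 'other'."""
    fields = rec["fields"]
    if fields.get("PROTO") != "TCP":
        return "other"
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    flags = set(rec["flags"])
    # Active-mode data channel: the server connects from port 20 to the client's port.
    # Without the FTP conntrack helper this SYN is a NEW, unrelated connection.
    if spt == 20 and "SYN" in flags and "ACK" not in flags:
        return "active-data"
    if 21 in (spt, dpt):
        return "control"
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count logged packets per FTP category so the drop pattern is visible at a glance."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if line.strip():
            label = classify_ftp(parse_log_line(line))
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```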