Hi Dan, (and others)

A power-user tidbit, when performing a "Restart Firewall" from the web 
interface or from the CLI ...
--
arno-iptables-firewall restart
--
the current active netfilter conntrack states are maintained throughout, a very 
desirable feature, as such it causes minimal network disruption to users during 
the process.

In rare situations, particularly when changing firewall rules, it may be 
possible that a previously existing conntrack state may temporarily short-circuit the 
firewall rule change.  BTW, not particularly unique to AstLinux, I've seen this 
behavior in other products as well.

If this situation has you scratching your head, you can either reboot the box 
or from the command line ...
--
arno-iptables-firewall stop
arno-iptables-firewall start
--
in either case the netfilter conntrack states will be flushed.

Again this is a rare situation, probably occurs more often in the lab testing, 
but may have occurred in your situation.

Lonnie
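An added example, not code from the AstLinux list, Lonnie's post, or the arno-iptables-firewall project: it wraps the two reload procedures above (restart keeps conntrack states, stop/start flushes them) and adds a small check that lists the conntrack entries whose original-direction destination port matches a forwarded port, so an admin can see whether a pre-existing state could still be passing traffic after a rule change before deciding to flush. The sample input is constructed (documentation-range addresses) in the text format printed by `conntrack -L` from conntrack-tools and by /proc/net/nf_conntrack, modelled on the FTP port-forward case discussed further down the thread; the `firewall_reload` and `stale_states_for_port` names are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from AstLinux or arno-iptables-firewall).
# firewall_reload wraps the two reload procedures from the post; stale_states_for_port
# lists conntrack entries whose original-direction dport matches a forwarded port.
# Assumes conntrack-tools is installed for the real run:
#   conntrack -L 2>/dev/null | stale_states_for_port 21

# Reload the firewall. Default keeps conntrack states (restart); --flush uses
# stop/start, which drops them, as described in the post.
firewall_reload() {
    if [ "$1" = "--flush" ]; then
        arno-iptables-firewall stop && arno-iptables-firewall start
    else
        arno-iptables-firewall restart
    fi
}

# Read conntrack lines on stdin; print one line per entry whose original-direction
# dport equals $1, as "<proto> <src> -> <dst>:<dport> nat=<yes|no>".
# In each line the first src=/dst=/dport= belong to the original direction and the
# second src= is the reply direction; a reply src that differs from the original
# dst means the entry is being NAT'ed to an internal host.
stale_states_for_port() {
    awk -v want="$1" '
    {
        nsrc = 0; ndst = 0; ndport = 0; proto = ""; rsrc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "tcp" || $i == "udp") { if (proto == "") proto = $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "src")   { nsrc++;   if (nsrc == 1) osrc = val; else rsrc = val }
            if (key == "dst")   { ndst++;   if (ndst == 1) odst = val }
            if (key == "dport") { ndport++; if (ndport == 1) odport = val }
        }
        if (ndport > 0 && odport == want)
            printf "%s %s -> %s:%s nat=%s\n", proto, osrc, odst, odport, (rsrc != odst) ? "yes" : "no"
    }'
}

# Number of matching entries (0 means no stale state for that port).
count_stale_states_for_port() {
    stale_states_for_port "$1" | wc -l | tr -d ' '
}

# Constructed sample in conntrack -L format: two external FTP control connections
# NAT-forwarded to an internal server, one LAN-side SSH session, one DNS lookup.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.2 sport=51234 dport=21 src=192.168.1.10 dst=198.51.100.7 sport=21 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=198.51.100.9 dst=203.0.113.2 sport=40022 dport=21 src=192.168.1.10 dst=198.51.100.9 sport=21 dport=40022 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.1 sport=50010 dport=22 src=192.168.1.1 dst=192.168.1.20 sport=22 dport=50010 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 mark=0 use=1'

# Stand-alone run: show the TCP 21 states that "restart" keeps and stop/start flushes.
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_states_for_port 21
```

If the check reports entries for the port you just changed a rule for, that is the case the post describes: run `firewall_reload --flush` (stop then start) rather than a plain restart, and the states are gone.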


On Jul 28, 2017, at 9:22 AM, d...@ryson.org wrote:

> Good morning Lonnie and all,
>  
> Let's write this one off to pilot error.  I'm baffled why it didn't work 
> yesterday but works today.  But we'll take it.
>  
> Sorry for the mis-fire.  Thanks for the help!
>  
> Take care,
>  
> Dan
>  
> -----Original Message-----
> From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
> Sent: Friday, July 28, 2017 8:23am
> To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Port Forwarding FTP
> 
> Hi Dan,
> In the lab, I just tested using the following firewall rule:
> <2BF6853C-182A-4AEC-BB19-B57206F54325.png>
> It worked as expected.
> If it is possible to restrict the allowed source address (other than 0/0) 
> that would be good.
> Lonnie
> 
> On Jul 28, 2017, at 5:32 AM, d...@ryson.org wrote:
> 
> Hi Lonnie,
>  
> Thanks for the prompt reply and detailed insight. We'll circle back with 
> feedback on our findings, as requested. 
>  
> For what it's worth, we've had similar discussions with this client about 
> reliance on FTP. They're slowly replacing it with secure protocols but 
> progress is slow. 
>  
> Dan
>  
> -----Original Message-----
> From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
> Sent: Thursday, July 27, 2017 9:27pm
> To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Port Forwarding FTP
> 
> Hi Dan,
> 
> My first thought is *don't do that* :-) The FTP credentials are not 
> encrypted, easily captured, etc. Using FTP over a VPN (OpenVPN), or using 
> SFTP (TCP 22), would be much better choices.
> 
> If you really, really must allow FTP inbound on the external interface when 
> AstLinux is a NAT firewall, you must use "NAT EXT->LAN" of TCP 21 to your 
> internal FTP server. The Linux kernel will automatically apply the FTP helper 
> to track the TCP 20 data channel, so only NAT-forward TCP 21.
> 
> Be sure to remove any "Pass EXT->LAN" TCP 21 rules.
> 
> Note that "Pass EXT->LAN" is for non-NAT'ed situations when the networks are 
> routed, not NAT'ed. For example with IPv6 you would use "Pass EXT->LAN". For 
> NAT'ed situations with IPv4 use "NAT EXT->LAN".
> 
> Note that with "NAT EXT->LAN" you could make the public TCP port non-standard 
> and forward to the standard TCP 21 internally. I've never tried this, as the 
> FTP helper has to cooperate, so this may or may not work, also depends on the 
> FTP client.
> 
> Let us know how it goes.
> 
> Lonnie
> 
> 
> 
> On Jul 27, 2017, at 7:44 PM, d...@ryson.org wrote:
> 
> > All,
> > 
> > I just helped a friend reconfigure an AstLinux installation. Until today, 
> > it had been behind a NAT'd router/firewall. This afternoon, we added a NIC 
> > card and promoted AstLinux to replace the router/firewall. 
> > 
> > All the complicated bits worked fine. However, testing revealed that a 
> > simple port forwarding to an internal FTP server (port 21) isn't working. 
> > The FTP server is working from within the LAN but we can't access it from 
> > the Internet. We enabled EXT=>LAN using the web interface and we can see 
> > the rule in iptables but it doesn't seem to work. 
> > 
> > I'd appreciate any troubleshooting suggestions. 
> > 
> > Thanks,
> > 
> > Dan 
> 
> 


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
