Package: firehol
Version: 1.256-4
Severity: normal

*** Please type your report below this line ***


Hello,

I'm using firehol to protect a server. Today I encountered the problem that
passive-mode FTP didn't work. Tcpdump and syslog showed that the incoming data
connection's SYN packets were being blocked. I only got it to work after
applying the following patch:

--- firehol.old 2008-07-18 23:10:16.000000000 +0200
+++ firehol     2010-01-04 11:11:24.000000000 +0100
@@ -1480,7 +1480,7 @@
        # Passive FTP
        # accept high-ports related connections
        set_work_function "Setting up rules for Passive FTP ${type}"
-       rule ${in}          action "$@" chain "${in}_${mychain}"  proto tcp 
sport "${c_client_ports}" dport "${s_client_ports}" state ESTABLISHED,RELATED 
|| return 1
+       rule ${in}          action "$@" chain "${in}_${mychain}"  proto tcp 
sport "${c_client_ports}" dport "${s_client_ports}" state 
ESTABLISHED,RELATED,NEW || return 1
        rule ${out} reverse action "$@" chain "${out}_${mychain}" proto tcp 
sport "${c_client_ports}" dport "${s_client_ports}" state ESTABLISHED         
|| return 1
        
        require_kernel_module ip_conntrack_ftp
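Review bot: Adding NEW to the state list on the `+` line makes the inbound passive-FTP rule accept any TCP SYN from the client port range to the whole server passive range (32k:61000 by default, as the report notes), regardless of whether an FTP session exists; that is exactly the exposure the original ESTABLISHED,RELATED match was there to prevent. The data connection is meant to arrive as RELATED because the ftp conntrack helper that `require_kernel_module ip_conntrack_ftp` loads two lines below creates an expectation for it after parsing the PASV reply on the control connection; a SYN showing up as NEW means no expectation was created for that flow, so the thing to chase is why the helper did not track the control session, not the state list. I would keep the original `state ESTABLISHED,RELATED` line and not merge this change as-is.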


While you are looking into this problem, you might as well look into the
strange port range for FTP ports - the default being 32k:61000, and I don't
know how many FTP servers allow specifying the port range for passive mode
FTP. Mine does...


Kind regards,
--Toni++


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'proposed-updates'), (450, 'testing'), 
(250, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages firehol depends on:
ii  bash                          3.2-4      The GNU Bourne Again SHell
ii  iproute                       20080725-2 networking and traffic control too
ii  iptables                      1.4.2-6    administration tools for packet fi
ii  lsb-base                      3.2-20     Linux Standard Base 3.2 init scrip
ii  net-tools                     1.60-22    The NET-3 networking toolkit

Versions of packages firehol recommends:
ii  aggregate                1.6-4           ipv4 cidr prefix aggregator
ii  curl                     7.18.2-8lenny3  Get a file from an HTTP, HTTPS or 
ii  module-init-tools        3.4-1           tools for managing Linux kernel mo
ii  wget                     1.11.4-2+lenny1 retrieves files from the web

firehol suggests no packages.

-- no debconf information
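To make the effect of the patch concrete, here is an added model (not firehol code and not part of the report) that simulates the three matches the inbound passive-FTP rule carries, sport range, dport range and conntrack state, and runs the same constructed packets through the original and the patched state list. The client port range and the packets are assumptions made for the model; the passive range is the 32k:61000 default quoted above.

```python
"""Model of firehol's inbound passive-FTP rule before and after the
reported patch. Added example, not firehol code: it simulates iptables'
conntrack state match so the consequence of adding NEW is visible without
a live kernel. Port ranges and packets below are constructed."""

from dataclasses import dataclass

# Default passive port range quoted in the report (32k:61000) and an
# assumed unprivileged client range.
SERVER_PASSIVE_PORTS = (32768, 61000)
CLIENT_PORTS = (1024, 65535)

# State list on the inbound rule before and after the patch.
ORIGINAL_STATES = {"ESTABLISHED", "RELATED"}
PATCHED_STATES = {"ESTABLISHED", "RELATED", "NEW"}


@dataclass
class Packet:
    sport: int
    dport: int
    syn: bool
    state: str  # conntrack verdict: NEW, ESTABLISHED or RELATED


def in_range(port, rng):
    lo, hi = rng
    return lo <= port <= hi


def conntrack_state(syn, helper_expected):
    """Simplified conntrack classification for a TCP packet.
    A SYN matching an expectation the FTP helper created (after it parsed
    a PASV reply on the control connection) is RELATED; any other SYN is
    NEW; a non-SYN packet of a known flow is ESTABLISHED."""
    if not syn:
        return "ESTABLISHED"
    return "RELATED" if helper_expected else "NEW"


def inbound_rule_accepts(pkt, states):
    """The inbound rule reduced to its three matches: sport in the client
    range, dport in the passive range, state in the rule's list."""
    return (in_range(pkt.sport, CLIENT_PORTS)
            and in_range(pkt.dport, SERVER_PASSIVE_PORTS)
            and pkt.state in states)


def compare(packets):
    """Return {label: (original_verdict, patched_verdict)} for each packet."""
    return {label: (inbound_rule_accepts(p, ORIGINAL_STATES),
                    inbound_rule_accepts(p, PATCHED_STATES))
            for label, p in packets.items()}


def sample_packets():
    # Constructed packets covering the cases worth comparing.
    return {
        # Passive data SYN, helper tracked the control session.
        "pasv_data_helper_ok": Packet(51000, 40000, True,
                                      conntrack_state(True, True)),
        # Same SYN when the helper created no expectation (not loaded,
        # or not tracking the control session): the reporter's symptom.
        "pasv_data_no_helper": Packet(51000, 40000, True,
                                      conntrack_state(True, False)),
        # Unrelated SYN into the passive range with no FTP session at all.
        "unsolicited_syn": Packet(44444, 33333, True,
                                  conntrack_state(True, False)),
        # SYN to a port outside the passive range.
        "syn_outside_range": Packet(44444, 22, True,
                                    conntrack_state(True, False)),
    }


if __name__ == "__main__":
    for label, (orig, patched) in compare(sample_packets()).items():
        print(f"{label:22} original={'ACCEPT' if orig else 'DROP':6} "
              f"patched={'ACCEPT' if patched else 'DROP'}")
```

The second and third rows are the point: the patched state list accepts the reporter's untracked data SYN, but it accepts the unsolicited SYN in exactly the same way, because once NEW is allowed the rule no longer depends on the helper at all. The original rule only passes the first row, which is why the fix belongs in getting the helper to classify the data connection as RELATED.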


