Hi all. Time for me to de-lurk. Couldn't find anything on this on the
web, this list's archives or any of my reference manuals.

Some of my clients are unable to FTP to our server. They can log in,
change directories and read directory listings all right. But they
cannot put files. When they try to, something weird happens:

Packet log: INlog REJECT eth0 PROTO=6 193.172.234.241:65535 194.109.214.3:65535 L=52 S=0x10 I=56606 F=0x00B5 T=114 (#1)

I have two questions about this:

1. Where do those :65535 -> :65535 packets come from? 

I see no reason to expect them in a normal FTP dialog. They occur both
in active and in passive mode (and were not mentioned in the ftp
control dialogs, I had a tail on the ftp log). But they *did not*
occur when the client switched to another dial-in provider and tried
again!  So it seems to be some artifact of the dial-in ISP's network,
not of the FTP client software. My log files show that several ISPs
cause these :65535->:65535 blocks. Does anybody have experience with a
proxying setup that can cause these packets?

2. Why does ipchains block these packets?

Setting aside that these packets should not exist; my firewall is
configured such that if they *do* occur, they should be accepted. The
last five lines of my input chain are:

ACCEPT tcp  -y--l- 0xFF 0x00  eth0 0.0.0.0/0 194.109.214.0/24   1024:65535 -> 1024:65535
ACCEPT tcp  -y--l- 0xFF 0x00  eth0 0.0.0.0/0 194.109.206.154    1024:65535 -> 1024:65535
ACCEPT tcp  !y---- 0xFF 0x00  eth0 0.0.0.0/0 194.109.214.0/24   1024:65535 -> 1024:65535
ACCEPT tcp  !y---- 0xFF 0x00  eth0 0.0.0.0/0 194.109.206.154    1024:65535 -> 1024:65535
INlog  all  ------ 0xFF 0x00  *    0.0.0.0/0 0.0.0.0/0          n/a

That these packets fall through to the final reject-logging chain
would seem to imply anomalous behavior of ipchains, does it not?

Of course, the fact that port 65535 is the highest port number
possible is strange by itself already.

So I have a problem because some packets that shouldn't exist, ought
not to be blocked :-(. Please tell me the big and obvious thing that
I'm missing here.....

:*CU#
-- 
***    Guido A.J. Stevens      ***    mailto:[EMAIL PROTECTED]    ***
***    Net Facilities Group    ***    tel:+31.43.3618933    ***
***    Postbus 1143            ***    fax:+31.43.3561655    ***
***    6201 BC  Maastricht     ***    http://www.nfg.nl     ***

Time does not flow. Other times are just special cases of other
universes.
[Deutsch, ISBN 0-14-014690-3, p. 288]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
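An added example, mine and not part of the original post or of the ipchains project: the Python below decodes the quoted "Packet log:" line and runs it through a simplified model of the posted input chain. Two facts drive it. The F= field in an ipchains packet log is the raw IP fragment field (DF/MF flags plus the 13-bit offset), and F=0x00B5 has a nonzero offset, so the logged packet is a non-first (here the last) fragment of a larger datagram. Such fragments carry no TCP header, so ipchains logs them with source and destination port 65535, and ipchains(8) says a non-first fragment "will not match any rules which specify" ports. The model covers protocol, destination, port ranges, -y and -f only (interface and source address are ignored); the second log line and the SYN-flag argument are constructed, because the log format does not record TCP flags; and the chain with an explicit -f rule is my assumption about how one would let such fragments through, not something the post contains.

```python
"""Decode ipchains packet-log lines and model rule matching for fragments.

Added example, not code from the original post or from ipchains itself.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_DF, IP_MF, IP_OFFSET = 0x4000, 0x2000, 0x1FFF
ANY_PORTS = (0, 65535)          # an ipchains rule with no port spec means 0:65535
FRAG_PORT = 65535               # ipchains logs non-first fragments as 65535:65535

# Constructed sample input.  The first line is the one quoted in the post; the
# second is a made-up unfragmented SYN to a high port (DF set), for contrast.
SAMPLE_LOG = [
    "Packet log: INlog REJECT eth0 PROTO=6 193.172.234.241:65535 194.109.214.3:65535 "
    "L=52 S=0x10 I=56606 F=0x00B5 T=114 (#1)",
    "Packet log: input ACCEPT eth0 PROTO=6 193.172.234.241:1026 194.109.214.3:1027 "
    "L=60 S=0x10 I=56605 F=0x4000 T=114 (#1)",
]

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)


@dataclass
class Packet:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    frag_field: int     # raw value of the IP flags+offset field (what F= prints)

    @property
    def frag_offset(self) -> int:
        """Offset of this fragment in bytes; the header field counts 8-byte units."""
        return (self.frag_field & IP_OFFSET) * 8

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag_field & IP_MF)

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag_field & IP_DF)

    @property
    def is_non_first_fragment(self) -> bool:
        return (self.frag_field & IP_OFFSET) != 0


def parse_log_line(line: str) -> Packet:
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not an ipchains packet log line: {line!r}")
    return Packet(m["chain"], m["target"], m["iface"], int(m["proto"]),
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  int(m["len"]), int(m["frag"], 16))


@dataclass
class Rule:
    """Subset of an ipchains rule: -p, -d net, port ranges, -y / ! -y, -f."""
    target: str
    proto: Optional[int] = None
    dst: Optional[str] = None                   # destination net, e.g. "194.109.214.0/24"
    sports: Tuple[int, int] = ANY_PORTS
    dports: Tuple[int, int] = ANY_PORTS
    syn: Optional[bool] = None                  # True = -y, False = ! -y, None = not given
    frag_only: bool = False                     # -f: second and further fragments only


def rule_matches(rule: Rule, pkt: Packet, syn: bool) -> bool:
    """Model of ipchains matching.  `syn` is supplied by the caller because the
    packet log does not record TCP flags (assumption, see lead-in)."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.frag_only:
        return pkt.is_non_first_fragment
    if pkt.is_non_first_fragment:
        # No transport header: per ipchains(8) the fragment cannot match a rule
        # that specifies ports, and there are no TCP flags for -y to test either.
        specifies_ports = rule.sports != ANY_PORTS or rule.dports != ANY_PORTS
        return not specifies_ports and rule.syn is None
    if not (rule.sports[0] <= pkt.sport <= rule.sports[1] and rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    return rule.syn is None or rule.syn == syn


def first_match(chain: List[Rule], pkt: Packet, syn: bool = False) -> Optional[Tuple[int, Rule]]:
    """Index and rule of the first matching rule, as ipchains walks a chain."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt, syn):
            return i, rule
    return None


# The last five rules of the posted input chain, transcribed into the model.
POSTED_CHAIN_TAIL = [
    Rule("ACCEPT", 6, "194.109.214.0/24", (1024, 65535), (1024, 65535), syn=True),
    Rule("ACCEPT", 6, "194.109.206.154/32", (1024, 65535), (1024, 65535), syn=True),
    Rule("ACCEPT", 6, "194.109.214.0/24", (1024, 65535), (1024, 65535), syn=False),
    Rule("ACCEPT", 6, "194.109.206.154/32", (1024, 65535), (1024, 65535), syn=False),
    Rule("INlog"),                              # catch-all -j INlog
]

# Hypothetical variant: an explicit -f rule ahead of the port-specific ones,
# i.e. "ipchains -A input -p tcp -f -d 194.109.214.0/24 -j ACCEPT" (assumption).
FRAGMENT_AWARE_CHAIN = [Rule("ACCEPT", 6, "194.109.214.0/24", frag_only=True)] + POSTED_CHAIN_TAIL

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        p = parse_log_line(line)
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} offset={p.frag_offset} "
              f"MF={p.more_fragments} DF={p.dont_fragment} non_first_fragment={p.is_non_first_fragment}")
        print("  posted chain   ->", first_match(POSTED_CHAIN_TAIL, p))
        print("  with -f rule   ->", first_match(FRAGMENT_AWARE_CHAIN, p))
```

Running it shows the quoted packet decoding to offset 1448 with MF clear (last fragment of a 1500-byte datagram, which fits a client sending bulk data while listings and control traffic stay small), and falling through all four port-specific ACCEPT rules to the INlog catch-all; the constructed unfragmented SYN matches the first rule as intended. Letting -f fragments through is the usual choice in ipchains setups because the first fragment, which carries the TCP header, still has to pass the port rules before the receiver can reassemble anything.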
