On 28 Jan 99, at 22:28, Tim Fletcher wrote about
    "Re:  [masq] FTP and firewalls":

| > But this change won't help a masqueraded client, because there is no 
| > way to get the packet forwarded to the internal IP.  So you seem to 
| > be talking about running the FTP client on the masquerading box 
| > itself?  If so, masquerading doesn't enter into it.
| 
| Oh it does....
| 
| I run on the ipmasqed firewall: 

The firewall machine is not masqed, it is the masqER.

| /sbin/ipchains -D input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 60000:65535
| and then I can ls a dir on sunsite 

Running ftp client on some machine whose IP is *not* "myip"?  
Assuming so...

| I then run:
| /sbin/ipchains -I input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 60000:65535
| and I can't ls a dir on sunsite 
|...

Well, of course for masquerading to work at all, the firewall must 
accept incoming packets for (at least) the range of ports used by 
masquerading.  If replies to masqueraded outgoing packets are not 
accepted, they can't be demasqueraded/forwarded.

Since merely adding this accept rule allows ftp PORT commands to 
work, you must be running the ip_masq_ftp module.  But the fact that 
you *need* to add it is surprising.  I would have thought some other 
less specific input rule would have accepted these packets.

|...

- Fred Viles <mailto:[EMAIL PROTECTED]>


-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
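The point Fred makes above (the input chain must accept the packets before the masquerading code ever sees them, and an ordinary "established traffic" rule does not cover the FTP server's incoming data-connection SYN) is easiest to see with a small first-match model of an ipchains input chain. The following is an added example, not code from the thread, from ipchains or from the ip_masq_ftp module; it mimics only the flags quoted in the thread (-p tcp, -y / ! -y, -s host port, -d host port-range, first match wins, chain policy otherwise). MYIP and FTP_SERVER are constructed placeholders for "myip" and "sunsite", and the three packets are constructed too.

```python
"""Added example: a first-match model of an ipchains input chain, used to
show why the masquerading box must ACCEPT incoming SYNs into its
masquerade port range before ip_masq_ftp can forward an active-mode FTP
data connection.  Not the kernel's code; rule semantics are simplified."""
from dataclasses import dataclass
from typing import Optional, Tuple, List

MYIP = "192.0.2.1"            # constructed stand-in for the firewall's public "myip"
FTP_SERVER = "198.51.100.7"   # constructed stand-in for "sunsite"
MASQ_PORTS = (60000, 65535)   # port range quoted in the thread's rules


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass
class Rule:
    """One ipchains rule.  None means 'not specified' (matches anything)."""
    target: str                              # -j ACCEPT / DENY / REJECT
    proto: Optional[str] = None              # -p tcp
    src: Optional[str] = None                # -s host (None == 0.0.0.0/0)
    sport: Optional[Tuple[int, int]] = None  # -s ... port or lo:hi
    dst: Optional[str] = None                # -d host
    dport: Optional[Tuple[int, int]] = None  # -d ... port or lo:hi
    syn_only: Optional[bool] = None          # True == -y, False == ! -y

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn_only is not None:
            # ipchains -y: TCP with SYN set and ACK, FIN clear (a connection request)
            is_syn = p.proto == "tcp" and p.syn and not p.ack and not p.fin
            if is_syn != self.syn_only:
                return False
        return True


def run_chain(rules: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def base_input_chain() -> List[Rule]:
    """The 'less specific' rule Fred expects to exist: accept TCP to the
    firewall that is not a bare SYN.  Replies to masqueraded outgoing
    connections (SYN/ACK, ACK, data) all fall into this class."""
    return [Rule("ACCEPT", proto="tcp", dst=MYIP, syn_only=False)]


def ftp_data_rule() -> Rule:
    """Tim's rule: ipchains -I input -j ACCEPT -p tcp -y -s 0.0.0.0/0 20
    -d myip 60000:65535"""
    return Rule("ACCEPT", proto="tcp", sport=(20, 20), dst=MYIP,
                dport=MASQ_PORTS, syn_only=True)


def scenarios() -> dict:
    """Three constructed packets arriving at the firewall's masqueraded port 61000."""
    return {
        # SYN/ACK reply to an outgoing masqueraded control connection
        "reply_to_masq": Packet("tcp", FTP_SERVER, 21, MYIP, 61000, syn=True, ack=True),
        # FTP server opening the active-mode data connection after a PORT command
        "ftp_data_syn": Packet("tcp", FTP_SERVER, 20, MYIP, 61000, syn=True),
        # unrelated connection attempt into the masquerade range
        "stray_syn": Packet("tcp", "203.0.113.9", 44444, MYIP, 61000, syn=True),
    }


def verdicts(rules: List[Rule]) -> dict:
    return {name: run_chain(rules, p) for name, p in scenarios().items()}


if __name__ == "__main__":
    without = verdicts(base_input_chain())
    with_rule = verdicts([ftp_data_rule()] + base_input_chain())  # -I inserts at the head
    for name in scenarios():
        print(f"{name:15s} without rule: {without[name]:6s} with -y rule: {with_rule[name]}")
```

Without the -y rule the reply packet is accepted but the server's data SYN is denied, which is exactly the "can't ls a dir" symptom; with it at the head of the chain the SYN gets through and the stray SYN from another host is still denied. Two caveats a practitioner should keep in mind: the source-port-20 match is not authentication (any host can send a SYN from port 20 into the masquerade range, so the rule merely lets such packets reach the masquerading code, which forwards them only where ip_masq_ftp has recorded a pending data connection), and the model here checks exact hosts rather than CIDR masks, so 0.0.0.0/0 is simply "no -s host given".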