On Wednesday 18 June 2003 18:01, Jason Joines wrote:
>   I inherited (old admin left, boss said "this is yours") a RH 6.2
> server that runs a web application via apache and mysql.  It generates a
> link that points to an ftp URL to retrieve spreadsheets.  The URL is
> something like ftp://user:[EMAIL PROTECTED]/filename.xls.  I had put up an
> ipchains firewall on the box and opened port 21, expecting that I might
> also have to open port 20.  I tested by retrieving a file via ftp from
> the command line on my SuSE desktop system.
>   Then I got reports that the users couldn't retrieve the files.  The
> logs showed rejections from the user's machines to a variety of
> arbitrary high tcp ports.  They were not replies but initiated
> connections as I have allowed replies via:
>
> $ipchains -A input -s $anyhost -d $thishost 1024:65535 -p tcp -i eth0 ! -y -j ACCEPT
>
>   The users have IE x.x on win2k.  I had one of them try to retrieve a
> file via the win2k command line and that worked just fine.  So, I tried
> Mozilla 1.4rc1 on my SuSE box.  Then I had the same problem as the users
> and the log showed rejections from my box to arbitrary high tcp ports on
> the server.
>
>   It looks like the ftp in the browsers is doing something odd.  The
> server is running wu-ftpd 2.60.
>

I'm no ftp expert but I do know that once a connection is made for passing 
data (i.e. once a GET is issued) that the connection will be on an 'arbitrary 
high port'.

I would also guess there is something wrong with the way your ipchains wall is 
set up because this should not be a problem to a properly set up wall.  
(read: at least it was never a problem for me when I used to run ipchains and 
I was a linux newbie at the time).

I am not sure if ftp sets up an outgoing connection on that high port first, 
in which case the firewall would know that the incoming is good stuff..  but 
that's probably the way it works.  You should *not* have to open all the high 
ports.



>   Any ideas?
>
> Thanks,
>
> Jason Joines
> ===========
>
> _______________________________________________
> Linux-users mailing list
> [EMAIL PROTECTED]
> Unsubscribe/Suspend/Etc ->
> http://www.linux-sxs.org/mailman/listinfo/linux-users
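
Added example, not part of either poster's message: a small Python parser for the two FTP control-channel lines that set up a data connection (the client's PORT command and the server's 227 reply to PASV, both defined in RFC 959). It reports which side opens the data connection and to which port, and whether that requires the server firewall to accept a new inbound SYN to a high port. The sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re

# The six comma-separated numbers used by both PORT (client) and 227 (server).
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The last two numbers are the high and low bytes of the TCP port.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(line):
    """Classify one control-channel line; None if it sets up no data channel."""
    if line.upper().startswith("PORT "):
        mode, opener = "active", "server"    # server connects out to the client
    elif line.startswith("227 "):
        mode, opener = "passive", "client"   # client connects in to the server
    else:
        return None
    hp = parse_hostport(line)
    if hp is None:
        return None
    return {"mode": mode, "opener": opener,
            "listen_ip": hp[0], "listen_port": hp[1]}

def needs_inbound_syn(conn):
    """True when the server firewall must accept a NEW inbound connection
    (SYN set) to a high port, which a '! -y' replies-only rule never matches."""
    return conn["opener"] == "client" and 1024 <= conn["listen_port"] <= 65535

# Constructed sample control-channel lines (documentation addresses).
SAMPLE = [
    "PORT 198,51,100,7,195,80",
    "227 Entering Passive Mode (192,0,2,10,78,52)",
    "150 Opening BINARY mode data connection",
]

if __name__ == "__main__":
    for line in SAMPLE:
        conn = data_connection(line)
        if conn:
            print(conn["mode"], conn["listen_port"],
                  "inbound SYN needed:", needs_inbound_syn(conn))
```

In passive mode the client opens the data connection to the port the server announced, so an input rule that accepts only non-SYN packets to 1024:65535 rejects it. Which mode each client in the thread used is not stated there.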
