/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Right. But this, at least in my case, is what I am trying to do. I have
masq'ed clients that are trying to ftp to other sites and they cannot get a data
connection (despite having the module loaded on the firewall) without opening up
port 20 via IPCHAINS.
Dan
Charles Shoemaker wrote:
>
> The ip_masq_ftp module is just for masquerade clients, like the
> other machines on your internal network. I ran into this recently,
> where the internal machines could do ftp just fine, but trying ftp
> from the linux firewall machine failed.
>
> The solution is to open tcp port 20, ftp-data. I'd be curious to hear
> from others on the list: just how big a security problem is this?
> The security gurus would probably tell us, "don't do ftp from your
> firewall machine!"
>
> From: "Justin Ellison" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [Masq] ip_masq_ftp module does not work
> Date sent: Thu, 21 Dec 2000 09:16:06 -0600
>
> >
> > Jan and Daniell,
> >
> > I've recently had this problem, and I too thought it was something with
> > ip_masq_ftp. However, it was the client that was causing the problem. I
> > was using ncftp to connect, which uses passive mode FTP by default. From an
> > ncftp prompt, type "set passive off" and try to do an ls. Or, do an ftp
> > session from the command prompt in windows.
> >
> > Justin
> > ----- Original Message -----
> > From: "Daniell Freed" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Thursday, December 21, 2000 8:43 AM
> > Subject: Re: [Masq] ip_masq_ftp module does not work
> >
> >
> > >
> > > I too am having a similar problem. My ftp connection doesn't hang, but
> > > I do get the error "Data connection refused" or something of the sort.
> > > Basically, the syn packet is received; one of my input rules ( ipchains -A
> > > input -p TCP -i $externalinterface -s 0/0 -d 0/0 -y -l -j REJECT), which
> > > blocks any connection requests (i.e. any SYN packets that are incoming), blocks
> > > the packet and logs the attempt. The only workaround I currently have is
> > > to not include this rule in my firewall, but that isn't a very good option
> > > because now I don't get the extra security that this rule offers.
> > >
> > > Any help would be appreciated.
> > >
> > > Daniell Freed
> > >
> > >
> > > Jan Stifter wrote:
> > >
> > > > hello all,
> > > >
> > > > even though i modprobe the ip_masq_ftp module and lsmod shows me the
> > > > ip_masq_ftp module, i can not get a data channel to an ftp server. as
> > > > soon as i type ls, the connection hangs.
> > > >
> > > > my kernel is a clean 2.2.17, ip_masq_ftp.c shows
> > > > * Version: @(#)ip_masq_ftp.c 0.10 20/09/00
> > > >
> > > > (i have patched it, original module is 0.04)
> > > >
> > > > i have nothing wrong in the log. when i am trying to initiate a data
> > > > connection, the server sends me a SYN packet to a masqueraded port
> > > > somewhere around 62000, which gets REJECTED (because the ip_masq_ftp
> > > > module does not work, or because i am too stupid to make it work).
> > > >
> > > > any hints are greatly appreciated
> > > >
> > > > jan
> > > >
> > > > ---
> > > > Jan Stifter
> > > > http://www.medres.ch/~jstifter/
> > > >
> > > > _______________________________________________
> > > > Masq maillist - [EMAIL PROTECTED]
> > > > Admin requests can be handled at http://www.indyramp.com/masq-list/ --
> > > > THIS INCLUDES UNSUBSCRIBING!
> > > > or email to [EMAIL PROTECTED]
> > > >
> > > > PLEASE read the HOWTO and search the archives before posting.
> > > > You can start your search at http://www.indyramp.com/masq/
> > > > Please keep general linux/unix/pc/internet questions off the list.
> > >
> > > --
> > > Daniell Freed
> > > Computer Services
> > > Dewitt, Ross, & Stevens S.C.
> > >
> > > He who fights with monsters might take care
> > > lest he thereby become a monster.
> > > And if you gaze for long into an abyss,
> > > the abyss gazes also into you.
> > >
> > > Beyond Good and Evil
> > > Friedrich Wilhelm Nietzsche
--
Daniell Freed
Computer Services
Dewitt, Ross, & Stevens S.C.
He who fights with monsters might take care
lest he thereby become a monster.
And if you gaze for long into an abyss,
the abyss gazes also into you.
Beyond Good and Evil
Friedrich Wilhelm Nietzsche
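
The rule interaction discussed in this thread, as an added example that is not part of any poster's message: a small first-match model of an ipchains-style input chain, evaluated on the inbound SYN of an active-mode FTP data connection. It assumes "opening port 20" means accepting SYNs whose source port is 20, and that the masquerade port range is 61000-65095 (the Linux 2.2 default); the rule names and both packets are constructed.

```python
# Added example (not from the thread): first-match model of an input chain.
from dataclasses import dataclass

ANY = (0, 65535)
MASQ_PORTS = (61000, 65095)   # assumption: Linux 2.2 default masquerade range

@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    syn: bool                 # SYN set, ACK clear: what ipchains -y matches

@dataclass(frozen=True)
class Rule:
    target: str               # "ACCEPT" or "REJECT"
    sport: tuple = ANY
    dport: tuple = ANY
    syn_only: bool = False    # models the -y flag

    def matches(self, p: Packet) -> bool:
        return (self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1]
                and (p.syn or not self.syn_only))

def verdict(chain, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

REJECT_SYN = Rule("REJECT", syn_only=True)               # rule quoted in the thread
OPEN_20 = Rule("ACCEPT", sport=(20, 20), syn_only=True)  # "open port 20" (assumed meaning)
SCOPED_20 = Rule("ACCEPT", sport=(20, 20), dport=MASQ_PORTS, syn_only=True)

CHAINS = {
    "reject-syn only": [REJECT_SYN],
    "port 20 opened": [OPEN_20, REJECT_SYN],
    "port 20 to masq range": [SCOPED_20, REJECT_SYN],
}
# Constructed packets: the data connection described in the thread, and a SYN
# that merely carries source port 20 while addressed to a local service port.
FTP_DATA = Packet(sport=20, dport=62000, syn=True)
NOT_FTP = Packet(sport=20, dport=111, syn=True)

def compare():
    """Map each chain name to (verdict for FTP_DATA, verdict for NOT_FTP)."""
    return {name: (verdict(c, FTP_DATA), verdict(c, NOT_FTP))
            for name, c in CHAINS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} ftp-data={result[0]:7} other={result[1]}")
```

The source port is chosen by the sender, so the unscoped rule accepts any inbound SYN that uses port 20; limiting the destination to the masquerade range keeps the exemption to ports the firewall hands out for masqueraded connections.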