

Jan Stifter wrote:

> even though i modprobe the ip_masq_ftp module and lsmod shows me the
> ip_masq_ftp module, i can not get a data channel to an ftp server. as
> soon as i type ls, the connection hangs.
> 
> my kernel is a clean 2.2.17, ip_masq_ftp.c shows
>  * Version:     @(#)ip_masq_ftp.c 0.10   20/09/00
> 
> (i have patched it, original module is 0.04)
> 
> i have nothing wrong in the log. when i am trying to initiate a data
> connection, the server sends me a SYN packet to a masqueraded port
> somewhere around 62000, which gets REJECTED (because the ip_masq_ftp
> module does not work, or because i am too stupid to make it work).

the packet isn't being rejected because ip_masq_ftp doesn't work.
it's because your packet filtering doesn't allow the packet. the
module never gets to see the packet so it doesn't get a chance to
work.

note that when masquerading, the ports 61000-65096 are used for
masqueraded connections. if your rules don't allow packets using
these port numbers, then masquerading doesn't work (in the 2.2 kernels).

also note: don't allow outgoing active ftp and don't allow incoming
passive ftp. either of these requires you to allow any external host
to initiate connections to just about any port. this means you don't
have a firewall.

all ftp clients should use passive ftp so that both the command and
data channels are initiated by the internal ftp client (not the external
ftp server).

all ftp servers should live on victim hosts outside the firewall since
they cannot be secured.

raf
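As an added illustration of the diagnosis above (not part of raf's reply), here is a small shell script that scans 2.2-style ipchains "Packet log:" lines and flags TCP SYNs dropped on a destination port inside the 61000-65096 masquerade range, which is exactly the symptom Jan describes. It assumes ipchains is the packet filter in use, that logging is enabled on the rejecting rule, and that the log format is `Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... SYN`; the sample log lines are constructed.

```shell
#!/bin/sh
# Masquerade port range used by the 2.2 kernels, as stated in the reply.
MASQ_LO=61000
MASQ_HI=65096

# Return 0 when port $1 falls inside the masquerade range.
in_masq_range() {
    [ "$1" -ge "$MASQ_LO" ] && [ "$1" -le "$MASQ_HI" ]
}

# Read ipchains log lines on stdin and print one line per TCP SYN that a
# DENY/REJECT rule dropped on a masqueraded port:
#   <chain> <target> <src>:<sport> -> <dst>:<dport>
# The fields are located relative to the "log:" token so that a syslog
# timestamp/host prefix in front of "Packet log:" does not matter.
find_blocked_masq_syn() {
    awk -v lo="$MASQ_LO" -v hi="$MASQ_HI" '
        /Packet log:/ && /PROTO=6/ && / SYN/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") base = i
            chain = $(base + 1); target = $(base + 2)
            src = $(base + 5); dst = $(base + 6)
            n = split(dst, p, ":"); dport = p[n] + 0
            if ((target == "DENY" || target == "REJECT") && dport >= lo && dport <= hi)
                print chain, target, src, "->", dst
        }'
}

# Constructed sample: an active-ftp data SYN from port 20 to a masq port
# (rejected), the control channel (accepted), a rejected telnet probe
# outside the range, and a UDP packet that must be ignored.
sample_log() {
    cat <<'EOF'
Packet log: input REJECT eth0 PROTO=6 192.0.2.10:20 203.0.113.5:62134 L=60 S=0x00 I=18 F=0x4000 T=51 SYN (#3)
Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:21 203.0.113.5:1034 L=60 S=0x00 I=19 F=0x4000 T=51 SYN (#1)
Packet log: input DENY eth0 PROTO=6 198.51.100.7:4444 203.0.113.5:23 L=60 S=0x00 I=20 F=0x4000 T=51 SYN (#5)
Packet log: input DENY eth0 PROTO=17 198.51.100.7:53 203.0.113.5:61500 L=48 S=0x00 I=21 F=0x0000 T=51 (#5)
EOF
}

# Running the sample through the scanner reports only the masq-port SYN:
#   input REJECT 192.0.2.10:20 -> 203.0.113.5:62134
sample_log | find_blocked_masq_syn
```

A hit from port 20 means an active-ftp data connection is being blocked before ip_masq_ftp ever sees it; the fix raf recommends is to switch the client to passive mode rather than to open the whole range to the world.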

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
