Howdy folks, having a bit of trouble with my firewall/masq setup. I am
running it via an ADSL hookup from bctel. I am using the ruleset from the
"Linux Network Toolkit" by Paul G. Sery.
The problem is that passive FTP (as in via web browser) doesn't work; SMTP,
POP3 and command-line FTP from another Linux box work fine. Even HTTP
works fine, just PASV FTP is the problem.
The system has 2 Linux boxes that come before the attached Windows boxes. The
firewall box (firewall router - FWR) is on its own subnet with the
external NIC of the internal fileserver/router (FSR); the internal NIC on
the FSR is connected to my private network of MS Windows boxes
(95, 98, NT).
The FWR is connected on its external NIC to ADSL via DHCP.
So can anyone see anything wrong with the following ruleset that may be
causing the problem? I haven't had a chance to test out other protocols
yet (VDOLive, CU-SeeMe etc.). The ruleset is direct from the book and the
only modification is that on line 11, I have changed:
ISP_IP=`ifconfig ppp0 |grep 'inet addr'| awk '{print
to
ISP_IP=`ifconfig eth1 |grep 'inet addr'| awk '{print
TIA
P.S. Trying to load the ip_masq_ftp module brings up some other problems
(info to follow in next message).
#!/bin/sh
# Some definitions for easy maintenance.
# To obtain the dynamic PPP IP address, the output of ifconfig is piped to
# grep which strips out all the lines except the one containing the address
# and pipes it to awk which strips out the 2nd field containing the address.
# The final step has sed eliminate the text string "addr:" leaving just the
# IP address. There is probably a simpler way to do this but it works for me.
ISP_IP=`ifconfig ppp0 |grep 'inet addr'| awk '{print $2}'|sed -e "s/addr\://"`
echo $ISP_IP
# My fixed addresses
ME="192.168.32.1"            # the firewall's own address on the firewall subnet
FIRE_NET="192.168.32.0/24"   # firewall subnet (firewall <-> file/print server)
PRIV_NET="192.168.1.0/24"    # private network behind the file/print server (not referenced below)
ALLIP="0.0.0.0/0"            # any address
HIPORTS="1024:65535"         # unprivileged (client-side) port range
# Clear out whatever rules are still set
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
# Start by completely denying any network access.
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny
# Deny spoofed packets: nothing arriving on the Internet interface may claim
# a firewall-subnet source or our own address as its source.
ipfwadm -I -a deny -V $ISP_IP \
        -S $FIRE_NET \
        -D $ALLIP
ipfwadm -I -a deny -V $ISP_IP \
        -S $ISP_IP \
        -D $ALLIP
# Allow unlimited traffic within the local network
# (Allow all traffic on the ethernet interface - attached to the
# Linux file/print server. This does not affect the behavior of
# the PPP/Internet connection.)
#
ipfwadm -I -a accept -V $ME \
        -S $ALLIP \
        -D $ALLIP
ipfwadm -O -a accept -V $ME \
        -S $ALLIP \
        -D $ALLIP
# Allow outgoing TCP packets for the specified protocols
# I use duplicate rules for both the specific PPP IP address (obtained
# from the first command line in this script) as well as the firewall
# subnet. The first rule allows you to access the Internet from the firewall
# network since outgoing packets use the PPP connection IP as their source
# address (Note that this is superfluous if you follow the instructions
# in chapter 11 that remove most network applications from the firewall to
# increase security.) The second rule permits computers on the firewall network
# and the private network to reach the Internet since they arrive at the
# PPP interface with the source address of the Linux file/print server which
# routes packets from the private network to the firewall network and
# masquerades them.
ipfwadm -O -a accept -P tcp \
        -S $FIRE_NET $HIPORTS \
        -D $ALLIP pop-3 smtp ftp ftp-data www telnet domain
ipfwadm -O -a accept -P tcp \
        -S $ISP_IP $HIPORTS \
        -D $ALLIP pop-3 smtp ftp ftp-data www telnet domain
# Allow outgoing UDP packets for the specified protocols (name service here).
ipfwadm -O -a accept -P udp \
        -S $FIRE_NET $HIPORTS \
        -D $ALLIP domain
ipfwadm -O -a accept -P udp \
        -S $ISP_IP $HIPORTS \
        -D $ALLIP domain
# Allow the return packets of sessions originating internally for the
# specified protocols. The -k option matches only TCP packets with the ACK
# bit set, i.e. never the bare SYN that opens a new connection, so these
# rules admit replies from the listed service ports to our unprivileged
# ports but not connections initiated from outside.
ipfwadm -I -a accept -k -P tcp \
        -S $ALLIP pop-3 smtp ftp www telnet domain \
        -D $FIRE_NET $HIPORTS
ipfwadm -I -a accept -k -P tcp \
        -S $ALLIP pop-3 smtp ftp www telnet domain \
        -D $ISP_IP $HIPORTS
# Allow the remote ftp server to initiate a connection back to you. This
# happens when you issue an ftp command like "dir" or "get" or "put", etc.
# Note that this is not necessary if you use the ftp passive mode.
ipfwadm -I -a accept -P tcp \
        -S $ALLIP ftp-data \
        -D $FIRE_NET $HIPORTS
ipfwadm -I -a accept -P tcp \
        -S $ALLIP ftp-data \
        -D $ISP_IP $HIPORTS
# Allow name-service (UDP) replies back to our unprivileged ports.
ipfwadm -I -a accept -P udp \
        -S $ALLIP domain \
        -D $FIRE_NET $HIPORTS
ipfwadm -I -a accept -P udp \
        -S $ALLIP domain \
        -D $ISP_IP $HIPORTS
# Allow forwarding TCP packets from internal to external network
#ipfwadm -F -a accept -P tcp \
#        -S $FIRE_NET $HIPORTS \
#        -D $ALLIP ftp ftp-data www telnet domain
#ipfwadm -F -a accept -P tcp \
#        -S $ISP_IP $HIPORTS \
#        -D $ALLIP ftp ftp-data www telnet domain
# Allow forwarding TCP packets from external to internal network with
# the ACK bit set (-k), i.e. replies only
#ipfwadm -F -a accept -k -P tcp \
#        -S $ALLIP ftp www telnet domain \
#        -D $FIRE_NET $HIPORTS
#ipfwadm -F -a accept -k -P tcp \
#        -S $ALLIP ftp www telnet domain \
#        -D $ISP_IP $HIPORTS
# Allow ...
#ipfwadm -F -a accept -P tcp \
#        -S $ALLIP ftp-data -D $FIRE_NET $HIPORTS
# ipfwadm -F -a accept -P udp \
#
# Set masquerading rules. (The second rule is necessary if you do not
# set up masquerading on the router - in our case the Linux file/print
# server - between the private and firewall networks. If that is the
# case, you also have to add a route on the firewall server to point
# back to the private network. For example:
# route add -net 192.168.1.0 gw 192.168.32.254
#
ipfwadm -F -a masquerade -S $FIRE_NET -D 0.0.0.0/0
# ipfwadm -F -a masquerade -S $ISP_IP -D 0.0.0.0/0
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (pgp enabled) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
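Editor's note, as an added example that is not part of the post above or of the book's ruleset: a port-level model of the script's external-interface TCP rules, run against a constructed PASV reply. In passive mode (RFC 959) the client opens the data connection itself, to an unprivileged port the server announces in its "227" reply; the script's -O chain only accepts TCP to the named service ports (pop-3 smtp ftp ftp-data www telnet domain) and its policy is deny, so that connection never leaves the firewall, while an active-mode data connection from ftp-data (20) matches the script's own input rule. The model assumes the client uses ephemeral port 40000 (any port in HIPORTS behaves the same) and ignores addresses, interfaces and the anti-spoof rules; the server reply is a constructed sample, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the original post or from Paul G. Sery's book:
# a port-level model of the external-interface TCP rules in the ipfwadm
# script above, used to show what happens to an FTP data connection.
# Assumptions: the client uses ephemeral port 40000 (any port in HIPORTS
# behaves the same); addresses, interfaces and the anti-spoof rules are
# not modelled; PASV replies are constructed samples, not captured traffic.

# Destination ports the script's "ipfwadm -O -a accept -P tcp" rules name:
# pop-3 smtp ftp ftp-data www telnet domain.
ALLOWED_OUT_DPORTS="110 25 21 20 80 23 53"
# Source ports the script's "ipfwadm -I -a accept -k -P tcp" rules name
# (pop-3 smtp ftp www telnet domain; ftp-data has its own non -k rule).
ALLOWED_IN_ACK_SPORTS="110 25 21 80 23 53"
HIPORT_MIN=1024
HIPORT_MAX=65535

in_list() {                      # in_list PORT "P1 P2 ..." -> true if PORT is listed
    for p in $2; do [ "$p" -eq "$1" ] && return 0; done
    return 1
}

is_hiport() {                    # true if $1 lies within HIPORTS (1024:65535)
    [ "$1" -ge $HIPORT_MIN ] && [ "$1" -le $HIPORT_MAX ]
}

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and print "host port",
# where port = p1*256 + p2 (RFC 959). Fails on anything else.
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Verdict of the -O chain for a locally originated packet: sport dport.
outbound_tcp_verdict() {
    if is_hiport "$1" && in_list "$2" "$ALLOWED_OUT_DPORTS"; then
        echo accept
    else
        echo deny                # falls through to "ipfwadm -O -p deny"
    fi
}

# Verdict of the -I chain on the Internet interface: ack(0|1) sport dport.
inbound_tcp_verdict() {
    ack=$1; sport=$2; dport=$3
    if is_hiport "$dport"; then
        # -k rules: replies (ACK set) from the listed service ports only.
        if [ "$ack" -eq 1 ] && in_list "$sport" "$ALLOWED_IN_ACK_SPORTS"; then
            echo accept; return 0
        fi
        # ftp-data rule: active-mode data connections, any flags.
        if [ "$sport" -eq 20 ]; then
            echo accept; return 0
        fi
    fi
    echo deny                    # falls through to "ipfwadm -I -p deny"
}

# Passive mode: the client opens the data connection to the announced port.
# The outbound SYN must pass -O, then the server's SYN/ACK must pass -I.
pasv_data_verdict() {
    ep=$(pasv_endpoint "$1") || { echo deny; return 0; }
    port=${ep##* }
    [ "$(outbound_tcp_verdict 40000 "$port")" = accept ] || { echo deny; return 0; }
    inbound_tcp_verdict 1 "$port" 40000
}

# Active mode: the server connects from ftp-data (20) to the client's high
# port; its first packet is a SYN with no ACK, then the client's reply leaves.
active_data_verdict() {
    [ "$(inbound_tcp_verdict 0 20 40000)" = accept ] || { echo deny; return 0; }
    outbound_tcp_verdict 40000 20
}

# Demo with a constructed server reply: 195*256+80 = data port 50000.
SAMPLE_PASV='227 Entering Passive Mode (192,0,2,10,195,80)'
echo "control channel : $(outbound_tcp_verdict 40000 21)"      # accept
echo "passive data    : $(pasv_data_verdict "$SAMPLE_PASV")"    # deny
echo "active data     : $(active_data_verdict)"                  # accept
```

The denial comes from the -O chain before the -k input rule is even consulted; the return rule would refuse the server's reply too, since port 50000 is not in its source-port list. In the script's own terms a passive transfer needs an outbound accept to $HIPORTS plus a -k return rule from $HIPORTS (in both the $FIRE_NET and $ISP_IP variants), which opens every unprivileged port from the inside; that trade-off is why a control-channel helper such as the ip_masq_ftp module mentioned in the P.S. tracks the FTP session for masqueraded hosts instead of relying on static port rules.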