On Fri, 16 Nov 2001, Gerald Timothy Quimpo wrote:

> At 01:32 AM 11/17/01, Pong wrote:
>
> >if they allow you to connect to port 21 (the ftp control port),
> >there's no reason to block you from downloading from the data port.
> >simply put, something is blocking your access to the ftp data port, that's
> >why it times out. try forcing a passive mode ftp data connection
> >by typing 'passive' repeatedly until the ftp session toggles it to
> >'Passive mode on'
> >
> >ftp> passive
> >Passive mode off.
> >ftp> passive
> >Passive mode on.
> >
> >once it's in passive mode, then do an 'ls'. if it succeeds
> >then, you now can download. in passive mode, both connections
> >(control and data) to the ftp server are initiated from your
> >ftp client, which helps you bypass any probable firewall in between
> >preventing the ftp server from initiating the data connection
> >to you instead.
>
> ahh, that's the problem. i forgot that i was on a box that
> had input deny as the default policy (but with allow established
> connections; this was on FreeBSD). i just tried that and i
> see that it's 5.2 on there so i guess i won't be grabbing
> that tonight. i already have that.
>
> i've got some other questions about firewalls and networking
> and i may as well ask them now that the topic comes up.
>
> 1. i've got ip-masq on my dialup-server. when i do
>
> netstat -a
>
> i see connections from the server to internal boxes and
> connections from the server to external boxes, but i don't
> see masqueraded connections. is there a way to see what
> masqueraded connections are active?

ipchains -L -M -n

> 2. in general, "input deny by default is more secure" than
> input accept by default. of course. but if i've got
> my firewall selectively allowing only trusted hosts to
> connect to ports where daemons are listening
>
> e.g., the only service on box B1 is HTTP and i've got
> a firewall rule that says only IPs in the range
> ABC.DEF.GHI.0-16 can connect to B1:80
>
> what benefit is there in denying by default to ports where
> no servers are listening? (naturally, i'd let established
> connections, started from inside, through the firewall).

none really

> or maybe that's the wrong question. better would be, how
> would an attacker, ah, attack a box like that where there
> are no open ports to connect to? i don't think "deny by

SYN floods, ping floods, unless you deny icmp as well. If your kernel is old, ye old ping of death will do you.

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
