On Tue, 20 Feb 2001, Tanner, Robby wrote:
> Why is there no MASQing involved?
>
Because they are not a complete set of rules - just the ftp rules.
>
> I'm not a 100% on those rules. Please verify my descriptions below...
>
[snip]
>
> > A good starting point would "modprobe ip_masq_ftp". Then you may want
> > to make sure you have firewall rules like this:
> >
> > IPADDR = <internet address of your firewall>
> > EXTERNAL_INTERFACE = <interface connected to the internet: eth0, eth1, or ppp0>
> > UNPRIVPORTS = "1024:65535"
> >
> > # FTP client (21)
> > # ---------------
> >
> > # outgoing request
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> > -s $IPADDR $UNPRIVPORTS \
> > --destination-port 21 -j ACCEPT
> >
>
> Why would I include an output rule? My default is to ACCEPT, should I
> change that?
>
That is up to you. My default rule is to deny everything, and then add
in the stuff I want. I feel safer that way.
>
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > --source-port 21 \
> > -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> I accept packets on my internet card that are not connection requests and
> are coming from port 21 bound for my internet card anywhere in the range
> 1024:65535 (right?).
>
right. These are the responses from the machine you are connecting to.
>
>
> > # PORT mode data channel
> > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> > --source-port 20 \
> > -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> Accept tcp packets (even connection requests?) to my internet card, from any
> server:port 20 that are bound for my internet address anywhere in the port
> range 1024:65535.
>
This is the data connection opened on the other end in response to your
commands to the ftp server.
>
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > -s $IPADDR $UNPRIVPORTS \
> > --destination-port 20 -j ACCEPT
>
> Send packets out the internet card, that are not connection requests from my
> internet address (1024:65535) bound for port 20.
>
The second half of the data channel - your machine talking to the ftp
server. If you are downloading, this is where you tell the other end
you received the data packet ok, or to resend them. This rule and the
one above it work as a pair.
>
>
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
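As an added illustration (not part of the thread above), here is a small Python model of the four quoted ipchains FTP-client rules applied to the packets of one PORT-mode session; the firewall and server addresses are constructed, and ipchains' `-y` flag is modelled as "SYN set, ACK clear", so the `! -y` rules pass replies and data acknowledgements but not inbound connection requests. It shows why the data-channel input rule, which has no `! -y`, is the one that lets the server open the connection from port 20, while a fresh SYN arriving from port 21 matches nothing and falls through to the chain policy.

```python
from dataclasses import dataclass

FIREWALL_IP = "203.0.113.10"      # constructed stand-in for $IPADDR
SERVER = "198.51.100.7"           # constructed remote FTP server
UNPRIVPORTS = range(1024, 65536)  # the quoted "1024:65535"

@dataclass(frozen=True)
class Packet:
    chain: str  # "input" (arriving on $EXTERNAL_INTERFACE) or "output"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
def is_conn_request(p: Packet) -> bool:
    """ipchains -y: SYN set with ACK cleared, i.e. a new connection request."""
    return p.syn and not p.ack
def port_ok(port: int, spec) -> bool:
    """spec is None (any port), a range ("1024:65535"), or a single port."""
    return spec is None or (port in spec if isinstance(spec, range) else port == spec)
# (name, chain, src, sport, dst, dport, has_not_y) mirroring the four quoted rules
RULES = [
    ("ftp-cmd-out",  "output", FIREWALL_IP, UNPRIVPORTS, None, 21, False),
    ("ftp-cmd-in",   "input",  None, 21, FIREWALL_IP, UNPRIVPORTS, True),
    ("ftp-data-in",  "input",  None, 20, FIREWALL_IP, UNPRIVPORTS, False),
    ("ftp-data-out", "output", FIREWALL_IP, UNPRIVPORTS, None, 20, True),
]

def first_match(p: Packet):
    """Name of the first rule that ACCEPTs p, or None (falls to the chain policy)."""
    for name, chain, src, sport, dst, dport, not_y in RULES:
        if (p.chain == chain
                and (src is None or p.src == src)
                and (dst is None or p.dst == dst)
                and port_ok(p.sport, sport) and port_ok(p.dport, dport)
                and not (not_y and is_conn_request(p))):  # "! -y" skips SYNs
            return name
    return None

def active_mode_session():
    """Packets of one PORT-mode download, each paired with the rule it hits."""
    pkts = [
        Packet("output", FIREWALL_IP, 40001, SERVER, 21, syn=True),           # our SYN to port 21
        Packet("input",  SERVER, 21, FIREWALL_IP, 40001, syn=True, ack=True),  # server's SYN/ACK
        Packet("input",  SERVER, 20, FIREWALL_IP, 40002, syn=True),           # server opens data
        Packet("output", FIREWALL_IP, 40002, SERVER, 20, syn=True, ack=True),  # our SYN/ACK to 20
        Packet("input",  SERVER, 21, FIREWALL_IP, 40003, syn=True),           # SYN from 21: no rule
    ]
    return [(p, first_match(p)) for p in pkts]
```

With a default policy of DENY as Mikkel describes, the last packet (a connection request arriving from port 21) is dropped because every input rule that would otherwise match it carries `! -y`.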