problems with ws-ftp, firewall and zope web sever.

Jianping Zhu Mon, 19 Aug 2002 14:59:56 -0700


I was trying to ftp files to the zope web sever in my redhat linux sever.
zope ftp uses port 8021 so  After open ws_ftp, I clicked connected, in the
session property/advaced i
 set the remote port number to 8021.network timeout to 60. in
 session property/General I set host name to my
 linux sever name which the zope websever reside in, I put the root
 manager name of zope website in the field of UserID and password and
 cliked ok
it gives info as following:
 connecting to 128.192.47.24:34864
 200 port command successfully.
 LIST
 150 opening ascii node data connection for the list
 !timer cancelled blocking call 
 !accept error: blocking call cancelled
 !Retrieve of folder list failed (O)
 
 I failed to do ftp with ws_ftp.
 
 Any suggestions will be greatly appreciated!!
 Thanks


we use iptables as firewall in the linux machine the iptables.rule is as
following
#==============================================================
# Iptables firewall script
#==============================================================


# Load modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Reset the rules
iptables -F
iptables -X
iptables -Z

# Setup default DROP policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Definitions
IFACE="eth0"
IPADDR="128.192.47.115"
TNET="128.192.0.0/16"
NAMESERVER_1="128.192.1.9"
NAMESERVER_2="128.192.1.193"
BROADCAST="128.192.255.255"
DHCPS="0.0.0.0"
BLAST="255.255.255.255"
LOOPBACK="127.0.0.1"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
FISHER="128.192.47.142"

#====================================================================
## Kernel Flags
# Disable response to ping
 /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Disable response to broadcasts
 /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't Accept source routed packets
 /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering (prevent IP spoofing)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > ${interface}
done

# Don't Log spoofed packets, source routed packets, redirect packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/log_martians

# Turn off IP forwarding
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

#====================================================================
# Rules

## LOOPBACK
# Allow unlimited traffic on the loopback interface.

iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#=======================================================================
## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do
# this we divert tcp  packets with the SYN bit set off to a user-defined
# chain. Up to limit-burst connections  can arrive in 1/limit seconds
# ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again.
# The default limit is 3/hour. The default limit burst is 5.
#

# iptables -N syn-flood
# iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
# iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
# iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
# iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j LOG \
#  --log-prefix "NonSYN New TCP: " --log-level warn
# iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

#=====================================================================
## Fragments
# Deny and log all fragments except those from Fisher(nfs)(chg 11/9/01).

# iptables -A INPUT -i $IFACE -f -s $FISHER -j ACCEPT
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP

#=====================================================================
## Anti-Spoofing
# Accept Broadcast Packets from Samba

iptables -A INPUT -i $IFACE -p udp -s $IPADDR -d $BROADCAST \
 --dport 137:139 -j ACCEPT
#=======================================================================
## Zope
# Allow inbound
iptables -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 8021 -j ACCEPT


#=======================================================================
#==================================================================
# FTP
# Allow FTP Outbound
iptables -A INPUT  -i $IFACE -p tcp --sport 21 -m state --state \
 ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state \
 NEW,ESTABLISHED -j ACCEPT

# Active outbound FTP
iptables -A INPUT  -i $IFACE -p tcp --sport 20 -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state \
 ESTABLISHED -j ACCEPT

# Passive inbound and outbound FTP
iptables -A INPUT  -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound FTP
iptables -A INPUT  -i $IFACE -p tcp --dport 21 -m state --state \
 NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 21 -m state --state \
 ESTABLISHED -j ACCEPT


# Active inbound FTP
iptables -A INPUT  -i $IFACE -p tcp --dport 20 -m state --state \
 ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 20 -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

























> 
> --------------------------------
> Jianping Zhu
> Department of Computer Science
> Univerity of Georgia 
> Athens, GA 30602
> Tel 706 5423900
> --------------------------------
> 
> 
> _______________________________________________
> Zope maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
> 



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list

problems with ws-ftp, firewall and zope web sever.

Reply via email to