Re: [Shorewall-users] FTP SSL

2022-03-18 Thread William Papolis
Whoop, you’re right. 

My mistake. What was I thinking?

The rest of my reco’s are good, right?

Bill

Sent from my iPhone

> On Mar 18, 2022, at 11:01 AM, Justin Pryzby  wrote:
> 
> This conversation has gone off into the weeds, but I should point out that:
> 
>> Yes, you can use SFTP (aka FTP over SSH)
> 
> SFTP is not actually "FTP over SSH", even if the commands are similar.
> 
>> Remember … FTPS or SFTP, whatever u want to call it, is just SSH providing a 
>> “secure tunnel” for your unencrypted FTP traffic.
> 
> SFTP is not FTPS, either.  It looks like FTPS (I always forget) is FTP+TLS on
> port 990/989.
> 
> BTW, SFTP isn't SCP either ;)
> 
> -- 
> Justin
> 
> 
> ___
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users




Re: [Shorewall-users] FTP SSL

2022-03-18 Thread Justin Pryzby
This conversation has gone off into the weeds, but I should point out that:

> Yes, you can use SFTP (aka FTP over SSH)

SFTP is not actually "FTP over SSH", even if the commands are similar.

> Remember … FTPS or SFTP, whatever u want to call it, is just SSH providing a 
> “secure tunnel” for your unencrypted FTP traffic.

SFTP is not FTPS, either.  It looks like FTPS (I always forget) is FTP+TLS on
port 990/989.

BTW, SFTP isn't SCP either ;)

-- 
Justin




Re: [Shorewall-users] FTP SSL

2022-03-18 Thread Rodrigo Araujo
Hello.

I think in this case, as he is using proftpd, what he is using is
FTP over TLS, not SSH-based SFTP.

To answer the original question: FTP over TLS is safe as long as:
- you enforce everyone using it (i.e. not allowing fallback to non-
encrypted connections); the configuration for that is daemon
dependent;
- you use valid certificates, preferably signed by a CA you trust,
either your private CA or a well-known public trusted CA, avoiding
self-signed ones;
- everyone accessing it validates the certificate (which may not be
easy to enforce, since it's very easy for users to just tick an option
on their client to ignore the certificate...)

Additionally, if you are setting up a public FTP server, be it SSH SFTP
or FTP over TLS, I always recommend you complement its security with
something like fail2ban to put off brute-force attacks (it follows the
access log and tells shorewall, or whatever other local firewall you
may be using, to block offenders for a certain time, and they'll stop
hammering).

Hope this helps.


On Fri, 2022-03-18 at 10:38 -0400, William Papolis wrote:
> Remember … FTPS or SFTP, whatever u want to call it, is just SSH
> providing a “secure tunnel” for your unencrypted FTP traffic.
> 
> So … when trying to figure out “if SSH is secure” or any other
> encrypted traffic like HTTPS or whatever, you need to look closely at
> the encryption protocols you’re supporting. 
> 
> So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it
> secure, right?
> 
> For each of these, when you’re configuring it on your server, you
> need to choose a “cipher” to support. Some are “more secure” than
> others.
> 
> For context … TLSv1 was released in 1999 and deprecated in 2020 … so,
> NOT SECURE!
> 
> TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE!
> 
> For TLSv1 and TLSv1.1, I would disable support for those protocols on
> my server. Not even accept attempts to connect!
> 
> TLSv1.2 was released in 2008 and I would ONLY use it with a few
> cipher suites (like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other
> “secure suites”) so, YES, SECURE!
> 
> TLSv1.3 … it’s the latest and I would still be “picky” on which
> cipher suite I choose, (like ChaCha20-Poly1305) is kinda my current
> favorite.
> 
> So why do we continue to support older TLS versions? Well, for
> “compatibility”. We are always making a trade-off between “security”
> and “compatibility”.
> 
> If the level of “security” you choose, “blocks” many users from
> “getting access”, then it’s “not really working”, is it?
> 
> You need to make sure the client software that’s installed will work
> with the server software decisions you’re making.
> 
> I hope this helps. 
> 
> Bill
> 
> Sent from my iPhone
> 
> > On Mar 18, 2022, at 9:21 AM, Vieri Di Paola
> >  wrote:
> > 
> > Is FTPS considered insecure?
> > 
> > proftpd example:
> > 
> > ServerName "MH FTP server"
> > ServerType standalone
> > DefaultServer on
> > AccessGrantMsg "User %u has successfully logged into MH FTP
> > server."
> > RequireValidShell off
> > UseReverseDNS off
> > IdentLookups off
> > Port 0
> > UseIPv6 off
> > MaxInstances 30
> > 
> > Umask 022
> > PassivePorts 2990 3000
> > MultilineRFC2228 on
> > ShowSymlinks off
> > DefaultTransferMode binary
> > MaxClients 30 "ERROR: reached maximum user limit (%m)."
> > MaxClientsPerUser 20 "ERROR: reached maximum connections per user
> > limit (%m)."
> > MaxLoginAttempts 3
> > DefaultRoot ~
> > AllowOverwrite on
> > AllowOverride off
> > AllowRetrieveRestart on
> > AllowStoreRestart on
> > DelayEngine on
> > TLSEngine on
> > TLSLog /var/log/proftpd_tls.log
> > TLSProtocol TLSv1 TLSv1.1 TLSv1.2
> > TLSRequired on
> > TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
> > TLSRSACertificateKeyFile
> > /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
> > TLSVerifyClient off
> > TLSOptions AllowClientRenegotiations NoSessionReuseRequired
> > ClamAV on
> > ClamServer 127.0.0.1
> > ClamPort 3310
> > 
> >  DenyAll
> > 
> > Include /etc/proftpd/user_list
> > 
> > 
> >  ServerName "MHSC FTP server"
> >  Port 21
> >  MasqueradeAddress mhsc.domain.org
> >  TransferLog /var/log/proftpd_xfer_mhsc.log
> > 
> > 
> >  ServerName "MHSI FTP server"
> >  Port 21
> >  MasqueradeAddress mhsi.domain.org
> >  TransferLog /var/log/proftpd_xfer_mhsi.log
> > 
> > User ftp
> > Group ftp
> > DebugLevel 0
> > SystemLog /var/log/proftpd.log
> > WtmpLog off
> > 
> > 
> 
> 

Re: [Shorewall-users] FTP SSL

2022-03-18 Thread William Papolis
Hmm … I used the word “secure” and now, “upon reflection”, I think it’s the 
wrong word.

Instead of thinking about it as … “is it secure”? Maybe we should think about 
it as … “has anybody broken the encryption yet?”

Then … for the choices that aren’t “broken“ yet, maybe we think about those as 
… “harder to break?”

Because, in time, sooner or later, everything becomes “insecure” or “broken”. 
Our job, managing and maintaining servers is … to stay in the “safe zone” where 
stuff isn’t “insecure yet”,

Bill

Sent from my iPhone

> On Mar 18, 2022, at 10:38 AM, William Papolis  wrote:
> 
> Remember … FTPS or SFTP, whatever u want to call it, is just SSH providing a 
> “secure tunnel” for your unencrypted FTP traffic.
> 
> So … when trying to figure out “if SSH is secure” or any other encrypted 
> traffic like HTTPS or whatever, you need to look closely at the encryption 
> protocols you’re supporting. 
> 
> So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it secure, 
> right?
> 
> For each of these, when you’re configuring it on your server, you need to 
> choose a “cipher” to support. Some are “more secure” than others.
> 
> For context … TLSv1 was released in 1999 and deprecated in 2020 … so, NOT 
> SECURE!
> 
> TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE!
> 
> For TLSv1 and TLSv1.1, I would disable support for those protocols on my 
> server. Not even accept attempts to connect!
> 
> TLSv1.2 was released in 2008 and I would ONLY use it with a few cipher suites 
> (like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other “secure suites”) so, 
> YES, SECURE!
> 
> TLSv1.3 … it’s the latest and I would still be “picky” on which cipher suite 
> I choose, (like ChaCha20-Poly1305) is kinda my current favorite.
> 
> So why do we continue to support older TLS versions? Well, for 
> “compatibility”. We are always making a trade-off between “security” and 
> “compatibility”.
> 
> If the level of “security” you choose, “blocks” many users from “getting 
> access”, then it’s “not really working”, is it?
> 
> You need to make sure the client software that’s installed will work with the 
> server software decisions you’re making.
> 
> I hope this helps. 
> 
> Bill
> 
> Sent from my iPhone
> 
>> On Mar 18, 2022, at 9:21 AM, Vieri Di Paola  wrote:
>> 
>> Is FTPS considered insecure?
>> 
>> proftpd example:
>> 
>> ServerName "MH FTP server"
>> ServerType standalone
>> DefaultServer on
>> AccessGrantMsg "User %u has successfully logged into MH FTP server."
>> RequireValidShell off
>> UseReverseDNS off
>> IdentLookups off
>> Port 0
>> UseIPv6 off
>> MaxInstances 30
>> 
>> Umask 022
>> PassivePorts 2990 3000
>> MultilineRFC2228 on
>> ShowSymlinks off
>> DefaultTransferMode binary
>> MaxClients 30 "ERROR: reached maximum user limit (%m)."
>> MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit 
>> (%m)."
>> MaxLoginAttempts 3
>> DefaultRoot ~
>> AllowOverwrite on
>> AllowOverride off
>> AllowRetrieveRestart on
>> AllowStoreRestart on
>> DelayEngine on
>> TLSEngine on
>> TLSLog /var/log/proftpd_tls.log
>> TLSProtocol TLSv1 TLSv1.1 TLSv1.2
>> TLSRequired on
>> TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
>> TLSRSACertificateKeyFile
>> /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
>> TLSVerifyClient off
>> TLSOptions AllowClientRenegotiations NoSessionReuseRequired
>> ClamAV on
>> ClamServer 127.0.0.1
>> ClamPort 3310
>> 
>> DenyAll
>> 
>> Include /etc/proftpd/user_list
>> 
>> 
>> ServerName "MHSC FTP server"
>> Port 21
>> MasqueradeAddress mhsc.domain.org
>> TransferLog /var/log/proftpd_xfer_mhsc.log
>> 
>> 
>> ServerName "MHSI FTP server"
>> Port 21
>> MasqueradeAddress mhsi.domain.org
>> TransferLog /var/log/proftpd_xfer_mhsi.log
>> 
>> User ftp
>> Group ftp
>> DebugLevel 0
>> SystemLog /var/log/proftpd.log
>> WtmpLog off
>> 
>> 




Re: [Shorewall-users] FTP SSL

2022-03-18 Thread William Papolis
Remember … FTPS or SFTP, whatever u want to call it, is just SSH providing a 
“secure tunnel” for your unencrypted FTP traffic.

So … when trying to figure out “if SSH is secure” or any other encrypted 
traffic like HTTPS or whatever, you need to look closely at the encryption 
protocols you’re supporting. 

So, in your example you mentioned … “TLSv1 TLSv1.1 TLSv1.2”, is it secure, 
right?

For each of these, when you’re configuring it on your server, you need to 
choose a “cipher” to support. Some are “more secure” than others.

For context … TLSv1 was released in 1999 and deprecated in 2020 … so, NOT 
SECURE!

TLSv1.1 was released in 2006 and deprecated in 2020 … so, NOT SECURE!

For TLSv1 and TLSv1.1, I would disable support for those protocols on my 
server. Not even accept attempts to connect!

TLSv1.2 was released in 2008 and I would ONLY use it with a few cipher suites 
(like ChaCha20-Poly1305 or AES-GCM or AES-CCM or other “secure suites”) so, YES, 
SECURE!

TLSv1.3 … it’s the latest and I would still be “picky” on which cipher suite I 
choose, (like ChaCha20-Poly1305) is kinda my current favorite.

So why do we continue to support older TLS versions? Well, for “compatibility”. 
We are always making a trade-off between “security” and “compatibility”.

If the level of “security” you choose, “blocks” many users from “getting 
access”, then it’s “not really working”, is it?

You need to make sure the client software that’s installed will work with the 
server software decisions you’re making.

I hope this helps. 

Bill

Sent from my iPhone

> On Mar 18, 2022, at 9:21 AM, Vieri Di Paola  wrote:
> 
> Is FTPS considered insecure?
> 
> proftpd example:
> 
> ServerName "MH FTP server"
> ServerType standalone
> DefaultServer on
> AccessGrantMsg "User %u has successfully logged into MH FTP server."
> RequireValidShell off
> UseReverseDNS off
> IdentLookups off
> Port 0
> UseIPv6 off
> MaxInstances 30
> 
> Umask 022
> PassivePorts 2990 3000
> MultilineRFC2228 on
> ShowSymlinks off
> DefaultTransferMode binary
> MaxClients 30 "ERROR: reached maximum user limit (%m)."
> MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit (%m)."
> MaxLoginAttempts 3
> DefaultRoot ~
> AllowOverwrite on
> AllowOverride off
> AllowRetrieveRestart on
> AllowStoreRestart on
> DelayEngine on
> TLSEngine on
> TLSLog /var/log/proftpd_tls.log
> TLSProtocol TLSv1 TLSv1.1 TLSv1.2
> TLSRequired on
> TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
> TLSRSACertificateKeyFile
> /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
> TLSVerifyClient off
> TLSOptions AllowClientRenegotiations NoSessionReuseRequired
> ClamAV on
> ClamServer 127.0.0.1
> ClamPort 3310
> 
>  DenyAll
> 
> Include /etc/proftpd/user_list
> 
> 
>  ServerName "MHSC FTP server"
>  Port 21
>  MasqueradeAddress mhsc.domain.org
>  TransferLog /var/log/proftpd_xfer_mhsc.log
> 
> 
>  ServerName "MHSI FTP server"
>  Port 21
>  MasqueradeAddress mhsi.domain.org
>  TransferLog /var/log/proftpd_xfer_mhsi.log
> 
> User ftp
> Group ftp
> DebugLevel 0
> SystemLog /var/log/proftpd.log
> WtmpLog off
> 
> 


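Rodrigo's checklist and Bill's advice on TLS versions, turned into a check that runs over the mod_tls directives from the proftpd configuration quoted above. This is an added example, not code from the thread or from ProFTPD; it assumes a mod_tls build that accepts the TLSv1.3 token in TLSProtocol, and SAMPLE_CONFIG is a constructed excerpt of the posted configuration.

```python
import re
from typing import Dict, List

# Constructed excerpt: the mod_tls directives from the proftpd configuration
# quoted in the thread, reproduced here as test input.
SAMPLE_CONFIG = """\
TLSEngine on
TLSLog /var/log/proftpd_tls.log
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSRequired on
TLSVerifyClient off
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
"""

# Protocol versions the thread's posts treat as no longer acceptable.
DEPRECATED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
MODERN_PROTOCOLS = "TLSv1.2 TLSv1.3"   # assumes mod_tls understands TLSv1.3

# TLSOptions flags that switch off mod_tls defaults, with the reason to flag them.
RISKY_OPTIONS = {
    "AllowClientRenegotiations":
        "lets clients initiate TLS renegotiation, which mod_tls refuses by default",
    "NoSessionReuseRequired":
        "drops the check that data connections reuse the control connection's "
        "TLS session, the defence against data-channel hijacking",
}


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map each directive name to its arguments (double-quoted values kept whole).
    A repeated directive overrides the earlier one, as proftpd reads them in order."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        directives[parts[0]] = [p.strip('"') for p in parts[1:]]
    return directives


def audit_tls(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing to flag."""
    d = parse_directives(text)
    findings: List[str] = []
    if d.get("TLSEngine", ["off"])[0].lower() != "on":
        return ["TLSEngine is not on: logins and transfers are sent in clear text"]
    # Rodrigo's first point: no fallback to unencrypted sessions.
    if d.get("TLSRequired", ["off"])[0].lower() != "on":
        findings.append("TLSRequired is not 'on': clients may fall back to plain FTP")
    # Bill's point: the deprecated versions should not even be offered.
    old = [p for p in d.get("TLSProtocol", []) if p in DEPRECATED_PROTOCOLS]
    if old:
        findings.append("TLSProtocol still offers deprecated " + ", ".join(old))
    for opt in d.get("TLSOptions", []):
        if opt in RISKY_OPTIONS:
            findings.append(f"TLSOptions {opt} {RISKY_OPTIONS[opt]}")
    return findings


def harden(text: str) -> str:
    """Rewrite only the flagged lines: modern protocols, mandatory TLS, and the
    risky TLSOptions flags removed (the directive disappears if none remain).
    Everything else is passed through exactly as posted."""
    out: List[str] = []
    for raw in text.splitlines():
        parts = raw.split()
        key = parts[0] if parts else ""
        if key == "TLSProtocol":
            raw = f"TLSProtocol {MODERN_PROTOCOLS}"
        elif key == "TLSRequired":
            raw = "TLSRequired on"
        elif key == "TLSOptions":
            keep = [o for o in parts[1:] if o not in RISKY_OPTIONS]
            if not keep:
                continue
            raw = " ".join(["TLSOptions"] + keep)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONFIG):
        print("-", finding)
    print(harden(SAMPLE_CONFIG))
```

The two TLSOptions flags are reported because each turns off a mod_tls default; keep one only when a specific client is known to need it.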


Re: [Shorewall-users] FTP SSL

2022-03-18 Thread Vieri Di Paola
Is FTPS considered insecure?

proftpd example:

ServerName "MH FTP server"
ServerType standalone
DefaultServer on
AccessGrantMsg "User %u has successfully logged into MH FTP server."
RequireValidShell off
UseReverseDNS off
IdentLookups off
Port 0
UseIPv6 off
MaxInstances 30

Umask 022
PassivePorts 2990 3000
MultilineRFC2228 on
ShowSymlinks off
DefaultTransferMode binary
MaxClients 30 "ERROR: reached maximum user limit (%m)."
MaxClientsPerUser 20 "ERROR: reached maximum connections per user limit (%m)."
MaxLoginAttempts 3
DefaultRoot ~
AllowOverwrite on
AllowOverride off
AllowRetrieveRestart on
AllowStoreRestart on
DelayEngine on
TLSEngine on
TLSLog /var/log/proftpd_tls.log
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSRequired on
TLSRSACertificateFile /etc/ssl/CA-HMN/certs/ftpservers_HM_cert.pem
TLSRSACertificateKeyFile /etc/ssl/CA-HMN/certs/ftpservers_HM_key_nopassphrase.pem
TLSVerifyClient off
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
ClamAV on
ClamServer 127.0.0.1
ClamPort 3310

  DenyAll

Include /etc/proftpd/user_list


  ServerName "MHSC FTP server"
  Port 21
  MasqueradeAddress mhsc.domain.org
  TransferLog /var/log/proftpd_xfer_mhsc.log


  ServerName "MHSI FTP server"
  Port 21
  MasqueradeAddress mhsi.domain.org
  TransferLog /var/log/proftpd_xfer_mhsi.log

User ftp
Group ftp
DebugLevel 0
SystemLog /var/log/proftpd.log
WtmpLog off




Re: [Shorewall-users] FTP SSL

2022-03-17 Thread Robert K Coffman Jr. -Info From Data Corp.

  
  
Real pro tip: OpenVPN with tls-auth. If your packets aren't signed, you can't
snoop the port at all nor communicate with the service.

On 3/17/2022 8:53 AM, William Papolis wrote:

> (PRO TIP: I also use a non-standard port for my VPN, in the 40K+ range.
> So anybody who’s trying to snoop has a lot of ports to check)


Re: [Shorewall-users] FTP SSL

2022-03-17 Thread William Papolis
You guys are confusing Ruud.

Bottom line … FTP is not encrypted.

Yes, you can use SFTP (aka FTP over SSH) but then pay attention to what you are 
doing … you’re creating access for ONE service, “SFTP”, thru your Firewall. 
What about all the other services (WWW? NFS? SAMBA? LDAP? And yes, Gopher?) Are 
you going to enable access for each one of those in your Firewall? That seems 
like a lot of work to create and maintain.

A VPN tunnel is “ONE service” that creates an encrypted connection between two 
endpoints, “your originating device” and “the destination network” AND it 
enables other services (unencrypted services like FTP, or Gopher or whatever) 
to use this tunnel and benefit from the encryption the VPN provides.

Said another way … your originating device can be “anywhere”, and after 
establishing a VPN connection to your destination network, your originating 
device IP becomes an IP on your VPN destination network. 

Said a 3ʳᵈ way … I have a network at my Home that I trust. When I go off to my 
coffee shop to work for a “change of scenery”, I open up a VPN connection to my 
Home network and now my device at the coffee shop claims an IP from my Home 
network. It’s as if I am physically located at my Home, except, I’m at the 
Coffee shop.

Using this VPN, any services I use on this Home network, like FTP, or NFS or 
Samba are ENCRYPTED all the way home, then past the endpoint are happening 
unencrypted on a single network, my Home network. In fact, they NEED to be 
unencrypted at HOME, because that’s the way they work.

You get it?

You might be wondering “what’s the endpoint?” For a VPN there are TWO 
endpoints. Your ORIGINATING endpoint (or IP), which can be variable based on 
where you are physically when you initiate your VPN connection (coffee shop, 
mall, whatever) and your DESTINATION endpoint which is Always the same. It’s 
the IP destination for your VPN connection. (PRO TIP: I also use a non-standard 
port for my VPN, in the 40K+ range. So anybody who’s trying to snoop has a lot 
of ports to check)

If you’ve never setup a VPN before these terms might be confusing. I know they 
were confusing for me. It took me a month to properly figure out how to setup 
my first VPN and explore the limits of this new functionality. I encourage you 
to check out WireGuard. Don’t use IPSec or OpenVPN. They suck! I can list many 
reasons WHY they suck. 

I hope this helps a little.

Bill



Sent from my iPhone

> On Mar 16, 2022, at 11:34 AM, Ruud Baart  wrote:
> 
> 
> Hi, 
> 
> I can find quite a lot of documentation concerning a FTP server. But I don't 
> find the way to do it.
> 
> My situation:
> 
> Internet <--> Firewall <--> FTP server
> 
> Firewall and FTP server are Debian 11 and I use the latest shorewall.
> 
> The Firewall has three public IP addresses, FTP server had no public IP 
> address. Firewall and FTP server are connected to a private 172.23.10.0/24 
> network.
> 
> This setup is new but in fact a replica of the existing situation (I'm moving 
> to a new hosting party). In the existing situation and new situation all 
> works fine (Debian 10) as long as I don't use a certificate. This is the DNAT 
> rule I use:
> 
> SECTION NEW
> FTP(DNAT)   wan1  lan1:$FTP_INT -  -  - $FTP_EXT
> 
> where $FTP_INT and $FTP_EXT are the internal and external IP addresses of the 
> FTP server.
> 
> As said, works fine as long as I don't use a certificate. With TLS connection 
> Filezilla:
> 
> Status:Server sent passive reply with unroutable address. Using 
> server address instead.
> 
> I can login, problem must be related to data on port tcp/20. Can someone help 
> me and tell me what I'm doing wrong or what I'm missing. Probably something 
> with a helper.
> 


Re: [Shorewall-users] FTP SSL

2022-03-17 Thread Robert K Coffman Jr. -Info From Data Corp.

  
  
Not exactly true - you can use a VPN tunnel based on TLS and run FTP through
the tunnel.

I also have no point :)

On 3/16/2022 12:36 PM, Tuomo Soini wrote:

> There is no way to do FTP with TLS/SSL in a completely secure way.

  





Re: [Shorewall-users] FTP SSL

2022-03-16 Thread Benny Pedersen

On 2022-03-16 17:36, Tuomo Soini wrote:

> FTP is dead - move to SFTP which uses the SSH protocol.

gopher is dead as well, but I have a gopher server still working

I have no point :=)




Re: [Shorewall-users] FTP SSL

2022-03-16 Thread Ruud Baart

Thanks, I already thought that was the problem. But you never know ...


On 16-3-2022 17:36, Tuomo Soini wrote:

> On Wed, 16 Mar 2022 16:14:10 +0100
> Ruud Baart  wrote:
>
> > Hi,
> >
> > I can find quite a lot of documentation concerning an FTP server. But
> > I don't find the way to do it.
>
> There is no way to do FTP with TLS/SSL in a completely secure way. That is
> because the conntrack module must be able to see the data port in the
> command packet to open the data connection, and because TLS encrypts the
> command channel the conntrack module can't handle it. That is why FTP has
> always been a horrible option for data transfers with firewalling.
>
> FTP is dead - move to SFTP which uses the SSH protocol.







Re: [Shorewall-users] FTP SSL

2022-03-16 Thread Tuomo Soini
On Wed, 16 Mar 2022 16:14:10 +0100
Ruud Baart  wrote:

> Hi,
> 
> I can find quite a lot of documentation concerning a FTP server. But
> I don't find the way to do it.

There is no way to do FTP with TLS/SSL in a completely secure way. That is
because the conntrack module must be able to see the data port in the command
packet to open the data connection, and because TLS encrypts the command
channel the conntrack module can't handle it. That is why FTP has always been
a horrible option for data transfers with firewalling.

FTP is dead - move to SFTP which uses the SSH protocol.


-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 




Re: [Shorewall-users] FTP SSL

2022-03-16 Thread Justin Pryzby
On Wed, Mar 16, 2022 at 04:14:10PM +0100, Ruud Baart wrote:
> Hi,
> 
> I can find quite a lot of documentation concerning a FTP server. But I don't
> find the way to do it.
> 
> My situation:
> 
>     Internet <--> Firewall <--> FTP server
> 
> Firewall and FTP server are Debian 11 and I use the latest shorewall.
> 
> The Firewall has three public IP addresses, FTP server had no public IP
> address. Firewall and FTP server are connected to a private 172.23.10.0/24
> network.
> 
> This setup is new but in fact a replica of the existing situation (I'm

Are you using TLS with the old setup?

> moving to a new hosting party). In the existing situation and new situation
> all works fine (Debian 10) as long as I don't use a certificate. This is the
> DNAT rule I use:
> 
> SECTION NEW
> FTP(DNAT)   wan1  lan1:$FTP_INT -  -  - $FTP_EXT
> 
> where $FTP_INT and $FTP_EXT are the internal and external IP addresses of
> the FTP server.
> 
> As said, works fine as long as I don't use a certificate. With TLS
> connection Filezilla:
> 
>     Status:    Server sent passive reply with unroutable address. Using
> server address instead.

Maybe a good test is to do:
modprobe nf_conntrack_ftp

-- 
Justin




[Shorewall-users] FTP SSL

2022-03-16 Thread Ruud Baart

Hi,

I can find quite a lot of documentation concerning an FTP server. But I 
don't find the way to do it.

My situation:

    Internet <--> Firewall <--> FTP server

Firewall and FTP server are Debian 11 and I use the latest shorewall.

The Firewall has three public IP addresses, the FTP server has no public IP 
address. Firewall and FTP server are connected to a private 
172.23.10.0/24 network.

This setup is new but in fact a replica of the existing situation (I'm 
moving to a new hosting party). In the existing situation and the new 
situation all works fine (Debian 10) as long as I don't use a 
certificate. This is the DNAT rule I use:

   SECTION NEW
   FTP(DNAT)   wan1  lan1:$FTP_INT -  -  - $FTP_EXT

where $FTP_INT and $FTP_EXT are the internal and external IP addresses 
of the FTP server.

As said, it works fine as long as I don't use a certificate. With a TLS 
connection, Filezilla says:

    Status:    Server sent passive reply with unroutable address. Using 
server address instead.

I can log in; the problem must be related to data on port tcp/20. Can someone 
help me and tell me what I'm doing wrong or what I'm missing? Probably 
something with a helper.
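Tuomo's explanation, and the "passive reply with unroutable address" message from Ruud's FileZilla session, modelled in Python. This is an added example and not code from the thread, Shorewall or netfilter: a toy version of what the nf_conntrack_ftp and nf_nat_ftp helpers do with a PASV reply on a plaintext command channel, and why they can do nothing once that channel is TLS. The server address 172.23.10.5 and the public address 203.0.113.10 are constructed.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed scenario: the FTP server is 172.23.10.5 on the private network
# from the original post; 203.0.113.10 (documentation range) stands in for the
# firewall's public address that the DNAT rule forwards to the server.
SERVER_PRIVATE_IP = "172.23.10.5"
FIREWALL_PUBLIC_IP = "203.0.113.10"

# Ranges a client on the Internet cannot reach directly. FileZilla's
# "passive reply with unroutable address" warning comes from a check like this.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
_HOSTPORT = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(rb"^227 [^\r\n]*?\(" + _HOSTPORT + rb"\)")
PORT_RE = re.compile(rb"^PORT " + _HOSTPORT)

Endpoint = Tuple[str, int]


def _decode(groups) -> Endpoint:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ep: Endpoint) -> bytes:
    ip, port = ep
    return (ip.replace(".", ",") + f",{port // 256},{port % 256}").encode()


def is_tls_record(payload: bytes) -> bool:
    """A TLS record starts with a content type (0x14-0x17) and major version 3.
    After AUTH TLS succeeds, every command-channel segment looks like this."""
    return (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 3)


def helper_expectation(payload: bytes) -> Optional[Endpoint]:
    """What nf_conntrack_ftp can learn from one command-channel segment: the
    data endpoint announced by PASV/PORT if the text is readable, for which it
    would open a conntrack expectation; nothing if the segment is TLS."""
    if is_tls_record(payload):
        return None
    m = PASV_RE.match(payload) or PORT_RE.match(payload)
    return _decode(m.groups()) if m else None


def nat_rewrite_pasv(payload: bytes, public_ip: str) -> bytes:
    """What nf_nat_ftp does to a 227 reply leaving a DNAT'ed server: substitute
    the public address so the client gets a routable endpoint. Under TLS the
    reply is opaque and passes unchanged, which is the failure Tuomo describes."""
    m = PASV_RE.match(payload)
    if is_tls_record(payload) or not m:
        return payload
    _, port = _decode(m.groups())
    start, end = m.span(1)[0], m.span(6)[1]
    return payload[:start] + _encode((public_ip, port)) + payload[end:]


def is_unroutable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def client_data_endpoint(reply: bytes, control_peer: str) -> Endpoint:
    """FileZilla's fallback: if the announced address is unroutable, use the
    address the control connection went to (the firewall) with the announced
    port. The client then reaches the server only if that port is forwarded."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply")
    ip, port = _decode(m.groups())
    return (control_peer, port) if is_unroutable(ip) else (ip, port)


if __name__ == "__main__":
    plain = b"227 Entering Passive Mode (172,23,10,5,11,174).\r\n"
    print(helper_expectation(plain))                  # ('172.23.10.5', 2990)
    print(nat_rewrite_pasv(plain, FIREWALL_PUBLIC_IP))
    # Constructed TLS application-data record: the same reply, but encrypted.
    tls = b"\x17\x03\x03\x00\x30" + bytes(48)
    print(helper_expectation(tls))                    # None
    print(client_data_endpoint(plain, FIREWALL_PUBLIC_IP))
```

Once the channel is encrypted the address rewrite has to happen inside the FTP daemon, which is what the MasqueradeAddress and PassivePorts directives in Vieri's proftpd configuration provide, together with a firewall rule forwarding that port range to the server.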


Re: [Shorewall-users] FTP shorewall Helper

2019-01-02 Thread Naveen Neelakanta
Thanks for the information.

On Wed, Jan 2, 2019 at 9:20 AM Tom Eastep  wrote:

> On 1/1/19 2:05 PM, Naveen Neelakanta wrote:
> > Hi Tom
> >
> > This works where zone 2 is the internet facing zone.
> >
> > ?if __FTP_HELPER
> >
> > IPTABLES(CT --zone 2 --helper ftp)      eth3        -           tcp   21
> > IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   eth3        tcp   21
> > IPTABLES(CT --zone 2 --helper ftp)      veth-e3-p   -           tcp   21
> > IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   veth-e3-p   tcp   21
> >
> > ?endif
> >
> >
> > Please find the attached conntrack file, please let me know if this is
> > the right way to do it or is there a better way.
> >
> > Can I use a generic zone id in this case or just the zone which is
> > internet facing?
> >
>
> You may need to add additional entries for your other zones, if you need
> to provide ftp access from those zones.
>
> -Tom
> --
> Tom Eastep\   Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>   \___
>
>


Re: [Shorewall-users] FTP shorewall Helper

2019-01-02 Thread Tom Eastep
On 1/1/19 2:05 PM, Naveen Neelakanta wrote:
> Hi Tom
> 
> This works where zone 2 is the internet facing zone.
> 
> ?if __FTP_HELPER
> 
> IPTABLES(CT --zone 2 --helper ftp)      eth3        -           tcp   21
> IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   eth3        tcp   21
> IPTABLES(CT --zone 2 --helper ftp)      veth-e3-p   -           tcp   21
> IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   veth-e3-p   tcp   21
> 
> ?endif
> 
> 
> Please find the attached conntrack file, please let me know if this is
> the right way to do it or is there a better way.
> 
> Can I use a generic zone id in this case or just the zone which is
> internet facing? 
> 

You may need to add additional entries for your other zones, if you need
to provide ftp access from those zones.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] FTP shorewall Helper

2019-01-01 Thread Naveen Neelakanta
Hi Tom

This works where zone 2 is the internet facing zone.

?if __FTP_HELPER

IPTABLES(CT --zone 2 --helper ftp)      eth3        -           tcp   21
IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   eth3        tcp   21
IPTABLES(CT --zone 2 --helper ftp)      veth-e3-p   -           tcp   21
IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   veth-e3-p   tcp   21

?endif


Please find the conntrack file attached; please let me know if this is the
right way to do it or if there is a better way.

Can I use a generic zone id in this case or just the zone which is internet
facing?


Thanks,

Naveen




On Tue, Jan 1, 2019 at 9:43 AM Tom Eastep  wrote:

> On 12/31/18 7:02 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > After adding the zones in the conntrack file, I start seeing this issue,
> > where nf_nat_ftp is not getting called. If I remove the zones from the
> > conntrack entry, I don't see the issue, but I need the zones.
> >
> > Any pointers to solve this will help.
> >
>
> I don't have any, as I have no experience with conntrack zones. I can
> envision potential problems with active mode FTP and zones if the zone
> for client->FTPserver traffic is different from the one for
> FTPserver->client traffic. You seem to be using "CT --zone x", according
> to your earlier post(s). I see that "CT --zone-orig x" and "CT
> --zone-reply x" are also supported, but again, I have no experience with
> using them.
>
> -Tom
> --
> Tom Eastep\   Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>   \___
>
>




Re: [Shorewall-users] FTP shorewall Helper

2019-01-01 Thread Tom Eastep
On 12/31/18 7:02 PM, Naveen Neelakanta wrote:
> Hi Tom, 
> 
> After adding the zones in the conntrack file, I start seeing this issue,
> where nf_nat_ftp is not getting called. If I remove the zones from the
> conntrack entry, I don't see the issue, but I need the zones.
> 
> Any pointers to solve this will help. 
> 

I don't have any, as I have no experience with conntrack zones. I can
envision potential problems with active mode FTP and zones if the zone
for client->FTPserver traffic is different from the one for
FTPserver->client traffic. You seem to be using "CT --zone x", according
to your earlier post(s). I see that "CT --zone-orig x" and "CT
--zone-reply x" are also supported, but again, I have no experience with
using them.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] FTP shorewall Helper

2018-12-31 Thread Naveen Neelakanta
Hi Tom,

After adding the zones in the conntrack file, I start seeing this issue, where
nf_nat_ftp is not getting called. If I remove the zones from the
conntrack entry, I don't see the issue, but I need the zones.

Any pointers to solve this will help.

Thanks,
Naveen


On Mon, Dec 31, 2018 at 7:01 PM Naveen Neelakanta <
naveen.b.neelaka...@gmail.com> wrote:

> Hi Tom,
>
> After adding the zones in the conntrack file, I start seeing this issue, where
> nf_nat_ftp is not getting called. If I remove the zones from the
> conntrack entry, I don't see the issue, but I need the zones.
>
> Any pointers to solve this will help.
>
> Thanks,
> Naveen
>
>
> On Mon, Dec 31, 2018 at 6:21 PM Naveen Neelakanta <
> naveen.b.neelaka...@gmail.com> wrote:
>
>> No Tim, I don't see the issue; I have shared the config file. I started
>> seeing this issue after upgrading to 5.2.0.4; it was working in the old
>> version 4.x.x. In the working case I see the connection entries below for
>> active mode in connection tracking.
>>
>> ```ipv4 2 tcp  6 431961 ESTABLISHED src=10.16.8.2
>> dst=144.208.69.31 sport=42351 dport=21 src=144.208.69.31 dst=10.16.8.58
>> sport=21 dport=42351 [ASSURED] mark=0 zone=0 use=2
>> ipv4 2 tcp  6 50 TIME_WAIT src=10.16.8.2 dst=144.208.69.31
>> sport=42349 dport=21 src=144.208.69.31 dst=10.16.8.58 sport=21 dport=42349
>> [ASSURED] mark=0 zone=0 use=2```
>>
>> But in the non-working case I only see one connection entry. Please find
>> the conntrack, snat, rules and shorewall.conf files attached.
>>
>> Thanks,
>> Naveen
>>
>> On Mon, Dec 31, 2018 at 2:00 PM Tom Eastep  wrote:
>>
>>> On 12/31/18 12:19 PM, Naveen Neelakanta wrote:
>>> > 10.24.8.11 is the actual client IP from where I started the
>>> FTP connection.
>>> >
>>> > The FTP connection comes to the BOX where Shorewall is running and does
>>> > a SNAT(10.24.8.117). Then it goes through another NAT device which is
>>> > translating to 96.64.220.253.
>>> >
>>> > If FTP HELPER is enabled, how does the server know about the internal
>>> IP
>>> > 10.24.8.11 ( i was thinking FTP helper will modify the request with the
>>> > NATted IP).
>>> >
>>> >
>>>
>>> The FTP helper has a problem with PORT commands that are split over two
>>> packets. Are you seeing system log messages such as the following?
>>>
>>> 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
>>>
>>> -Tom
>>> --
>>> Tom Eastep\   Q: What do you get when you cross a mobster with
>>> Shoreline, \ an international standard?
>>> Washington, USA \ A: Someone who makes you an offer you can't
>>> http://shorewall.org \   understand
>>>   \___
>>>
>>>


Re: [Shorewall-users] FTP shorewall Helper

2018-12-31 Thread Tom Eastep
On 12/31/18 10:12 AM, Naveen Neelakanta wrote:
> The box on which the shorwall is running is doing the SNAT.

But it is doing SNAT of *outgoing* requests only, correct? There is no
SNAT occurring on the FTP control connection whose conntrack entry you
forwarded.

> Maybe an
> external facing firewall is doing another NAT with the source ip (
> 96.64.220.253) hence I am not seeing any new connection back on my
> device. Should i see a new connection request from the server to
> ip 96.64.220.253 , will there be an entry created by FTP helper to
> accept the new connection request coming from the server (  i don't see
> it in the conntrack entry ).

Please understand that the problem you are seeing here has *nothing* to
do with the Shorewall box or with FTP helpers. The problem is that the
FTP server is refusing to create an active mode data connection to
10.24.8.11. Was that the actual IP address of the ftp client or was it
96.64.220.253?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



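The failure Naveen is hitting above, as an added example that is not part of the thread and is not Shorewall or netfilter code: a small Python model of an active-mode PORT command crossing two NAT hops. It reproduces what nf_nat_ftp does on a SNATed control connection (rewrite the client's address in PORT and register an expectation so the server's data connection is DNATed back to the client) and the server-side check that produced "500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)". The addresses are the ones from the thread; the data port 50431 and the reduction of each NAT device to a (public address, has helper) pair are assumptions.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(cmd):
    """Decode 'PORT a,b,c,d,p1,p2' into (ip, port)."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def build_port(ip, port):
    """Encode (ip, port) as the client would send it in a PORT command."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def ftp_nat_helper(cmd, nat_ip):
    """Model of nf_nat_ftp acting on a SNATed control connection.

    It rewrites the (private) address in PORT to the NAT's own address and
    registers an expectation: the server's inbound connection to nat_ip:port
    is accepted as RELATED and DNATed back to the original client.
    """
    client_ip, port = parse_port(cmd)
    expectation = {"listen": (nat_ip, port), "forward_to": (client_ip, port)}
    return build_port(nat_ip, port), expectation


def server_port_reply(cmd, control_peer_ip):
    """The server-side sanity check that produced the '500' in the thread:
    the address in PORT must be the peer address of the control connection."""
    ip, _ = parse_port(cmd)
    if ip != control_peer_ip:
        return f"500 I won't open a connection to {ip} (only to {control_peer_ip})"
    return "200 PORT command successful"


def simulate(client_ip, data_port, nat_hops):
    """Carry one PORT command from the client through nat_hops, an ordered list of
    (public_ip, has_ftp_helper) pairs, and return (server reply, expectations created)."""
    cmd = build_port(client_ip, data_port)
    peer = client_ip            # control-connection source as seen by the next hop
    expectations = []
    for public_ip, has_helper in nat_hops:
        peer = public_ip        # SNAT always changes the source; only a helper fixes PORT
        if has_helper:
            cmd, exp = ftp_nat_helper(cmd, public_ip)
            expectations.append(exp)
    return server_port_reply(cmd, peer), expectations


if __name__ == "__main__":
    client, port = "10.24.8.11", 50431     # data port is assumed
    for label, hops in [
        ("no helper anywhere", [("10.24.8.117", False), ("96.64.220.253", False)]),
        ("helper only on the Shorewall box", [("10.24.8.117", True), ("96.64.220.253", False)]),
        ("helper on both NAT devices", [("10.24.8.117", True), ("96.64.220.253", True)]),
    ]:
        reply, exps = simulate(client, port, hops)
        print(f"{label}: {reply}")
        for e in exps:
            print(f"  expect {e['listen']} -> {e['forward_to']}")
```

The first scenario is exactly the thread's transcript: no device rewrote PORT, so the server sees 10.24.8.11 on a control connection coming from 96.64.220.253. The second shows why a working helper on the Shorewall box alone is not enough once a second, helper-less NAT sits in front of it.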


Re: [Shorewall-users] FTP shorewall Helper

2018-12-31 Thread Naveen Neelakanta
The box on which Shorewall is running is doing the SNAT.  Maybe an
external facing firewall is doing another NAT with the source ip (
96.64.220.253) hence I am not seeing any new connection back on my device.
Should i see a new connection request from the server to ip 96.64.220.253
, will there be an entry created by FTP helper to accept the new connection
request coming from the server (  i don't see it in the conntrack entry ).

I believe i don't need to add a DNAT entry to accept the new connection,
because i only have the client initiating a request from lan to inet.

Thanks,
Naveen


On Mon, Dec 31, 2018 at 9:30 AM Tom Eastep  wrote:

> On 12/30/18 5:33 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > I see that only FTP passive mode works, but are there any other
> > settings that I need to enable for active mode to work? I believe
> > Linux nf_nat_ftp and nf_conntrack_ftp should take care of the mapping,
> > correct? And I see they are getting loaded.
> >
> > ubuntu@BR2-UBUNTU1:~$ ftp 144.208.69.31
> > Connected to 144.208.69.31.
> > 220-- Welcome to Pure-FTPd [privsep] [TLS] --
> > 220-You are user number 18 of 150 allowed.
> > 220-Local time is now 17:01. Server port: 21.
> > 220-This is a private system - No anonymous login
> > 220-IPv6 connections are also welcome on this server.
> > 220 You will be disconnected after 30 minutes of inactivity.
> > Name (144.208.69.31:ubuntu): dlpu...@dlptest.com
> > 
> > 331 User dlpu...@dlptest.com  OK. Password
> > required
> > Password:
> > 230 OK. Current restricted directory is /
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
> > ftp> ls
> > 500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)
> > ftp: bind: Address already in use
>
> That is your FTP server refusing to create the active mode connection.
> Is there a router in front of the Shorewall box that is doing SNAT on
> incoming connections?
> >
> > conntrack  entry:
> > tcp  6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31
> > sport=53478 dport=21 src=144.208.69.31 dst=10.24.8.117 sport=21
> > dport=53478 [ASSURED] mark=0 zone=4 use=1
> >
> > 30-001011-4894:/log/home/test# shorewall show capabilities | grep FTP
> >FTP Helper: Available
> >FTP-0 Helper: Not available
> >TFTP Helper: Available
> >TFTP-0 Helper: Not available
> >
>
> The Shorewall box thinks that the client IP address is 10.24.8.11, while
> your FTP server thinks that it is 96.64.220.253.
>
> -Tom
> --
> Tom Eastep\   Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>   \___
>
>


Re: [Shorewall-users] FTP shorewall Helper

2018-12-31 Thread Tom Eastep
On 12/30/18 5:33 PM, Naveen Neelakanta wrote:
> Hi Tom, 
> 
> I see that only FTP passive mode works, but are there any other
> settings that I need to enable for active mode to work? I believe
> Linux nf_nat_ftp and nf_conntrack_ftp should take care of the mapping,
> correct? And I see they are getting loaded.
> 
> ubuntu@BR2-UBUNTU1:~$ ftp 144.208.69.31
> Connected to 144.208.69.31.
> 220-- Welcome to Pure-FTPd [privsep] [TLS] --
> 220-You are user number 18 of 150 allowed.
> 220-Local time is now 17:01. Server port: 21.
> 220-This is a private system - No anonymous login
> 220-IPv6 connections are also welcome on this server.
> 220 You will be disconnected after 30 minutes of inactivity.
> Name (144.208.69.31:ubuntu): dlpu...@dlptest.com
> 
> 331 User dlpu...@dlptest.com  OK. Password
> required
> Password:
> 230 OK. Current restricted directory is /
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)
> ftp: bind: Address already in use

That is your FTP server refusing to create the active mode connection.
Is there a router in front of the Shorewall box that is doing SNAT on
incoming connections?
> 
> conntrack  entry:
> tcp      6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31
> sport=53478 dport=21 src=144.208.69.31 dst=10.24.8.117 sport=21
> dport=53478 [ASSURED] mark=0 zone=4 use=1
> 
> 30-001011-4894:/log/home/test# shorewall show capabilities | grep FTP
>    FTP Helper: Available
>    FTP-0 Helper: Not available
>    TFTP Helper: Available
>    TFTP-0 Helper: Not available
> 

The Shorewall box thinks that the client IP address is 10.24.8.11, while
your FTP server thinks that it is 96.64.220.253.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] FTP shorewall Helper

2018-12-30 Thread Naveen Neelakanta
Hi Tom,

I see that only FTP passive mode works, but are there any other settings
that I need to enable for active mode to work? I believe
Linux nf_nat_ftp and nf_conntrack_ftp should take care of the mapping,
correct? And I see they are getting loaded.

ubuntu@BR2-UBUNTU1:~$ ftp 144.208.69.31
Connected to 144.208.69.31.
220-- Welcome to Pure-FTPd [privsep] [TLS] --
220-You are user number 18 of 150 allowed.
220-Local time is now 17:01. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 30 minutes of inactivity.
Name (144.208.69.31:ubuntu): dlpu...@dlptest.com
331 User dlpu...@dlptest.com OK. Password required
Password:
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 I won't open a connection to 10.24.8.11 (only to 96.64.220.253)
ftp: bind: Address already in use

conntrack  entry:
tcp  6 430709 ESTABLISHED src=10.24.8.11 dst=144.208.69.31 sport=53478
dport=21 src=144.208.69.31 dst=10.24.8.117 sport=21 dport=53478 [ASSURED]
mark=0 zone=4 use=1

30-001011-4894:/log/home/test# shorewall show capabilities | grep FTP
   FTP Helper: Available
   FTP-0 Helper: Not available
   TFTP Helper: Available
   TFTP-0 Helper: Not available

naveen:Desktop naveen$ cat shorewall.dump | grep ftp
2   120 CT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:21 flags:0x17/0x02 CT helper ftp
0     0 CT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:69 CT helper tftp
0     0 CT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:21 flags:0x17/0x02 CT helper ftp
0     0 CT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:69 CT helper tftp
nf_conntrack   87221  32
nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,xt_NETMAP,ipt_MASQUERADE,nf_nat_irc,xt_connmark,nf_conntrack_pptp,nf_conntrack_amanda,xt_helper,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,xt_connlimit,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat
nf_conntrack_ftp6942  3 nf_nat_ftp
nf_conntrack_tftp   4017  3 nf_nat_tftp
nf_nat 15273  13
nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,xt_NETMAP,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
nf_nat_ftp  2092  0
nf_nat_tftp 1286  0

Please let me know if you need any other information.

Thanks,
Naveen

On Fri, Dec 28, 2018 at 2:52 PM Naveen Neelakanta <
naveen.b.neelaka...@gmail.com> wrote:

> Hi Tom ,
>
> I got it resolved by just moving the zone in the conntrack file above
> AUTOHELPER
>
> cat /etc/shorewall/conntrack
> #
> # Shorewall version 4 - conntrack File
> #
> # For information about entries in this file, type man shorewall-conntrack
> #
>
> ##
> ?FORMAT 3
> #ACTION                  SOURCE      DEST    PROTO   DEST      SOURCE    USER/   SWITCH
> #                                                    PORT(S)   PORT(S)   GROUP
> IPTABLES(CT --zone 2):O  0.0.0.0/0   eth3
> IPTABLES(CT --zone 2)    veth-e3-p   -
>
> ?if $AUTOHELPERS && __CT_TARGET
> ?if __FTP_HELPER
> CT:helper:ftp:PO         -           -       tcp     21
> ?endif
> ?endif
>
> However, I was looking for DROP counters using "iptables -L -nv | grep
> DROP".
> What's the right way to display DROP flows in this scenario and check
> for the drop counters?
>
> Thanks,
> Naveen
>
> On Fri, Dec 28, 2018 at 1:41 PM Tom Eastep  wrote:
>
>> On 12/28/18 10:48 AM, Naveen Neelakanta wrote:
>> >
>> > Hi All,
>> >
>> > I am facing issues with FTP traffic. When the client initiates the
>> > FTP connection, I see it leave the internet interface after getting
>> > NATed with the internet interface IP. I see the return traffic on the
>> > internet interface, but I don't see it getting forwarded, nor hitting the
>> > conntrack entry.
>> >  I have enabled the FTP helper in /etc/shorewall/conntrack; I am using
>> > shorewall version "5.2.0.4".
>> >
>> > Let me know if i am missing something.
>> >
>> > ?if $AUTOHELPERS && __CT_TARGET
>> > ?if __FTP_HELPER
>> > CT:helper:ftp:PO-   -   tcp 21
>> > ?endif
>> > ?endif
>> >
>> > i have the  AUTOHELPERS= yes  in shorewall.conf
>> >
>> > #lsmod | grep nf_nat_ftp
>> > nf_nat_ftp  2028  0
>> > nf_conntrack_ftp6942  3 nf_nat_ftp
>> > nf_nat 15273  12
>> >
>> 

Re: [Shorewall-users] FTP shorewall Helper

2018-12-28 Thread Naveen Neelakanta
Hi Tom ,

I got it resolved by just moving the zone in the conntrack file above
AUTOHELPER

cat /etc/shorewall/conntrack
#
# Shorewall version 4 - conntrack File
#
# For information about entries in this file, type man shorewall-conntrack
#
##
?FORMAT 3
#ACTION                  SOURCE      DEST    PROTO   DEST      SOURCE    USER/   SWITCH
#                                                    PORT(S)   PORT(S)   GROUP
IPTABLES(CT --zone 2):O  0.0.0.0/0   eth3
IPTABLES(CT --zone 2)    veth-e3-p   -

?if $AUTOHELPERS && __CT_TARGET
?if __FTP_HELPER
CT:helper:ftp:PO         -           -       tcp     21
?endif
?endif

However, I was looking for DROP counters using "iptables -L -nv | grep
DROP".
What's the right way to display DROP flows in this scenario and check for
the drop counters?

Thanks,
Naveen

On Fri, Dec 28, 2018 at 1:41 PM Tom Eastep  wrote:

> On 12/28/18 10:48 AM, Naveen Neelakanta wrote:
> >
> > Hi All,
> >
> > I am facing issues with FTP traffic. When the client initiates the
> > FTP connection, I see it leave the internet interface after getting
> > NATed with the internet interface IP. I see the return traffic on the
> > internet interface, but I don't see it getting forwarded, nor hitting the
> > conntrack entry.
> >  I have enabled the FTP helper in /etc/shorewall/conntrack; I am using
> > shorewall version "5.2.0.4".
> >
> > Let me know if i am missing something.
> >
> > ?if $AUTOHELPERS && __CT_TARGET
> > ?if __FTP_HELPER
> > CT:helper:ftp:PO-   -   tcp 21
> > ?endif
> > ?endif
> >
> > i have the  AUTOHELPERS= yes  in shorewall.conf
> >
> > #lsmod | grep nf_nat_ftp
> > nf_nat_ftp  2028  0
> > nf_conntrack_ftp6942  3 nf_nat_ftp
> > nf_nat 15273  12
> >
> nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
> > nf_conntrack   87157  28
> >
> nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_irc,nf_conntrack_pptp,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat
> >
> >
>
> The helper is not required in order to establish the initial control
> connection. So if you are having problems with that part, the issue
> doesn't involve the helper. The helper get involved during establishment
> of the data connection created to handle get, put, ls, etc.
>
> It sounds like the 'client' in this case is in your local lan? If so,
> the CT rule would be hit in the nat table PREROUTING chain when the
> original SYN packet was received by the firewall from the client.
>
> I'll take a look if you:
>
> - shorewall reset
> - 
> - shorewall dump > shorewall.dump
> - Send me the shorewall.dump file (as an attachment) along with the IP
>   addresses of the client and server
>
> Thanks,
> -Tom
> --
> Tom Eastep\   Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>   \___
>


[Shorewall-users] FTP shorewall Helper

2018-12-28 Thread Naveen Neelakanta
Hi All,

I am facing issues with FTP traffic. When the client initiates the
FTP connection, I see it leave the internet interface after getting NATed
with the internet interface IP. I see the return traffic on the internet
interface, but I don't see it getting forwarded, nor hitting the conntrack entry.
 I have enabled the FTP helper in /etc/shorewall/conntrack; I am using
shorewall version "5.2.0.4".

Let me know if i am missing something.

?if $AUTOHELPERS && __CT_TARGET
?if __FTP_HELPER
CT:helper:ftp:PO-   -   tcp 21
?endif
?endif

i have the  AUTOHELPERS= yes  in shorewall.conf

#lsmod | grep nf_nat_ftp
nf_nat_ftp  2028  0
nf_conntrack_ftp6942  3 nf_nat_ftp
nf_nat 15273  12
nf_nat_pptp,nf_nat_proto_gre,xt_nat,nf_nat_h323,nf_nat_sip,openvswitch,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_tftp
nf_conntrack   87157  28
nf_nat_pptp,nf_conntrack_sip,nf_conntrack_irc,xt_nat,nf_nat_h323,nf_conntrack_ftp,nf_nat_sip,openvswitch,nf_conntrack_ipv4,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_irc,nf_conntrack_pptp,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_h323,xt_conntrack,nf_nat_ipv4,nf_nat_tftp,nf_nat


Thanks,
Naveen


Re: [Shorewall-users] FTP ...

2017-12-06 Thread Bill Shirley

You should run tcpdump or wireshark on both interfaces of the Shorewall router
to see what's happening.  Example:
 dmz   eth0      router     eth1
FTP    <-->    Shorewall    <-->    client

tcpdump -n -i eth0 port 21 or portrange 6-65530
AND
tcpdump -n -i eth1 port 21 or portrange 6-65530
What ports are getting forwarded?

Note to all: The original post never mentioned SSL.  Did
I miss something?

Bill

On 12/6/2017 2:34 PM, Paolo Andretta wrote:

On Wed, 6 Dec 2017, Thomas Deutschmann wrote:


FTP is always "special"  ... :-)

[...]

What am I missing?

I don't think it matters, but the natted FTP server is a CentOS 7.x
with ProFTPd.


http://www.proftpd.org/docs/howto/NAT.html

You have to tell your ftp server which passive ports should be used.

You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.


Already tried before without result, but tried again:

In proftpd.conf:

MasqueradeAddress A.B.C.D
PassivePorts 6 65530

In shorewall rules:

FTP(DNAT)    net dmz:192.168.109.71 tcp  -   -    A.B.C.D
DNAT    net dmz:192.168.109.71 tcp 6:65530 - A.B.C.D


No real difference:

# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): USER-ftp
331 Password required for USER-ftp
Password:
230 User USER-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (A,B,C,D,252,213).
ftp: connect: No route to host
ftp> passive
Passive mode off.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out


So:

- active mode works from some connections and not from others (why?)
- passive mode never works

Thanks, Paolo


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot





Re: [Shorewall-users] FTP ...

2017-12-06 Thread Paolo Andretta

On Wed, 6 Dec 2017, Thomas Deutschmann wrote:


FTP is always "special"  ... :-)

[...]

What am I missing?

I don't think it matters, but the natted FTP server is a CentOS 7.x
with ProFTPd.


http://www.proftpd.org/docs/howto/NAT.html

You have to tell your ftp server which passive ports should be used.

You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.


Already tried before without result, but tried again:

In proftpd.conf:

MasqueradeAddress A.B.C.D
PassivePorts 6 65530

In shorewall rules:

FTP(DNAT)net dmz:192.168.109.71 tcp  -   -A.B.C.D
DNATnet dmz:192.168.109.71 tcp 6:65530 -   A.B.C.D


No real difference:

# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): USER-ftp
331 Password required for USER-ftp
Password:
230 User USER-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (A,B,C,D,252,213).
ftp: connect: No route to host
ftp> passive
Passive mode off.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out


So:

- active mode works from some connections and not from others (why?)
- passive mode never works

Thanks, Paolo




Re: [Shorewall-users] FTP ...

2017-12-06 Thread Thomas Deutschmann
On 2017-12-06 04:15, Benny Pedersen via Shorewall-users wrote:
>> You have to open (forward) all of these ports because you cannot 
>> know which port will be selected for the specific connection. 
>> Helpers like ip_conntrack_ftp don't support encryption.
> 
> is ssl tls using non default port 21 ?
> 
> conntracker only know default port 21, but if ssl tls using other 
> ports it could be added to conntracker imho so it works the kernel 
> way
> 
> no ?

Well, there are two FTP modes using TLS:

- Explicit FTPS (you connect via plaintext but immediately issue the
  "AUTH TLS" command to switch into secure (TLS) mode).

- Implicit FTPS (right from the beginning you create a TLS connection).

Due to this technical requirement (allow plaintext vs. require TLS from
the beginning) both modes cannot run together. You need a separate port for
each. Explicit FTPS keeps using port 21 in most setups and implicit FTPS
uses port 990 by default. However, some people don't like that and
say "Implicit FTPS is dead, use explicit FTPS (i.e. "AUTH TLS") only"
(same with IMAP: port 143 and "STARTSSL" vs. port 993 requiring TLS from
the beginning). I prefer the latter because have you checked all the
clients out there if they gracefully handle a REJECT when trying to
switch to TLS mode? My fear is that some clients maybe continue in
plaintext...

Anyways, encryption happens in user space (=ftpd) but the helper modules
are running in the kernel. To work they must read what the ftpd is doing.
Normally they hook into the traffic so they know "Ah, ftpd told client to
use port X for this connection" [1] and open the port. But due to TLS they
cannot read the communication (doesn't matter if using explicit or
implicit mode or if you just use another port).

That's why your only option left when you want to provide a stable but
firewalled FTP service is to instruct your ftpd to use specific ports.
This allows you to set up your firewall accordingly.


See also:
=
[1] 
https://github.com/torvalds/linux/blob/master/net/netfilter/nf_conntrack_ftp.c#L291


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5



Re: [Shorewall-users] FTP ...

2017-12-06 Thread Lennart Sorensen
On Wed, Dec 06, 2017 at 04:15:58AM +0100, Benny Pedersen via Shorewall-users 
wrote:
> is ssl tls using non default port 21 ?
> 
> conntracker only know default port 21, but if ssl tls using other ports it
> could be added to conntracker imho so it works the kernel way

If ftp runs the control data over ssl, there is no way the connection
tracker can inspect the protocol and help in any way.  So ftp over ssl
clearly can't work the same as ftp as far as opening ports in a firewall
is concerned using connnection tracking.

For ftps you would have to use a fixed set of always forwarded ports
for the data channel instead of connection tracking.

-- 
Len Sorensen



Re: [Shorewall-users] FTP ...

2017-12-05 Thread Benny Pedersen via Shorewall-users

Benny Pedersen via Shorewall-users skrev den 2017-12-06 04:15:

Authentication-Results: linode.junc.eu; dmarc=pass (p=none dis=none) 
header.from=lists.sourceforge.net

Authentication-Results: linode.junc.eu;
	dkim=pass (1024-bit key) header.d=lists.sourceforge.net 
header.i=@lists.sourceforge.net header.b=NSlY8pfl;
	dkim=fail reason="signature verification failed" (1024-bit key) 
header.d=sourceforge.net header.i=@sourceforge.net header.b=OJMHswLk;
	dkim=fail reason="signature verification failed" (1024-bit key) 
header.d=sf.net header.i=@sf.net header.b=YEbGtWSQ;
	dkim=fail reason="signature verification failed" (1024-bit key) 
header.d=junc.eu header.i=@junc.eu header.b=yZoyvq9t;

dkim-atps=neutral
Received-SPF: Pass (mailfrom) identity=mailfrom; 
client-ip=216.34.181.88; helo=lists.sourceforge.net; 
envelope-from=shorewall-users-boun...@lists.sourceforge.net; 
receiver=m...@junc.eu
Authentication-Results: linode.junc.eu; spf=pass (mailfrom) 
smtp.mailfrom=lists.sourceforge.net (client-ip=216.34.181.88; 
helo=lists.sourceforge.net; 
envelope-from=shorewall-users-boun...@lists.sourceforge.net; 
receiver=m...@junc.eu)
Received: from lists.sourceforge.net (lists.sourceforge.net 
[216.34.181.88])

by linode.junc.eu (Postfix) with ESMTPS id E2FF01BE055
for ; Wed,  6 Dec 2017 03:35:43 + (GMT)


oh, very well done breaking DMARC, DKIM, SPF

i am unsubscribing now



Re: [Shorewall-users] FTP ...

2017-12-05 Thread Benny Pedersen via Shorewall-users

Thomas Deutschmann skrev den 2017-12-06 03:45:


What am I missing?

I don't think it matters, but the natted FTP server is a CentOS 7.x
with ProFTPd.


http://www.proftpd.org/docs/howto/NAT.html

You have to tell your ftp server which passive ports should be used.

You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.


is ssl tls using non default port 21 ?

conntracker only know default port 21, but if ssl tls using other ports 
it could be added to conntracker imho so it works the kernel way


no ?



Re: [Shorewall-users] FTP ...

2017-12-05 Thread Thomas Deutschmann
On 2017-12-05 14:38, Paolo wrote:
> 
> FTP is always "special"  ... :-)
> 
> [...]
> 
> What am I missing?
> 
> I don't think it matters, but the natted FTP server is a CentOS 7.x
> with ProFTPd.

http://www.proftpd.org/docs/howto/NAT.html

You have to tell your ftp server which passive ports should be used.

You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.

It is enough to open only port 21 + ( 2 additional passive ports) *
parallel connections. I.e. if you only need to support 5 concurrent
FTP connections, set "PassivePorts 6 60010" and open/forward port
21 and 6-60010. But keep in mind: If you get 6 or more concurrent
connections, these connection will fail without a user friendly error
message. So either allow more connections to be sure and/or enforce
user limits in addition.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
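The two points Thomas makes in this thread (the kernel helper can only build an expectation from a control channel it can read in the clear, so with FTPS you are left with a fixed passive range that must agree with the firewall's DNAT rule and with the address the server announces), as an added example that is not part of the thread and is not proftpd, netfilter or Shorewall code. It mimics what nf_conntrack_ftp extracts from the server's 227 replies and then checks each announced endpoint against proftpd's MasqueradeAddress/PassivePorts and the Shorewall DNAT rule. The public address 203.0.113.10 stands in for the thread's A.B.C.D, the 60000-65530 range, the control-channel transcripts and the TLS bytes are all constructed.

```python
import re

# Constructed stand-ins for the thread's values: A.B.C.D -> 203.0.113.10 (assumed),
# PassivePorts and the Shorewall DNAT rule use an assumed 60000-65530 range.
PUBLIC_IP = "203.0.113.10"
PASSIVE_PORTS = (60000, 65530)                       # proftpd: PassivePorts 60000 65530
DNAT_RULE = "DNAT net dmz:192.168.109.71 tcp 60000:65530 - 203.0.113.10"

# Constructed server->client control traffic as the firewall would see it.
PLAINTEXT_CONTROL = (
    b"220 FTP Server ready.\r\n"
    b"230 User USER-ftp logged in\r\n"
    b"227 Entering Passive Mode (203,0,113,10,252,213)\r\n"
    b"150 Opening ASCII mode data connection for file list\r\n"
)
# After AUTH TLS the same replies travel inside TLS records; this is an opaque
# record-shaped blob (type 0x17, version 3.3, length 42, then ciphertext-like bytes).
TLS_CONTROL = b"\x17\x03\x03\x00\x2a" + bytes(range(0x80, 0x80 + 42))

PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Decode a '227 Entering Passive Mode (a,b,c,d,p1,p2)' reply into (ip, port)."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def helper_expectations(control_bytes):
    """What nf_conntrack_ftp can learn from the server->client control stream.

    The kernel helper pattern-matches the 227 reply in the clear and registers
    an expectation for the data connection. Ciphertext never matches, so an
    encrypted control channel yields no expectation at all.
    """
    text = control_bytes.decode("ascii", errors="replace")
    return [ep for ep in map(parse_pasv, text.splitlines()) if ep is not None]


def dnat_port_ranges(rule_line):
    """Read the DPORT column of a shorewall rules line (ACTION SOURCE DEST PROTO DPORT ...)
    as a list of (lo, hi) tuples; '20,21,25' and '60000:65530' are both accepted."""
    dport = rule_line.split()[4]
    ranges = []
    for item in dport.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def check_pasv(endpoint, public_ip, passive_ports, dnat_rule):
    """Return the reasons a client would fail to connect to the announced endpoint."""
    ip, port = endpoint
    problems = []
    if ip != public_ip:
        # Paolo's first transcript: the server announced 192.168.109.71, its own
        # internal address; proftpd's MasqueradeAddress fixes the announced address.
        problems.append(f"announces {ip}, not the public address {public_ip} (MasqueradeAddress)")
    lo, hi = passive_ports
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside PassivePorts {lo}-{hi}")
    if not any(dlo <= port <= dhi for dlo, dhi in dnat_port_ranges(dnat_rule)):
        problems.append(f"port {port} is not forwarded by the DNAT rule")
    return problems


if __name__ == "__main__":
    print("plaintext control channel:", helper_expectations(PLAINTEXT_CONTROL))
    print("TLS control channel:      ", helper_expectations(TLS_CONTROL))
    for ep in helper_expectations(PLAINTEXT_CONTROL):
        print(ep, check_pasv(ep, PUBLIC_IP, PASSIVE_PORTS, DNAT_RULE) or "ok")
    print(check_pasv(("192.168.109.71", 45742), PUBLIC_IP, PASSIVE_PORTS, DNAT_RULE))
```

Run against the original rule from the first post in this thread ("tcp 20,21,25,80,443"), every passive endpoint fails the DNAT check, which is the "ftp: connect: No route to host" / "Connection timed out" seen on the client; the same check on the TLS transcript returns nothing at all, which is why no helper, and only a fixed forwarded range, can make FTPS work through the firewall.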


[Shorewall-users] FTP ...

2017-12-05 Thread Paolo


FTP is always "special"  ... :-)

For many years I have configured FTP like other protocols:

DNATnet dmz:192.168.109.71 tcp 20,21,25,80,443-  A.B.C.D

Where A.B.C.D is an alias public IP (eth0:N)
192.168.109.71 is the server internal IP

It has worked fine except for some clients that had some connection
problems, but playing with active/passive mode in the client usually they
can connect and work.

Now there are some clients that aren't able to use FTP with these servers.
I noticed this also from one of my boxes that is under a double or
triple NAT:


# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> debug
Debugging on (debug=1).
ftp> ls
---> PORT 192,168,111,107,196,255
200 PORT command successful
---> LIST
425 Unable to build data connection: Connection timed out



# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (192,168,109,71,178,174).
ftp: connect: Connection timed out
ftp> bye
421 Idle timeout (600 seconds): closing control connection


# ftp metalluxlight.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> passive
Passive mode off.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out


If I try from another client box (very similar to the previous), I get:

# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 user-ftp user  5500719 Mar 14  2017 CompanyProfile.pdf
-rw-r--r--   1 user-ftp user  390 Nov  9  2015 LEGGIMI.txt
drwxr-xr-x   3 root root 4096 Jul  4 13:51 cataloghi
-rw-r--r--   1 user-ftp user   53 Dec 29  2015 
google0f8da78f93df36d9.html
 . . .
-rw-r--r--   1 user-ftp user 3353 Oct  7  2016 wp-load.php
-rw-r--r--   1 user-ftp user34057 Oct  7  2016 wp-login.php
-rw-r--r--   1 user-ftp user 7993 Jan 11  2017 wp-mail.php
-rw-r--r--   1 user-ftp user13920 Oct  7  2016 wp-settings.php
-rw-r--r--   1 user-ftp user29890 Oct  7  2016 wp-signup.php
-rw-r--r--   1 user-ftp user 4035 Nov  9  2015 wp-trackback.php
-rw-r--r--   1 user-ftp user 3064 Oct  7  2016 xmlrpc.php
226 Transfer complete

This works without problems and is under a double NAT (different
connection).



Also tried the syntax (in the firewall obviously):

FTP(DNAT) net dmz:192.168.109.71 tcp - - A.B.C.D

# uname -a
Linux srv-gw 4.4.49-1-pve #1 SMP PVE 4.4.49-86 (Thu, 30 Mar 2017 08:39:20 
+0200) x86_64 GNU/Linux

# shorewall version
4.6.4.3

Debian 8.7


ip_set 45056  2 ip_set_hash_ip,xt_set
ip_set_hash_ip 32768  0
iptable_filter 16384  4
iptable_mangle 16384  1
iptable_nat16384  1
iptable_raw16384  0
ip_tables  28672  4 
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_ah 16384  0
ipt_CLUSTERIP  16384  0
ipt_ECN16384  0
ipt_MASQUERADE 16384  0
ipt_REJECT 16384  8
ipt_rpfilter   16384  0
 . . .
nf_conntrack  106496  34 
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_conntrack_proto_udplite,nf_nat,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp

nf_conntrack_amanda16384  1 nf_nat_amanda
nf_conntrack_broadcast16384  2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp   20480  1 nf_nat_ftp
nf_conntrack_h323  77824  1 nf_nat_h323
nf_conntrack_ipv4  16384  108
nf_conntrack_irc   16384  1 nf_nat_irc
nf_conntrack_netbios_ns16384  0
nf_conntrack_netlink36864  0
nf_conntrack_pptp  20480  1 nf_nat_pptp
nf_conntrack_proto_gre16384  1 nf_conntrack_pptp
nf_conntrack_proto_sctp20480  0
nf_conntrack_proto_udplite16384  0
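
A way to read transcripts like the ones above mechanically, as an added example that is not part of the thread or of Shorewall: it pairs each PORT command or 227 reply with the outcome that follows it, decodes the advertised address and port (p1*256+p2), and flags the two NAT symptoms visible in these sessions: a private address leaking across a public control connection (the helper did not rewrite PORT or 227), and the difference between a timeout (silent drop or unreachable address) and a refusal (RST or ICMP reject). The transcript is constructed from the sessions quoted in this post and in the 2014 "FTP Stopped Working" thread further down; 203.0.113.10 and 10.0.0.9 are placeholders, not the real A.B.C.D.

```python
"""Classify FTP data-channel failures from an `ftp` debug transcript and
point at NAT-related causes.  Added example, not code from the thread or
from Shorewall; the transcript is constructed from the sessions quoted in
the thread, with 203.0.113.10 standing in for the server's public A.B.C.D."""
import ipaddress
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^-+> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(fields):
    """Turn the six FTP address fields h1,h2,h3,h4,p1,p2 into (ip, port)."""
    h = [int(x) for x in fields]
    if len(h) != 6 or any(not 0 <= v <= 255 for v in h):
        raise ValueError("malformed FTP address")
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]


def is_rfc1918(ip):
    """True for addresses that cannot be reached across the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class DataChannel:
    mode: str                   # "active" (client sent PORT) or "passive" (server sent 227)
    ip: str                     # address advertised for the data connection
    port: int
    outcome: str = "unknown"    # "ok", "timeout", "refused" or "unknown"
    findings: list = field(default_factory=list)


def parse_transcript(lines):
    """Pair every PORT/PASV negotiation with the result that followed it."""
    channels, current = [], None
    for line in lines:
        line = line.strip()
        m = PORT_RE.match(line) or PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            current = DataChannel("active" if line.startswith("-") else "passive", ip, port)
            channels.append(current)
        elif current is not None and current.outcome == "unknown":
            if "timed out" in line:          # "425 ... timed out" or "ftp: connect: ... timed out"
                current.outcome = "timeout"
            elif "Connection refused" in line:
                current.outcome = "refused"
            elif line.startswith("226"):
                current.outcome = "ok"
    return channels


def diagnose(channel, control_peer):
    """Attach findings; control_peer is the remote address of the control connection."""
    if channel.outcome == "ok":
        return channel
    if is_rfc1918(channel.ip) and not is_rfc1918(control_peer):
        if channel.mode == "passive":
            channel.findings.append("227 advertised a private address over a public control "
                                    "connection: nf_nat_ftp did not rewrite it (helper not "
                                    "attached) or the server advertises its internal IP")
        else:
            channel.findings.append("PORT advertised a private address over a public control "
                                    "connection: the client-side NAT did not rewrite it, so "
                                    "the server cannot connect back")
    if channel.outcome == "refused":
        channel.findings.append("refused: a RST or ICMP unreachable came back "
                                "(REJECT rule on either side, or a closed port)")
    elif channel.outcome == "timeout":
        channel.findings.append("timeout: SYNs dropped silently (DROP rule) or the "
                                "advertised address is unreachable")
    return channel


# Constructed transcript based on the sessions quoted in the thread.
SAMPLE_TRANSCRIPT = """\
---> PORT 192,168,111,107,196,255
200 PORT command successful
---> LIST
425 Unable to build data connection: Connection timed out
227 Entering Passive Mode (192,168,109,71,178,174).
ftp: connect: Connection timed out
---> PASV
227 Entering Passive Mode (203,0,113,10,41,87)
ftp: connect: Connection refused
---> PORT 10,0,0,9,218,2
200 PORT command successful
226 Transfer complete
""".splitlines()


def run_sample(control_peer="203.0.113.10"):
    """Analyse the constructed transcript against the server's (placeholder) public address."""
    return [diagnose(c, control_peer) for c in parse_transcript(SAMPLE_TRANSCRIPT)]
```

The last PORT in the sample still shows a private client address yet the transfer succeeds: that is what a working client-side helper looks like, since the client prints the command it sent, not the rewritten one the server received. Only a private address combined with a failure is evidence that the rewrite did not happen.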

Re: [Shorewall-users] FTP Stopped Working

2014-08-21 Thread Benny Pedersen
On August 14, 2014 2:24:34 AM cac...@quantum-sci.com wrote:

 ?if __FTP_HELPER
 CT:helper:ftp:PO - - tcp 21p.
 ?endif

21p ?

Are ftps running on port 21?



Re: [Shorewall-users] FTP Stopped Working

2014-08-21 Thread Tom Eastep
On 8/21/2014 10:00 AM, Benny Pedersen wrote:
 On August 14, 2014 2:24:34 AM cac...@quantum-sci.com wrote:
 
 ?if __FTP_HELPER
 CT:helper:ftp:PO - - tcp 21p.
 ?endif
 
 21p ?
 
 Are ftps running on port 21?

Think it is time to see the output of 'shorewall dump' collected as
described at http://www.shorewall.net/support.htm#Guidelines

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread CACook

Tom Eastep wrote:
 On 8/12/2014 8:38 PM, cac...@quantum-sci.com wrote:
 Tom Eastep wrote:
 So you felt that your setting of AUTOHELPERS was irrelevant because your
 kernel is earlier than 3.5?
 I don't understand what you're saying.  That page says, By making
 AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+
 kernel without disrupting the operation of their firewalls. 

 My kernel is above 3.5.  It's 3.14-1.  It seems then that AUTOHELPERS
 should be Yes.

 You have confirmed that?
# uname -r
3.14-1-amd64

A search in /etc/shorewall shows that only shorewall.conf has
AUTOHELPERS, and in shorewall.conf there is only one instance: 
AUTOHELPERS=Yes

I've never changed that.







Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread Tom Eastep
On 8/13/2014 6:58 AM, cac...@quantum-sci.com wrote:
 
 Tom Eastep wrote:
 On 8/12/2014 8:38 PM, cac...@quantum-sci.com wrote:
 Tom Eastep wrote:
 So you felt that your setting of AUTOHELPERS was irrelevant because your
 kernel is earlier than 3.5?
 I don't understand what you're saying.  That page says, By making
 AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+
 kernel without disrupting the operation of their firewalls. 

 My kernel is above 3.5.  It's 3.14-1.  It seems then that AUTOHELPERS
 should be Yes.

 You have confirmed that?
 # uname -r
 3.14-1-amd64
 
 A search in /etc/shorewall shows that only shorewall.conf has
 AUTOHELPERS, and in shorewall.conf there is only one instance: 
 AUTOHELPERS=Yes
 
 I've never changed that.

Okay. Please forward the output of 'shorewall show raw' as an attachment.

Thanks,
-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread CACook

Attached.

Tom Eastep wrote:
 On 8/13/2014 6:58 AM, cac...@quantum-sci.com wrote:
 Tom Eastep wrote:
 On 8/12/2014 8:38 PM, cac...@quantum-sci.com wrote:
 Tom Eastep wrote:
 So you felt that your setting of AUTOHELPERS was irrelevant because your
 kernel is earlier than 3.5?
 I don't understand what you're saying.  That page says, By making
 AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+
 kernel without disrupting the operation of their firewalls. 

 My kernel is above 3.5.  It's 3.14-1.  It seems then that AUTOHELPERS
 should be Yes.

 You have confirmed that?
 # uname -r
 3.14-1-amd64

 A search in /etc/shorewall shows that only shorewall.conf has
 AUTOHELPERS, and in shorewall.conf there is only one instance: 
 AUTOHELPERS=Yes

 I've never changed that.
 Okay. Please forward the output of 'shorewall show raw' as an attachment.

 Thanks,
 -Tom



Shorewall 4.6.2.2 RAW Table at hex - Wed Aug 13 08:14:28 PDT 2014

Counters reset Tue Aug 12 09:11:41 PDT 2014

Chain PREROUTING (policy ACCEPT 4346K packets, 2601M bytes)
 pkts bytes target prot opt in out source   destination 


Chain OUTPUT (policy ACCEPT 5455K packets, 5552M bytes)
 pkts bytes target prot opt in out source   destination 



Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread Tom Eastep
On 8/13/2014 8:16 AM, cac...@quantum-sci.com wrote:
 
 Attached.
 

Hmmm -- that's not good.

Please forward:

- the setting of HELPERS in shorewall.conf
- the output of 'shorewall show -f capabilities'
- the contents of /etc/shorewall/conntrack

Thanks,
-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread CACook

Tom Eastep wrote:
 On 8/13/2014 8:16 AM, cac...@quantum-sci.com wrote:
 Attached.

 Hmmm -- that's not good.

 Please forward:

 - the setting of HELPERS in shorewall.conf
HELPERS=
as from the factory.

 - the output of 'shorewall show -f capabilities'
Attached.

 - the contents of /etc/shorewall/conntrack
Don't got no conntrack.





#
# Shorewall 4.6.2.2 detected the following iptables/netfilter capabilities - 
Wed Aug 13 09:04:09 PDT 2014
#
ACCOUNT_TARGET=
ADDRTYPE=Yes
AMANDA_HELPER=Yes
ARPTABLESJF=
AUDIT_TARGET=Yes
BASIC_EMATCH=Yes
BASIC_FILTER=Yes
CAPVERSION=40600
CHECKSUM_TARGET=Yes
CLASSIFY_TARGET=Yes
COMMENTS=Yes
CONDITION_MATCH=
CONNLIMIT_MATCH=Yes
CONNMARK_MATCH=Yes
CONNMARK=Yes
CONNTRACK_MATCH=Yes
CT_TARGET=Yes
DSCP_MATCH=Yes
DSCP_TARGET=Yes
EMULTIPORT=Yes
ENHANCED_REJECT=Yes
EXMARK=Yes
FLOW_FILTER=Yes
FTP0_HELPER=
FTP_HELPER=Yes
FWMARK_RT_MASK=Yes
GEOIP_MATCH=
GOTO_TARGET=Yes
H323_HELPER=Yes
HASHLIMIT_MATCH=Yes
HEADER_MATCH=
HELPER_MATCH=Yes
IMQ_TARGET=
IPMARK_TARGET=
IPP2P_MATCH=
IPRANGE_MATCH=Yes
IPSET_MATCH=
IPSET_MATCH_COUNTERS=
IPSET_MATCH_NOMATCH=
IPSET_V5=
IPTABLES_S=Yes
IRC0_HELPER=
IRC_HELPER=Yes
KERNELVERSION=31400
KLUDGEFREE=Yes
LENGTH_MATCH=Yes
LOGMARK_TARGET=
LOG_TARGET=Yes
MANGLE_ENABLED=Yes
MANGLE_FORWARD=Yes
MARK_ANYWHERE=Yes
MARK=Yes
MASQUERADE_TGT=Yes
MULTIPORT=Yes
NAT_ENABLED=Yes
NETBIOS_NS_HELPER=Yes
NEW_CONNTRACK_MATCH=Yes
NEW_TOS_MATCH=Yes
NFACCT_MATCH=Yes
NFLOG_TARGET=Yes
NFQUEUE_TARGET=Yes
OLD_CONNTRACK_MATCH=
OLD_HL_MATCH=
OLD_IPP2P_MATCH=
OLD_IPSET_MATCH=
OWNER_MATCH=Yes
OWNER_NAME_MATCH=Yes
PERSISTENT_SNAT=Yes
PHYSDEV_BRIDGE=Yes
PHYSDEV_MATCH=Yes
POLICY_MATCH=Yes
PPTP_HELPER=Yes
RAWPOST_TABLE=
RAW_TABLE=Yes
REALM_MATCH=Yes
REAP_OPTION=Yes
RECENT_MATCH=Yes
RPFILTER_MATCH=Yes
SANE0_HELPER=
SANE_HELPER=Yes
SIP0_HELPER=
SIP_HELPER=Yes
SNMP_HELPER=Yes
STATISTIC_MATCH=Yes
TCPMSS_MATCH=Yes
TFTP0_HELPER=
TFTP_HELPER=Yes
TIME_MATCH=Yes
TPROXY_TARGET=Yes
UDPLITEREDIRECT=
ULOG_TARGET=Yes
USEPKTTYPE=Yes
XCONNMARK_MATCH=Yes
XCONNMARK=Yes
XMARK=Yes
XMULTIPORT=Yes


Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread Tom Eastep
On 8/13/2014 9:05 AM, cac...@quantum-sci.com wrote:
 
 Tom Eastep wrote:
 On 8/13/2014 8:16 AM, cac...@quantum-sci.com wrote:
 Attached.

 Hmmm -- that's not good.

 Please forward:

 - the setting of HELPERS in shorewall.conf
 HELPERS=
 as from the factory.
 
 - the output of 'shorewall show -f capabilities'
 Attached.
 
 - the contents of /etc/shorewall/conntrack
 Don't got no conntrack.

You need one. There is a populated file included with Shorewall; which
distro are you running and how did you install Shorewall? Which
Shorewall version (command: shorewall version -a).

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP Stopped Working

2014-08-13 Thread CACook

Tom Eastep wrote:
 You need one. There is a populated file included with Shorewall; which
 distro are you running and how did you install Shorewall? Which
 Shorewall version (command: shorewall version -a). -Tom
Ok, I've installed the one from /usr/share/shorewall:

?FORMAT 3
#ACTION                 SOURCE  DESTINATION     PROTO   DEST    SOURCE  USER/   SWITCH
#                                                       PORT(S) PORT(S) GROUP
?if $AUTOHELPERS && __CT_TARGET

?if __AMANDA_HELPER
CT:helper:amanda:PO     -       -               udp     10080
?endif

?if __FTP_HELPER
CT:helper:ftp:PO        -       -               tcp     21p.
?endif

?if __H323_HELPER
CT:helper:RAS:PO        -       -               udp     1719
CT:helper:Q.931:PO      -       -               tcp     1720
?endif

?if __IRC_HELPER
CT:helper:irc:PO        -       -               tcp     6667
?endif

?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns:PO -       -               udp     137
?endif

?if __PPTP_HELPER
CT:helper:pptp:PO       -       -               tcp     1723
?endif

?if __SANE_HELPER
CT:helper:sane:PO       -       -               tcp     6566
?endif

?if __SIP_HELPER
CT:helper:sip:PO        -       -               udp     5060
?endif

?if __SNMP_HELPER
CT:helper:snmp:PO       -       -               udp     161
?endif

?if __TFTP_HELPER
CT:helper:tftp:PO       -       -               udp     69
?endif

?endif


Restarted Sw.  Still nothing on ftp
















[Shorewall-users] FTP Stopped Working

2014-08-12 Thread CACook

For some reason my ftp no longer works. (Ubuntu Raring, kernel
3.14-1-amd64, Sw 4.6.1.2-1)

I can clearly see that Shorewall is blocking passive ftp attempts, but I
don't know what to do about it.  Connexion tracking doesn't seem to be
working.

I've gone through http://www.shorewall.net/FTP.html but I see nothing
I'm doing wrong.  I do have nf_conntrack_ftp and nf_nat_ftp loaded.  In
rules:
ACCEPT $FW net tcp ...,ftp,ftps,... -

$ ftp 192.154.143.???
Connected to 192.154.143.???.
220-- Welcome to Pure-FTPd [privsep] [TLS] --
220-You are user number 8 of 50 allowed.
220-Local time is now 12:05. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.154.143.???:geo): delb
331 User delb OK. Password required
Password:
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> debug
Debugging on (debug=1).
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,154,143,???,41,87)
ftp: connect: Connection refused
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,154,143,???,227,234)
ftp: connect: Connection refused
ftp> passive
Passive mode off.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,1,9,218,2
421 Timeout - try typing a little faster next time
ftp>

huh?  That was instant.


Re: [Shorewall-users] FTP Stopped Working

2014-08-12 Thread Tom Eastep
On 8/12/2014 12:53 PM, cac...@quantum-sci.com wrote:
 
 For some reason my ftp no longer works. (Ubuntu Raring, kernel
 3.14-1-amd64, Sw 4.6.1.2-1)
 
 I can clearly see that Shorewall is blocking passive ftp attempts, but I
 don't know what to do about it.  Connexion tracking doesn't seem to be
 working.
 
 I've gone through http://www.shorewall.net/FTP.html but I see nothing
 I'm doing wrong.  I do have nf_conntrack_ftp and nf_nat_ftp loaded.  In
 rules:
 ACCEPT $FW net tcp ...,ftp,ftps,... -

Connection tracking with ftps will never work.

Have you read and followed this part?

http://www.shorewall.org/FTP.html#idp8733609696

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP Stopped Working

2014-08-12 Thread CACook
Tom Eastep wrote:
 On 8/12/2014 12:53 PM, cac...@quantum-sci.com wrote:
 For some reason my ftp no longer works. (Ubuntu Raring, kernel
 3.14-1-amd64, Sw 4.6.1.2-1)

 I can clearly see that Shorewall is blocking passive ftp attempts, but I
 don't know what to do about it.  Connexion tracking doesn't seem to be
 working.

 I've gone through http://www.shorewall.net/FTP.html but I see nothing
 I'm doing wrong.  I do have nf_conntrack_ftp and nf_nat_ftp loaded.  In
 rules:
 ACCEPT $FW net tcp ...,ftp,ftps,... -
 Connection tracking with ftps will never work.

 Have you read and followed this part?

 http://www.shorewall.org/FTP.html#idp8733609696

As best I can.  All I can understand from that webpage is that I need in
rules, what I have stated.

This target ftp server does not have ssl, so I doubt that's an issue... 
I also removed ftps from rules and restarted shorewall and it made no
difference.







Re: [Shorewall-users] FTP Stopped Working

2014-08-12 Thread Tom Eastep
On 8/12/2014 6:30 PM, cac...@quantum-sci.com wrote:
 Tom Eastep wrote:
 On 8/12/2014 12:53 PM, cac...@quantum-sci.com wrote:
 For some reason my ftp no longer works. (Ubuntu Raring, kernel
 3.14-1-amd64, Sw 4.6.1.2-1)

 I can clearly see that Shorewall is blocking passive ftp attempts, but I
 don't know what to do about it.  Connexion tracking doesn't seem to be
 working.

 I've gone through http://www.shorewall.net/FTP.html but I see nothing
 I'm doing wrong.  I do have nf_conntrack_ftp and nf_nat_ftp loaded.  In
 rules:
 ACCEPT $FW net tcp ...,ftp,ftps,... -
 Connection tracking with ftps will never work.

 Have you read and followed this part?

 http://www.shorewall.org/FTP.html#idp8733609696

 As best I can.  All I can understand from that webpage is that I need in
 rules, what I have stated.

So you felt that your setting of AUTOHELPERS was irrelevant because your
kernel is earlier than 3.5?

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP Stopped Working

2014-08-12 Thread CACook

Tom Eastep wrote:
 On 8/12/2014 6:30 PM, cac...@quantum-sci.com wrote:
 Tom Eastep wrote:
 On 8/12/2014 12:53 PM, cac...@quantum-sci.com wrote:
 For some reason my ftp no longer works. (Ubuntu Raring, kernel
 3.14-1-amd64, Sw 4.6.1.2-1)

 I can clearly see that Shorewall is blocking passive ftp attempts, but I
 don't know what to do about it.  Connexion tracking doesn't seem to be
 working.

 I've gone through http://www.shorewall.net/FTP.html but I see nothing
 I'm doing wrong.  I do have nf_conntrack_ftp and nf_nat_ftp loaded.  In
 rules:
 ACCEPT $FW net tcp ...,ftp,ftps,... -
 Connection tracking with ftps will never work.

 Have you read and followed this part?

 http://www.shorewall.org/FTP.html#idp8733609696

 As best I can.  All I can understand from that webpage is that I need in
 rules, what I have stated.
 So you felt that your setting of AUTOHELPERS was irrelevant because your
 kernel is earlier than 3.5?

 -Tom


I don't understand what you're saying.  That page says, By making
AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+
kernel without disrupting the operation of their firewalls. 

My kernel is above 3.5.  It's 3.14-1.  It seems then that AUTOHELPERS
should be Yes.






Re: [Shorewall-users] FTP Stopped Working

2014-08-12 Thread Tom Eastep
On 8/12/2014 8:38 PM, cac...@quantum-sci.com wrote:
 
 Tom Eastep wrote:

 So you felt that your setting of AUTOHELPERS was irrelevant because your
 kernel is earlier than 3.5?
 
 I don't understand what you're saying.  That page says, By making
 AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+
 kernel without disrupting the operation of their firewalls. 
 
 My kernel is above 3.5.  It's 3.14-1.  It seems then that AUTOHELPERS
 should be Yes.
 

You have confirmed that?

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] ftp redirect problem

2013-11-22 Thread valio

  
  
I checked all docs and loaded the right modules, but ftp redirection on
my GW is still not working :(

"modprobe nf_conntrack_ftp ports=21,1212
modprobe nf_nat_ftp
DNAT net loc:192.168.0.100:21 tcp 1212 -
DNAT net loc:192.168.0.100:20 tcp 20 -
DNAT net loc:192.168.0.100:6-62000 tcp 6:62000 -
"
What am I missing?
On 11/20/2013 7:46 PM, valio wrote:

  Thanks Tom,
  I checked this before writing but... I miss something...
  I will try back tomorrow :)

  P.S.
  FTP(DNAT) net loc:192.168.1.5 tcp 1212 -
  Is it correct for remapping port 1212 on my FW to port 21 on the IP behind my FW?

  On 11/20/2013 6:25 PM, Tom Eastep wrote:

    On 11/20/2013 7:35 AM, valio wrote:

      Hi all
      I have a stupid problem with ftp redirection.
      When the rule is without remapping the port from 21 to 1212 (or other),
      everything works fine.
      But when I use
      DNAT net loc:192.168.52.10:21 tcp 1212 -
      I touch ftp but get an error about passive mode...
      I tried to redirect the ftp passive ports, but no success...
      I changed my distro from Mandriva 2010.2 to Mageia 3 (new Mandriva free
      distro).
      Version of my shorewall is 4.5.10.1
      thanks for all

    This point is discussed at http://www.shorewall.org/FTP.html#Ports

    -Tom





[Shorewall-users] ftp redirect problem

2013-11-20 Thread valio
Hi all
I have a stupid problem with ftp redirection.
When the rule is without remapping the port from 21 to 1212 (or other),
everything works fine.
But when I use
DNAT net loc:192.168.52.10:21 tcp 1212 -
I touch ftp but get an error about passive mode...
I tried to redirect the ftp passive ports, but no success...
I changed my distro from Mandriva 2010.2 to Mageia 3 (new Mandriva free
distro).
Version of my shorewall is 4.5.10.1
thanks for all




Re: [Shorewall-users] ftp redirect problem

2013-11-20 Thread Tom Eastep
On 11/20/2013 7:35 AM, valio wrote:
 Hi all
 I have a stupid problem with ftp redirection.
 When the rule is without remapping the port from 21 to 1212 (or other),
 everything works fine.
 But when I use
 DNAT net loc:192.168.52.10:21 tcp 1212 -
 I touch ftp but get an error about passive mode...
 I tried to redirect the ftp passive ports, but no success...
 I changed my distro from Mandriva 2010.2 to Mageia 3 (new Mandriva free
 distro).
 Version of my shorewall is 4.5.10.1
 thanks for all

This point is discussed at http://www.shorewall.org/FTP.html#Ports

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] ftp redirect problem

2013-11-20 Thread valio

  
  
Thanks Tom,
I checked this before writing but... I miss something...
I will try back tomorrow :)

P.S.
FTP(DNAT) net loc:192.168.1.5 tcp 1212 -
Is it correct for remapping port 1212 on my FW to port 21 on the IP behind my FW?


On 11/20/2013 6:25 PM, Tom Eastep wrote:

  On 11/20/2013 7:35 AM, valio wrote:

    Hi all
    I have a stupid problem with ftp redirection.
    When the rule is without remapping the port from 21 to 1212 (or other),
    everything works fine.
    But when I use
    DNAT net loc:192.168.52.10:21 tcp 1212 -
    I touch ftp but get an error about passive mode...
    I tried to redirect the ftp passive ports, but no success...
    I changed my distro from Mandriva 2010.2 to Mageia 3 (new Mandriva free
    distro).
    Version of my shorewall is 4.5.10.1
    thanks for all

  This point is discussed at http://www.shorewall.org/FTP.html#Ports

  -Tom

  
  
  


[Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Dario Lesca
Hi, I have a web/ftp server in the DMZ via proxy ARP behind a shorewall
4.4.x firewall.

All works fine, also FTP in passive mode, but not in active mode.

I have some old hardware which from time to time puts binary data files via
ftp on my server, and it does not support passive mode (as ftp.exe of
WinXP also doesn't), and this is my problem.

On my network I have 3 CentOS 6.3 ftp servers (2 for test only):
1) on the firewall (for test only)
2) in the LAN via NAT (for test only)
3) in the DMZ via proxy ARP (real server)

In shorewall I have these 3 rules:
1) FTP(ACCEPT) net fw:1.1.1.1
2) DNAT net loc:192.168.1.250 tcp ftp - 1.1.1.3
3) FTP(ACCEPT) net dmz:1.1.1.2

Only server 2 works fine in active and passive mode; only on server 2 does
my old external hardware work and load the data file via PUT and list
via DIR without timeout.

On server 1 (test server) and 3 (real destination server) the ftp
data transfer works only in passive mode (tested with ncftp.exe and
FileZilla on WinXP and lftp on a Linux client); in active mode (ftp.exe
WinXP) the connection to the server with the account works, but the
subsequent PUT and DIR commands go to timeout.

Does someone have a suggestion?

Many thanks

-- 
Dario Lesca - sip:da...@solinos.it
(Sent from my Linux Fedora 17 Gnome3)
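
When an active-mode transfer times out, the firewall log shows which chain dropped which SYN, which is what the reply below asks for. The following is an added example, not code from the thread or from Shorewall, of reading those lines: it parses the default "Shorewall:<chain>:<disposition>:" log prefix and the kernel's KEY=VALUE packet dump, and names the FTP connection a dropped SYN belongs to. A dropped SYN from the server's port 20 in dmz2net is the active-mode signature: the data connection was never matched as RELATED because the ftp helper did not see the PORT command on the control connection. The log lines are constructed; 192.0.2.2 stands in for the DMZ server (1.1.1.2 above), 198.51.100.7 for a client on the Internet, and the server's passive port range is an assumption.

```python
"""Classify dropped FTP data connections in Shorewall/netfilter log lines.
Added example, not code from the thread or from Shorewall.  Assumes the
default "Shorewall:<chain>:<disposition>:" log prefix; the log lines are
constructed, with 192.0.2.2 standing in for the DMZ server (1.1.1.2 in the
thread) and 198.51.100.7 for a client on the Internet."""
import re

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def parse_shorewall_log(line):
    """Return chain, disposition, TCP flags and the KEY=VALUE packet fields,
    or None when the line is not a Shorewall log entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    entry = {"chain": m.group("chain"), "disposition": m.group("disp"),
             "flags": set(FLAG_RE.findall(rest))}
    entry.update(KV_RE.findall(rest))
    return entry


def classify_ftp_attempt(entry, ftp_servers):
    """Name the FTP connection a new-connection SYN belongs to.

    ftp_servers maps each FTP server address to its passive port range
    (lo, hi).  Returns "control", "active-data", "passive-data" or None.
    A dropped "active-data" SYN (server port 20 -> client) means the data
    connection was not recognised as RELATED, i.e. the ftp helper never saw
    the PORT command on the control connection.
    """
    if entry is None or entry.get("PROTO") != "TCP":
        return None
    if "SYN" not in entry["flags"] or "ACK" in entry["flags"]:
        return None                      # only initial SYNs are new attempts
    src, dst = entry.get("SRC"), entry.get("DST")
    spt, dpt = int(entry.get("SPT", 0)), int(entry.get("DPT", 0))
    if dst in ftp_servers and dpt == 21:
        return "control"
    if src in ftp_servers and spt == 20:
        return "active-data"
    if dst in ftp_servers and ftp_servers[dst][0] <= dpt <= ftp_servers[dst][1]:
        return "passive-data"
    return None


def summarise(lines, ftp_servers):
    """Count DROP/REJECT entries per (chain, kind of FTP connection)."""
    counts = {}
    for line in lines:
        entry = parse_shorewall_log(line)
        if entry is None or entry["disposition"] not in ("DROP", "REJECT"):
            continue
        kind = classify_ftp_attempt(entry, ftp_servers)
        if kind is not None:
            key = (entry["chain"], kind)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample; addresses are documentation ranges, not the thread's real ones.
FTP_SERVERS = {"192.0.2.2": (60000, 62000)}   # assumed passive range of the DMZ server
SAMPLE_LOG = [
    "Jan 11 10:02:13 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.2 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=20 "
    "DPT=49152 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 11 10:02:16 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.2 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=20 "
    "DPT=49152 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 11 10:03:01 fw kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 "
    "DST=192.0.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 "
    "DPT=60010 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 11 10:03:02 fw kernel: Shorewall:net2dmz:ACCEPT:IN=eth0 OUT=eth1 SRC=198.51.100.7 "
    "DST=192.0.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 "
    "DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 11 10:03:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 "
    "DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=UDP SPT=1900 DPT=1900 LEN=28",
    "Jan 11 10:03:06 fw kernel: eth0: link up",
]
```

Run `summarise(SAMPLE_LOG, FTP_SERVERS)` on the sample and the two dmz2net drops of port-20 SYNs stand out; on a real box the same counts over the day's log tell whether the failures are active-mode (helper not attached on the dmz side), passive-mode (passive range not opened or not rewritten), or the control connection itself.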




Re: [Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Tom Eastep
On 01/11/2013 05:45 AM, Dario Lesca wrote:
 Hi, I have a web/ftp server in the DMZ via proxy ARP behind a shorewall
 4.4.x firewall.
 
 All works fine, also FTP in passive mode, but not in active mode.
 
 I have some old hardware which from time to time puts binary data files via
 ftp on my server, and it does not support passive mode (as ftp.exe of
 WinXP also doesn't), and this is my problem.
 
 On my network I have 3 CentOS 6.3 ftp servers (2 for test only):
 1) on the firewall (for test only)
 2) in the LAN via NAT (for test only)
 3) in the DMZ via proxy ARP (real server)
 
 In shorewall I have these 3 rules:
 1) FTP(ACCEPT) net fw:1.1.1.1
 2) DNAT net loc:192.168.1.250 tcp ftp - 1.1.1.3
 3) FTP(ACCEPT) net dmz:1.1.1.2
 
 Only server 2 works fine in active and passive mode; only on server 2 does
 my old external hardware work and load the data file via PUT and list
 via DIR without timeout.
 
 On server 1 (test server) and 3 (real destination server) the ftp
 data transfer works only in passive mode (tested with ncftp.exe and
 FileZilla on WinXP and lftp on a Linux client); in active mode (ftp.exe
 WinXP) the connection to the server with the account works, but the
 subsequent PUT and DIR commands go to timeout.
 
 Does someone have a suggestion?

What do you see in the system log when transfer fails? Have you looked
at http://www.shorewall.net/FTP.html?

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Dario Lesca
On Fri, 11/01/2013 at 07.05 -0800, Tom Eastep wrote:
 On 01/11/2013 05:45 AM, Dario Lesca wrote:
  Hi, I have a web/FTP server in a DMZ via proxy ARP behind a Shorewall
  4.4.x firewall.
  
  All works fine, also FTP in passive mode, but not in active mode.
  
  I have an old hardware device which from time to time puts binary data files via FTP
  on my server, and it does not support passive mode (as ftp.exe of
  WinXP also does not), and this is my problem.
  
  On my network I have 3 CentOS 6.3 FTP servers (2 for test only):
  1) on the firewall (for test only)
  2) in the LAN via NAT (for test only)
  3) in the DMZ via proxy ARP (real server)
  
  In Shorewall I have these 3 rules:
  1) FTP(ACCEPT)  net fw:1.1.1.1
  2) DNAT net loc:192.168.1.250 tcp ftp - 1.1.1.3
  3) FTP(ACCEPT)  net dmz:1.1.1.2
  
  Only server 2 works fine in active and passive mode; only on server 2
  does my old external hardware work and load the data file via PUT and list
  via DIR without timeout.
  
  On servers 1 (test server) and 3 (real destination server) the FTP
  data transfer works only in passive mode (tested with ncftp.exe and
  FileZilla on WinXP and lftp on a Linux client); in active mode (ftp.exe
  WinXP) the connection to the server with the account works, but the subsequent
  PUT and DIR commands time out.
  
  Does someone have a suggestion?
 
 What do you see in the system log when transfer fails? Have you looked
 at http://www.shorewall.net/FTP.html?
Yes, I have read this howto but it did not help me.

Note that the active connection works only to the NAT server, and does NOT work
with the servers without NAT (local fw and proxy ARP DMZ).

In the firewall system log I see nothing.
This is the tcpdump of my test transaction script to my server in the DMZ via
proxy ARP:

Script ftp (ftp.exe winxp)
 open my.host
 user
 pass
 dir
 quit

tcpdump output:
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 1:321, ack 1, win 14600, length 320
 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 1:18, ack 321, win 63920, length 17
 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 18, win 14600, length 0
 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 321:364, ack 18, win 14600, length 43
 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 18:33, ack 364, win 63877, length 15
 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 364:407, ack 33, win 14600, length 43
 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 33:57, ack 407, win 63834, length 24
 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 407:436, ack 57, win 14600, length 29
 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 57:63, ack 436, win 63805, length 6
 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0
 16:44:25.605097 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 436:507, ack 63, win 14600, length 71
 16:44:25.780286 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 507, win 63734, length 0
 16:44:29.731707 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 63:69, ack 507, win 63734, length 6
 16:44:29.732083 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 69, win 14600, length 0
 

Re: [Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Tom Eastep
On 01/11/2013 08:00 AM, Dario Lesca wrote:


 What do you see in the system log when transfer fails? Have you looked
 at http://www.shorewall.net/FTP.html?
 Yes, I have read this howto but it did not help me.
 
 Note that the active connection works only to the NAT server, and does NOT work
 with the servers without NAT (local fw and proxy ARP DMZ).
 
 In the firewall system log I see nothing.
 This is the tcpdump of my test transaction script to my server in the DMZ via
 proxy ARP:
 
 Script ftp (ftp.exe winxp)
 open my.host
 user
 pass
 dir
 quit

That would have been a lot more helpful if you would have turned on
debugging before entering the dir command (and yes -- ftp.exe does
support that command).

 
 tcpdump output:
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 1:321, ack 1, win 14600, length 320
 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 1:18, ack 321, win 63920, length 17
 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 18, win 14600, length 0
 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 321:364, ack 18, win 14600, length 43
 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 18:33, ack 364, win 63877, length 15
 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 364:407, ack 33, win 14600, length 43
 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 33:57, ack 407, win 63834, length 24
 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 407:436, ack 57, win 14600, length 29
 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 57:63, ack 436, win 63805, length 6
 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0

This above are your FTP server's attempt to connect to port 1363 on the
remote host.

 
 In the system log of FTP server 3 I see a correct connection with user
 and password, and nothing else.
 
 On the client (ftp.exe for test) I see this:
 ftp> dir
 200 PORT command successful
 425 Could not open data connection to port 1353: Connection timed out

That isn't the same port that your server was trying to connect to.

 ftp>
 NOTE: The port is always different.
 
 Thanks for helping me.
 

If you send me the real IP address of your server, I'll take a look from
this end.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Tom Eastep
On 01/11/2013 08:23 AM, Tom Eastep wrote:
 On 01/11/2013 08:00 AM, Dario Lesca wrote:
 

 What do you see in the system log when transfer fails? Have you looked
 at http://www.shorewall.net/FTP.html?
 Yes, I have read this howto but it did not help me.

 Note that the active connection works only to the NAT server, and does NOT work
 with the servers without NAT (local fw and proxy ARP DMZ).

 In the firewall system log I see nothing.
 This is the tcpdump of my test transaction script to my server in the DMZ via
 proxy ARP:

 Script ftp (ftp.exe winxp)
 open my.host
 user
 pass
 dir
 quit
 
 That would have been a lot more helpful if you would have turned on
 debugging before entering the dir command (and yes -- ftp.exe does
 support that command).
 

 tcpdump output:
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 1:321, ack 1, win 14600, length 320
 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 1:18, ack 321, win 63920, length 17
 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 18, win 14600, length 0
 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 321:364, ack 18, win 14600, length 43
 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 18:33, ack 364, win 63877, length 15
 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 364:407, ack 33, win 14600, length 43
 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 33:57, ack 407, win 63834, length 24
 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 407:436, ack 57, win 14600, length 29
 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 57:63, ack 436, win 63805, length 6
 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0

Ah -- I see the real problem here. Your firewall is MASQUERADING
outgoing connections from the server.

Note that the incoming connection on port 21 is addressed to
my.host.42.251 but the outgoing connection is from my.host.42.242!

Fix your /etc/shorewall/masq file so that it doesn't masquerade those
outgoing connections.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



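The mismatch Tom points out can be read off the trace mechanically. What follows is an added example, my own code and not part of the thread or of Shorewall: it parses tcpdump's one-line TCP summaries, finds the control connection (the client's SYN to port 21), and then checks whether the server's port-20 SYNs towards the client leave with the same source address as the one the client connected to. The trace embedded in it is constructed from the packets quoted above, with the wrapped lines rejoined and most of the command exchange omitted. On the Shorewall side the fix is to keep the SOURCE column of the masq entry to the NATted LAN (for example `eth0  192.168.1.0/24` rather than a catch-all) so that the proxy ARP host is never rewritten; the interface name there is an assumption.

```python
"""Spot a masqueraded active-mode FTP data connection in a tcpdump trace.

Added example, not code from the thread or from Shorewall. The trace is
constructed from the packets quoted in the thread (tcpdump's own one-line
summaries, wrapped lines rejoined, most command packets omitted).
"""
import re
from dataclasses import dataclass

# tcpdump -n style summary line: "<ts> IP <host>.<port> > <host>.<port>: Flags [..], ..."
PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>\d+) > "
    r"(?P<dst>.+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

SAMPLE_TRACE = """\
16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, length 0
16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, length 0
16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 57:63, ack 436, win 63805, length 6
16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, length 0
16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, length 0
16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, length 0
16:44:25.605097 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 436:507, ack 63, win 14600, length 71
"""


@dataclass
class Finding:
    client: str = ""
    control_server: str = ""   # address the client sent its SYN to on port 21
    data_source: str = ""      # address the server's port-20 SYN carried
    data_syn_count: int = 0    # SYN (re)transmissions seen for the data connection
    data_established: bool = False
    masqueraded: bool = False  # data_source differs from control_server


def analyse(trace, ctl_port=21, data_port=20):
    """Walk the trace once and pair the active-mode data SYNs with the control session."""
    f = Finding()
    for line in trace.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if flags == "S" and dport == ctl_port and not f.control_server:
            f.client, f.control_server = src, dst          # control connection opens
        elif flags == "S" and sport == data_port and dst == f.client:
            f.data_syn_count += 1                           # server opening the data channel
            f.data_source = src
        elif flags == "S." and dport == data_port and src == f.client:
            f.data_established = True                       # client answered the SYN
    f.masqueraded = bool(f.data_source) and f.data_source != f.control_server
    return f


def report(f):
    """One-line verdict for a Finding."""
    if f.masqueraded:
        return ("control connection went to %s but the port-20 SYN left as %s "
                "(%d attempts, never answered): outgoing NAT is rewriting the server"
                % (f.control_server, f.data_source, f.data_syn_count))
    if f.data_source and not f.data_established:
        return "data SYN from %s unanswered: filtered on the client side" % f.data_source
    return "no active-mode problem visible in this trace"


if __name__ == "__main__":
    print(report(analyse(SAMPLE_TRACE)))
```

The same check applies to any server that opens connections back to its clients from behind the firewall: the address the peer sees on the outbound connection has to be the one it already holds a session with, otherwise the peer's own firewall or NAT has no state for it and the SYN is dropped silently, exactly as the retransmissions at 1, 2, 4, 8 and 16 second intervals show.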


Re: [Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Dario Lesca
On Fri, 11/01/2013 at 08.23 -0800, Tom Eastep wrote:
 If you send me the real IP address of your server, I'll take a look
 from this end

I have sent you the IP and a test account, and some other output.

Let me know

Thanks
-- 
Dario Lesca - sip:da...@solinos.it
(Sent from my Linux Fedora 17 Gnome3)




Re: [Shorewall-users] FTP active mode issue with server in dmz via proxarp

2013-01-11 Thread Tom Eastep
On 01/11/2013 08:46 AM, Dario Lesca wrote:
 On Fri, 11/01/2013 at 08.23 -0800, Tom Eastep wrote:
 If you send me the real IP address of your server, I'll take a look
 from this end
 
 I have send you IP and test account, and some other output.
 
 Let me know

Check the list mail -- I have already sent you the solution.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





[Shorewall-users] ftp on Port 8021

2009-01-19 Thread Gerhard Engler
Hello,

I want to run Zope in my DMZ. Zope has an FTP server on port 8021. Now I 
want to connect from loc to FTP on dmz. But I get no connection.

In my /var/log/syslog I see:
...
Jan 19 23:31:20 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4029 DF PROTO=TCP SPT=1489 DPT=41616 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:20 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4036 DF PROTO=TCP SPT=1489 DPT=41616 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:21 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4039 DF PROTO=TCP SPT=1489 DPT=41616 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:46 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4673 DF PROTO=TCP SPT=1492 DPT=56550 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:46 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4678 DF PROTO=TCP SPT=1492 DPT=56550 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:47 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4679 DF PROTO=TCP SPT=1492 DPT=56550 WINDOW=65535 RES=0x00 SYN URGP=0
...

In my /etc/shorewall/rules I configured:

ACCEPT  loc dmz   tcp   8021

What is necessary to connect to Zope's FTP on port 8021?

Thank you!


tony



Re: [Shorewall-users] ftp on Port 8021

2009-01-19 Thread Shorewall Geek
Shorewall Geek wrote:
 Gerhard Engler wrote:
 
 What is necesary to connect to ftp-zope on Port 8021?
 
 Shorewall FAQ 29 (http://www.shorewall.net/FAQ.htm#faq29) is about FTP 
 not working. That FAQ contains a link to 
 (http://www.shorewall.net/FTP.html) which contains a section entitled 
 FTP on Non-standard Ports.

The article fails to mention that you create /etc/shorewall/modules by 
copying /usr/share/shorewall/modules.

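The log lines Gerhard posted are the typical signature of an FTP data connection the conntrack helper did not track: SYNs from the client to high ports on the Zope host, rejected by the loc2dmz policy because nothing marked them RELATED. The helper only watches the ports it was loaded with (port 21 by default), so a control session on 8021 is invisible to it. What follows is an added example, my own code and not Shorewall's: it parses Shorewall's kernel log lines into fields, counts them per chain and disposition, lists rejected SYNs to a given server on unprivileged ports as candidate data connections, and emits the `loadmodule ... ports=` line for /etc/shorewall/modules in the form I know from FTP.html. The log lines are the ones from the post, rejoined, plus one constructed unrelated DROP line; the module name nf_conntrack_ftp is an assumption (kernels of that era called it ip_conntrack_ftp).

```python
"""Parse Shorewall kernel log lines and pick out rejected FTP data connections.

Added example, not code from the thread or from Shorewall. The log lines are
the ones from the post (rejoined) plus one constructed, unrelated DROP line.
"""
import re
from collections import Counter

PREFIX = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>[A-Z]+):")
FIELD = re.compile(r"(\w+)=(\S*)")

SAMPLE_LOG = """\
Jan 19 23:31:20 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4029 DF PROTO=TCP SPT=1489 DPT=41616 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:20 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4036 DF PROTO=TCP SPT=1489 DPT=41616 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:31:46 micky kernel: Shorewall:loc2dmz:REJECT:IN=eth0 OUT=eth2 SRC=192.168.1.2 DST=192.168.3.203 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=4673 DF PROTO=TCP SPT=1492 DPT=56550 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 19 23:32:01 micky kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict of the netfilter fields, or None if this is not a Shorewall log line."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disp": m["disp"]}
    rest = line[m.end():]
    rec.update(FIELD.findall(rest))
    # flag words (DF, SYN, ACK, ...) are bare upper-case tokens without '='
    rec["flags"] = {w for w in rest.split() if w.isupper() and "=" not in w}
    return rec


def summarise(log):
    """Count log lines per (chain, disposition)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["disp"])] += 1
    return counts


def untracked_ftp_data(log, server):
    """Rejected or dropped TCP SYNs to `server` on unprivileged ports.

    Passive-mode data connections go from the client to a high port the server
    announced in its 227 reply. If the helper had seen that reply on a tracked
    control session, these SYNs would be RELATED and pass the policy; seeing
    them rejected means the control port is not in the helper's port list.
    Returns sorted (client, client_port, server_port) tuples.
    """
    hits = set()
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or rec["disp"] not in ("REJECT", "DROP"):
            continue
        if rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        if rec.get("DST") == server and int(rec.get("DPT", 0)) > 1023:
            hits.add((rec["SRC"], int(rec["SPT"]), int(rec["DPT"])))
    return sorted(hits)


def modules_line(*ports):
    """The /etc/shorewall/modules entry that makes the helper watch extra ports.

    Module name is an assumption; older kernels use ip_conntrack_ftp instead.
    """
    return "loadmodule nf_conntrack_ftp ports=" + ",".join(str(p) for p in sorted(set(ports)))


if __name__ == "__main__":
    for (chain, disp), n in sorted(summarise(SAMPLE_LOG).items()):
        print("%-10s %-7s %d" % (chain, disp, n))
    for src, sport, dport in untracked_ftp_data(SAMPLE_LOG, "192.168.3.203"):
        print("candidate data connection: %s:%d -> port %d" % (src, sport, dport))
    print(modules_line(21, 8021))
```

The candidate list is a heuristic: accepted control connections are not logged, so confirm against the actual session with tcpdump on the control port before changing the module options, and remember that the modules file is only read at `shorewall restart`, so the helper has to be reloaded with the new port list for the change to take effect.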


[Shorewall-users] FTP--Port Knocking--Shorewall-PERL

2009-01-12 Thread Scott Ruckh
I am using shorewall version 4.2.4 (the invoca RPMs).

I get this warning when starting shorewall:

WARNING: Destination zone (loc) ignored : /usr/share/shorewall/macro.FTP (line
11)

macro.FTP looks like the base version that ships with shorewall:

#ACTION  SOURCE  DEST  PROTO  DEST     SOURCE   RATE   USER/
#                             PORT(S)  PORT(S)  LIMIT  GROUP
PARAM    -       -     tcp    21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

My FTP rules are:

#   forward FTP traffic to the FTP server
FTP/DNAT  -  inet  loc:a.b.c.d

#   slow down Brute Force attacks.  Limit the number
#   of connections per minute that can occur.
Limit:ULOG:FTPBFA,4,120  inet  loc:a.b.c.d  tcp  21  -  $ETH2_IP

;where a.b.c.d is the IP address of FTP server behind the firewall.

I believe this probably broke when switching to Shorewall-PERL, although I am
not positive.

I can not remember where the FTPBFA (FTP Brute Force Attack) script lives. 
Tom helped me create the script originally, but I can not remember where this
code lives.

I grep'd for the string FTPBA in both the /usr/share/shorewall and
/etc/shorewall directories and did not come up with anything.

I basically want to use port knocking to limit brute force attacks.  I believe
in the past my rule blocked users if they tried to log in 4 separate times
within a minute and kept the attacker locked out for 2 hours (I can not remember
for sure).

Basically I would like to implement a similar policy with Shorewall-PERL.

I have viewed the pages http://www.shorewall.net/FTP.html and
http://www.shorewall.net/PortKnocking.html, but I am not able to deduce what I
need to do in order to get this rule working again.

Thank You for your help.

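For the Limit rule quoted above there is, to my understanding, no separate script to find: in `Limit:ULOG:FTPBFA,4,120` the name FTPBFA is the label of a `recent` list that the iptables recent match keeps in the kernel (visible under /proc/net/xt_recent/, /proc/net/ipt_recent/ on older kernels), 4 is the hit count and 120 the window in seconds, and a source that reaches the hit count within the window is dropped and logged. What follows is an added example, my own code and not Shorewall's action implementation: a per-source sliding-window limiter with those semantics, so the effect of a given count and window can be tried on a timeline before the rule goes live. The timestamps are constructed; how a dropped attempt affects the window (the `--update` versus `--rcheck` distinction of the recent match) is exposed as a switch because the exact rule ordering in the real action is an assumption here.

```python
"""Sliding-window connection limiter emulating a Shorewall
Limit:<log>:<name>,<count>,<seconds> rule built on the iptables `recent` match.

Added example, my own reading of the semantics, not Shorewall's action code.
"""
from collections import defaultdict, deque


class RecentLimiter:
    """Keep per-source attempt timestamps; drop once `count` fall inside `seconds`.

    refresh_on_drop=True mirrors `--update`: a dropped attempt is recorded too,
    so a client that keeps hammering stays blocked until it goes quiet for a
    full window. False mirrors `--rcheck`-style behaviour, where only accepted
    attempts count toward the window. The mapping to the exact iptables rules
    Shorewall generates is an assumption.
    """

    def __init__(self, count=4, seconds=120, refresh_on_drop=True):
        self.count, self.seconds, self.refresh = count, seconds, refresh_on_drop
        self.seen = defaultdict(deque)   # src -> timestamps of recent attempts

    def decide(self, src, now):
        q = self.seen[src]
        while q and now - q[0] > self.seconds:   # expire entries outside the window
            q.popleft()
        if len(q) + 1 >= self.count:             # the current attempt counts too
            if self.refresh:
                q.append(now)
            return "DROP"
        q.append(now)
        return "ACCEPT"


def run(limiter, attempts):
    """Feed (src, timestamp) pairs in order; return the list of verdicts."""
    return [limiter.decide(src, t) for src, t in attempts]


# constructed timeline: four attempts within 30 s from one host, one attempt
# from another host, then the first host again after the window has passed
SAMPLE = [("203.0.113.5", 0), ("203.0.113.5", 10), ("203.0.113.5", 20),
          ("203.0.113.5", 30), ("198.51.100.8", 31), ("203.0.113.5", 200)]

if __name__ == "__main__":
    for (src, t), verdict in zip(SAMPLE, run(RecentLimiter(4, 120), SAMPLE)):
        print("t=%3d %-13s %s" % (t, src, verdict))
```

With count 4 and window 120 the rule lets three connection attempts through and drops the fourth; it does not by itself impose a two-hour lockout, since an entry simply ages out once the source stays quiet for the window. A longer lockout is a larger `seconds` value. Verify the generated rules on the running firewall with `shorewall show Limit` rather than relying on the emulation.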


[Shorewall-users] FTP and etc.

2008-08-25 Thread PETER EASTHOPE
Folk,

My configurations are here.
http://carnot.yi.org/DebianPage.html#Network;

status.txt from an FTP attempt is here.
http://carnot.yi.org/status.txt

Very small files can be transmitted by FTP 
from Heaviside in loc to a server in net.  
Larger files are not transmitted.  

Similarly, short messages can be sent from 
Heaviside to a server using SMTP and larger 
messages, such as this, are not accepted.
(This message is sent from Joule using Web 
access to the mail server.)

I've read http://www.shorewall.net/FTP.html  
and googled unsuccessfully for discussion of 
similar symptoms. 

Any insights, hints or tips will be appreciated,

Thanks,  ... Peter E.


-- 
http://members.shaw.ca/peasthope/
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/





Re: [Shorewall-users] FTP and etc.

2008-08-25 Thread Tom Eastep

PETER EASTHOPE wrote:



Any insights, hints or tips will be appreciated,



Try setting CLAMPMSS=Yes in shorewall.conf.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





[Shorewall-users] ftp masq

2008-04-10 Thread Wilson A. Galafassi Jr.
Hello to all.
I'm running Shorewall 4.0
I have my server with this configuration:

Wan: eth0: 10.1.1.254 - connected to ADSL router (dynamic IP)
Lan: eth1: 192.168.1.254 - local network

I have an FTP server at 192.168.1.253 on port 21.

In /etc/shorewall/rules:
DNAT  net  loc:192.168.1.253  tcp  21

/etc/shorewall/masq:
eth0  eth1

If I use Firefox or the FlashFXP client I can access the FTP server OK with no
problems.

But if I use Internet Explorer I can't see the directory listing and I get a
timeout error. This only occurs when I try to access from outside my
network.

I use a No-IP host to update the dynamic IP.

My question is: do I have to change other configurations in Shorewall for this
to work fine in Internet Explorer?

Thanks,

Wilson





Re: [Shorewall-users] ftp masq

2008-04-10 Thread Tom Eastep

Wilson A. Galafassi Jr. wrote:



My question is: do I have to change other configurations in Shorewall for this
to work fine in Internet Explorer?



No.

I suspect that IE is using passive mode by default and that something is 
going wrong with the double-NAT that you are doing in the router and in the 
Shorewall box (why are you doing that?).


Use a command-line FTP client with debugging enabled to see what is 
happening (see http://www.shorewall.net/FTP.html).


-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





[Shorewall-users] FTP DNAT not working - Server sent passive reply with unroutable address

2008-03-30 Thread Martin Leben

Hi all!

I am a long time lurker, but have not posted until now.

My old trusted firewall machine broke a couple of weeks ago and I replaced it 
with a XEN domU that is using DNAT and has two interfaces. The firewall domU and 
the FTP server domU are both guests on the same dom0. All three machines are 
running Debian/etch (stable) and Shorewall has version 3.2.6.


I can't get FTP to work and Filezilla says:

 Response: 227 Entering Passive Mode (192,168,221,239,19)
 Status: Server sent passive reply with unroutable address. Using
 server address instead.

I cannot understand why the FTP servers private address is leaked since the 
modules ip_nat_ftp and ip_conntrack_ftp are loaded. The FTP rule is FTP/DNAT 
net loc:192.168.221.3.


In the attached status file I have connected from 213.115.101.134 to 
87.96.134.74. Can any of you see what is wrong?


Thank you in advance.

/Martin Leben

Ps/ DNAT:ting http, imap and other simple traffic works. /Ds
Ps2/ My apologies if this mail hits the list twice. I sent the first one before 
subscribing. (Reading through http://gmane.org) /Ds2




Re: [Shorewall-users] FTP DNAT not working - Server sent passive reply with unroutable address

2008-03-30 Thread Andrew Suffield
On Sun, Mar 30, 2008 at 11:57:41PM +0200, Martin Leben wrote:
  Response: 227 Entering Passive Mode (192,168,221,239,19)
  Status: Server sent passive reply with unroutable address. Using
  server address instead.

 I cannot understand why the FTP servers private address is leaked since 
 the modules ip_nat_ftp and ip_conntrack_ftp are loaded. The FTP rule is 
 FTP/DNAT net loc:192.168.221.3.

Because the address sent by the FTP server is 192.168.221.239, not
192.168.221.3

I don't think you're looking in the right place.



Re: [Shorewall-users] FTP DNAT not working - Server sent passive reply with unroutable address

2008-03-30 Thread Martin Leben
Andrew Suffield wrote:
 On Sun, Mar 30, 2008 at 11:57:41PM +0200, Martin Leben wrote:
  Response: 227 Entering Passive Mode (192,168,221,239,19)
  Status: Server sent passive reply with unroutable address. Using
  server address instead.

 I cannot understand why the FTP servers private address is leaked since 
 the modules ip_nat_ftp and ip_conntrack_ftp are loaded. The FTP rule is 
 FTP/DNAT net loc:192.168.221.3.
 
 Because the address sent by the FTP server is 192.168.221.239, not
 192.168.221.3
 
 I don't think you're looking in the right place.

Hmm... My fingers must have slipped when typing (No, I didn't copy/paste that 
one...) the Filezilla response. Just tested again and it says Response: 227 
Entering Passive Mode (192,168,221,3,76,244) this time. Yes, that is six 
blocks 
of comma separated numbers.

So, my question still stands.

/Martin Leben




Re: [Shorewall-users] FTP DNAT not working - Server sent passive reply with unroutable address

2008-03-30 Thread Tom Eastep
Martin Leben wrote:
 
 So, my question still stands.
 

I've just spoken on #shorewall with another user who is running the same
setup as you are (including identical kernel version), and who is having
exactly same problem!

So I think we have a smoking gun...

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [Shorewall-users] FTP DNAT not working - Server sent passive reply with unroutable address

2008-03-30 Thread Alexander Wilms
Hi Martin,

this reminds me of an FTP conntrack problem I had with Xen a while ago.
It's related to the common Xen checksum offload problem.
The first FTP port packet has an incorrect checksum and is dropped. Then the resent 
packet is ignored by the ftp_conntrack module and doesn't get masq'ed. Et 
voilà, you have your internal address in the port command.

Diagnosis: run tcpdump -vv (or even better wireshark) on the involved 
interfaces and you'll see a lot of invalid checksums

Solution: disable tx-checksumming on ALL interfaces (ethtool -K device tx 
off). I disable it on all interfaces, because I saw so many different 
problems with that in all kinds of Xen setups that I gave up trying to find a 
logic behind that error.

Let me know if it helps.

Alex




On Sunday 30 March 2008, Martin Leben wrote:
 Hi all!

 I am a long time lurker, but have not posted until now.

 My old trusted firewall machine broke a couple of weeks ago and I replaced
 it with a XEN domU that is using DNAT and has two interfaces. The firewall
 domU and the FTP server domU are both guests on the same dom0. All three
 machines are running Debian/etch (stable) and Shorewall has version 3.2.6.

 I can't get FTP to work and Filezilla says:

   Response: 227 Entering Passive Mode (192,168,221,239,19)
   Status: Server sent passive reply with unroutable address. Using
   server address instead.

 I cannot understand why the FTP server's private address is leaked since the
 modules ip_nat_ftp and ip_conntrack_ftp are loaded. The FTP rule is
 FTP/DNAT net loc:192.168.221.3.

 In the attached status file I have connected from 213.115.101.134 to
 87.96.134.74. Can any of you see what is wrong?

 Thank you in advance.

 /Martin Leben

 Ps/ DNAT:ting http, imap and other simple traffic works. /Ds
 Ps2/ My apologies if this mail hits the list twice. I sent the first one
 before subscribing. (Reading through http://gmane.org) /Ds2





Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread Jerry Vonau
Ziga Milek wrote:
 I have a PC router that runs Ubuntu Server 7.04 (kernel version
 2.6.20-15-server) and Shorewall (latest version) as a firewall. On one of
 the computers connected to it I run an FTP server. The problem is I cannot
 connect to it from outside. The FTP server is set up using Serv-U. The port
 used for FTP is 50005 and the IP of that computer is 192.168.0.3. I can
 however connect to it from another computer on the LAN. Here are my rules:
 
   #ACTION           SOURCE  DEST             PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
   #                                                 PORT(S)  PORT(S)  DEST      LIMIT  GROUP
   #SECTION ESTABLISHED
   #SECTION RELATED
   SECTION NEW
   SSH/ACCEPT        all     $FW
   Webmin/ACCEPT     all     $FW
   DNS/ACCEPT        loc     fw
   Ping/ACCEPT       loc     all
   Ping/REJECT:info  all     $FW
   Ping/ACCEPT       $FW     all
   DNAT              net     loc:192.168.0.3  tcp    5:50005
   DNAT              net     loc:192.168.0.3  udp    5:50005
   NTP/ACCEPT        all     all
 
 Ports 5-50004 are used for torrents, ed2k and a couple of other things,
 which work fine. What am I missing here? Modules nf_nat_ftp and
 nf_conntrack_ftp are loaded. I've been dealing with this for a couple of
 months now and I don't know what else to try. Please help me!
 
 Ziga
 
Have a look at the non-standard ports section of
http://www.shorewall.net/FTP.html

Jerry



Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread Ziga Milek
As a matter of fact I thought of the unusual port choice causing the problem
and switched the FTP port back to 21 and added an 'FTP/DNAT all
loc:192.168.0.3' rule and the problem persists. Any other idea?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry
Vonau
Sent: Thursday, September 06, 2007 12:31 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

Ziga Milek wrote:
 I have a PC router that runs Ubuntu Server 7.04 (kernel version
 2.6.20-15-server) and Shorewall (latest version) as a firewall. On one of
 the computers connected to it I run an FTP server. The problem is I cannot
 connect to it from outside. The FTP server is set up using Serv-U. The port
 used for FTP is 50005 and the IP of that computer is 192.168.0.3. I can
 however connect to it from another computer on the LAN. Here are my rules:
 
   #ACTION           SOURCE  DEST             PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
   #                                                 PORT(S)  PORT(S)  DEST      LIMIT  GROUP
   #SECTION ESTABLISHED
   #SECTION RELATED
   SECTION NEW
   SSH/ACCEPT        all     $FW
   Webmin/ACCEPT     all     $FW
   DNS/ACCEPT        loc     fw
   Ping/ACCEPT       loc     all
   Ping/REJECT:info  all     $FW
   Ping/ACCEPT       $FW     all
   DNAT              net     loc:192.168.0.3  tcp    5:50005
   DNAT              net     loc:192.168.0.3  udp    5:50005
   NTP/ACCEPT        all     all
 
 Ports 5-50004 are used for torrents, ed2k and a couple of other things,
 which work fine. What am I missing here? Modules nf_nat_ftp and
 nf_conntrack_ftp are loaded. I've been dealing with this for a couple of
 months now and I don't know what else to try. Please help me!
 
 Ziga
 
Have a look at the non-standard ports section of
http://www.shorewall.net/FTP.html

Jerry



Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread DI Roman Fiedler
Ziga Milek wrote:
 As a matter of fact I thought of the unusual port choice causing the problem
 and switched the FTP port back to 21 and added an 'FTP/DNAT all
 loc:192.168.0.3' rule and the problem persists. Any other idea?
   

After shorewall start do an iptables-save > file
and look if the rules are correct (text search for DNAT).
Also an ACCEPT rule has to be in the file for the ports 5-


Perhaps add your external IP to the source field in the DNAT entry

DNAT    net     loc:192.168.0.3    tcp    5:50005    [your net ip]


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jerry
 Vonau
 Sent: Thursday, September 06, 2007 12:31 PM
 To: Shorewall Users
 Subject: Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

 Ziga Milek wrote:
 I have a PC router that runs Ubuntu Server 7.04 (kernel version
 2.6.20-15-server) and Shorewall (latest version) as a firewall. On one of
 the computers connected to it I run an FTP server. The problem is I cannot
 connect to it from outside. The FTP server is set up using Serv-U. The port
 used for FTP is 50005 and the IP of that computer is 192.168.0.3. I can
 however connect to it from another computer on the LAN. Here are my rules:

   #ACTION           SOURCE  DEST             PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
   #                                                 PORT(S)  PORT(S)  DEST      LIMIT  GROUP
   #SECTION ESTABLISHED
   #SECTION RELATED
   SECTION NEW
   SSH/ACCEPT        all     $FW
   Webmin/ACCEPT     all     $FW
   DNS/ACCEPT        loc     fw
   Ping/ACCEPT       loc     all
   Ping/REJECT:info  all     $FW
   Ping/ACCEPT       $FW     all
   DNAT              net     loc:192.168.0.3  tcp    5:50005
   DNAT              net     loc:192.168.0.3  udp    5:50005
   NTP/ACCEPT        all     all

 Ports 5-50004 are used for torrents, ed2k and a couple of other things,
 which work fine. What am I missing here? Modules nf_nat_ftp and
 nf_conntrack_ftp are loaded. I've been dealing with this for a couple of
 months now and I don't know what else to try. Please help me!

 Ziga

 Have a look at the non-standard ports section of
 http://www.shorewall.net/FTP.html

 Jerry

   





Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread Tom Eastep
Ziga Milek wrote:
 As a matter of fact I thought of the unusual port choice causing the problem
 and switched the FTP port back to 21 and added an 'FTP/DNAT all
 loc:192.168.0.3' rule and the problem persists. Any other idea?

Have you consulted http://www.shorewall.net/FTP.html ?

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread Tom Eastep
Ziga Milek wrote:
 When I try to connect to it using FlashFXP it says:
 
 [22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
 [22:16:17] [R] Connecting to cauchy.homeip.net - DNS=cauchy.homeip.net
 IP=89.212.9.43 PORT=21
 [22:16:18] [R] Connection failed (Connection refused)
 [22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1
 
 I don't think it's the DNAT causing the problem because torrents and ed2k
 and some other things work fine (on ports 5-50004). And also if I use
 the uTorrent port checker on port 21
 (http://www.utorrent.com/testport.php?port=21) it says that it's open and
 accepting connections. It has to be something specific to FTP.

At the risk of repeating myself, you need to follow the DNAT
troubleshooting tips in Shorewall FAQs 1a and 1b.

 Here is the complete output of iptables-save if it helps:

I don't think this has anything to do with iptables/netfilter/Shorewall.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread Tom Eastep
Tom Eastep wrote:
 Ziga Milek wrote:
 When I try to connect to it using FlashFXP it says:

 [22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
 [22:16:17] [R] Connecting to cauchy.homeip.net - DNS=cauchy.homeip.net
 IP=89.212.9.43 PORT=21
 [22:16:18] [R] Connection failed (Connection refused)
 [22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1

 I don't think it's the DNAT causing the problem because torrents and ed2k
 and some other things work fine (on ports 5-50004). And also if I use
 the uTorrent port checker on port 21
 (http://www.utorrent.com/testport.php?port=21) it says that it's open and
 accepting connections. It has to be something specific to FTP.
 
 At the risk of repeating myself, you need to follow the DNAT
 troubleshooting tips in Shorewall FAQs 1a and 1b.

And please use a simple line mode FTP client so you know which
connection is failing.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





Re: [Shorewall-users] FTP not working behind Ubuntu+Shorewall

2007-09-06 Thread Jerry Vonau
Ziga Milek wrote:
 When I try to connect to it using FlashFXP it says:
 
 [22:16:11] WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
 [22:16:17] [R] Connecting to cauchy.homeip.net - DNS=cauchy.homeip.net
 IP=89.212.9.43 PORT=21
 [22:16:18] [R] Connection failed (Connection refused)
 [22:16:18] [R] Delaying for 120 seconds before reconnect attempt #1
 
 I don't think it's the DNAT causing the problem because torrents and ed2k
 and some other things work fine (on ports 5-50004). And also if I use
 the uTorrent port checker on port 21
 (http://www.utorrent.com/testport.php?port=21) it says that it's open and
 accepting connections. It has to be something specific to FTP. Here is the
 complete output of iptables-save if it helps:
 
snip
 -A net_dnat -p tcp -m tcp --dport 5:50010 -j DNAT --to-destination
 192.168.0.3 
 -A net_dnat -p udp -m udp --dport 5:50010 -j DNAT --to-destination
 192.168.0.3 
 -A net_dnat -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.3 

Where are you testing from? If you're using a machine that is on your
local LAN, that will never work unless you state the original
destination in your DNAT rule, like what was posted earlier for you,
and follow the rest of FAQ 2.

From here I get a connection:

[EMAIL PROTECTED] jerry]#ftp cauchy.homeip.net
Connected to cauchy.homeip.net (89.212.9.43).
220 Serv-U FTP Server v6.3 for WinSock ready...
Name (cauchy.homeip.net:jerry):

The other problem is that the ftp server is bannering the wrong ip
address/name, that will break the netfilter helper modules if you do
that. You should not set that to what your public ip address/dns name
is.  This issue is mentioned in the FTP page.

Jerry





Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread Jon
They're one and the same. There's only one box and it runs both Shorewall and 
the FTP server. Problem is that no one (internally or externally) can get at 
the FTP server with Shorewall running.

I didn't explain this very well, did I?

J

Sent from the road...
+1.403.770.2837
-Original Message-
From: Tom Eastep [EMAIL PROTECTED]
Date: Saturday, Dec 16, 2006 4:48 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue

Jon wrote:
 Hi Tom

 Thanks for replying - especially given your current state of internet 
 connectivity.

 Maybe I'm misunderstanding the DNAT thing. I thought it would be required to 
 translate from the external NIC to the internal but even as I write this I 
 can see how little sense that makes.
 
 I guess what I need to do is simply allow TCP 21 connections from both the net 
 and loc zones. Can't believe that I can't figure it out but I inherited 
 these boxes and we all probably know it's impossible to get up to speed fast 
 enough.
   

Be sure that it is actually the internal server that you are connecting to 
when you shorewall clear and not an FTP server running on the
Shorewall box itself.

-Tom



Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread Tom Eastep
Jon me at jonwatson.ca writes:

 
 They're one and the same. There's only one box and it runs both Shorewall and
 the FTP server. Problem is that no one (internally or externally) can get at
 the FTP server with Shorewall running.
 
 I didn't explain this very well, did I?

No. And I don't understand how you concluded that you fall into example
3. What you need is:

FTP/ACCEPT   net   $FW
FTP/ACCEPT   loc   $FW   (assuming that you have a local interface).

-Tom






Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread John Andersen
On Saturday 16 December 2006 15:06, Jon wrote:
 They're one and the same. There's only one box and it runs both Shorewall
 and the FTP server. Problem is that no one (internally or externally) can
 get at the FTP server with Shorewall running.

 I didn't explain this very well, did I?
 
You don't want a dnat rule then, you just want an
ACCEPT rule.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/



Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread Jon
Because I was confused about DNAT. 

So...knowing what I know now...am I looking at a net to fw rule to do what I 
need? I'm not sure how to refer to the box itself.

Thanks for the help!

J


Sent from the road...
+1.403.770.2837
-Original Message-
From: Tom Eastep [EMAIL PROTECTED]
Date: Saturday, Dec 16, 2006 7:21 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue

Jon me at jonwatson.ca writes:

 
 They're one and the same. There's only one box and it runs both Shorewall and 
 the FTP server. Problem is that no one (internally or externally) can get at 
 the FTP server with Shorewall running.
 
 I didn't explain this very well, did I?

No. And I don't understand how you concluded that you fall into example
3. What you need is:

FTP/ACCEPT   net   $FW
FTP/ACCEPT   loc   $FW   (assuming that you have a local interface).

-Tom






Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread Jon
Thanks. I feel kind of lame for not realizing what I was asking but sometimes 
you're just too close to the thing.

Thanks!

J

Sent from the road...
+1.403.770.2837
-Original Message-
From: John Andersen [EMAIL PROTECTED]
Date: Saturday, Dec 16, 2006 7:26 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue

On Saturday 16 December 2006 15:06, Jon wrote:
 They're one and the same. There's only one box and it runs both Shorewall
 and the FTP server. Problem is that no one (internally or externally) can
 get at the FTP server with Shorewall running.

 I didn't explain this very well, did I?
 
You don't want a dnat rule then, you just want an
ACCEPT rule.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/



Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread Tom Eastep
Jon me at jonwatson.ca writes:

 
 Because I was confused about DNAT. 
 
 So...knowing what I know now...am I looking at a net to fw rule to do what I
 need? I'm not sure how to refer to the box itself.

Then maybe you should consult the Shorewall introductory documentation.

-Tom





Re: [Shorewall-users] FTP/DNAT Issue

2006-12-16 Thread Jon
Well that certainly sets the tone. 

I'm happy to see that our decision to discontinue Shorewall in future builds 
wasn't in error.  I think I've been quite civil even to the point of being 
apologetic. You are being just plain rude, Tom.

I believe the level of detail in my original post, although incorrect, did 
serve to show that I had read the docs. I was struggling with a conceptual 
issue which I have now resolved despite your apparent reluctance to be helpful. 
Thankfully another on the list isn't burdened by whatever ails you.

OSS has enough of a battle for acceptance and the lack of support from authors 
is one thing that always comes up. To date I have almost always been able to 
show that the author is usually more than willing to help and get OSS by the 
gatekeepers. You are not helping the battle.

J


Sent from the road...
+1.403.770.2837
-Original Message-
From: Tom Eastep [EMAIL PROTECTED]
Date: Saturday, Dec 16, 2006 8:12 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue

Jon me at jonwatson.ca writes:

 
 Because I was confused about DNAT. 
 
 So...knowing what I know now...am I looking at a net to fw rule to do what I 
 need? I'm not sure how to refer to the box itself.

Then maybe you should consult the Shorewall introductory documentation.

-Tom





[Shorewall-users] FTP/DNAT Issue

2006-12-15 Thread Jon
Hello All,

I know that this should be a trivial issue, but I'm stuck. I'm totally 
new to Shorewall and although I've read all about the zones, they're 
still a bit confusing for me.

What I'm attempting to do is run an FTP server on an internal machine. 
I've read the example guide and troubleshooting guide, but I can't 
figure it out.

My setup:

net zone is on an external NIC with a routable IP. I can connect to 
other services on the box from the inside and outside so network 
connectivity is good.

My FTP server is running on 10.0.50.10 inside.

LAN clients can connect to the FTP server therefore the FTP server 
itself is set up correctly.

When I run shorewall clear, I can connect to the FTP server from the 
outside so it seems to be a Shorewall configuration issue for sure.

My Rules:

I feel pretty confident that I fall into example #3:

Example 3. Server running behind a Masquerading Gateway
Suppose that you run an FTP server on 192.168.1.5 in your local zone 
using the standard port (21). You need this rule:
#ACTION   SOURCE  DESTINATION      PROTO  PORT(S)  SOURCE   ORIGINAL
#                                                  PORT(S)  DESTINATION
FTP/DNAT  net     loc:192.168.1.5

However, after changing the IP to 10.0.50.10, no go.

A typical log entry when trying to connect looks like this:

Dec 15 10:36:29 munged kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:95:c5:29:43:00:90:1a:40:df:45:08:00 SRC=209.5.161.208 DST=10.0.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=52574 DF PROTO=TCP SPT=34883 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

From this I can see that it is the net2all chain that's dropping the 
packet, which seems to indicate an incoming issue, but I don't know how 
to fix it.

Links, tips, everything appreciated.

Thanks!

Jon

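An added example (not code from this thread) that parses the Shorewall log line quoted in Jon's post: it splits the Shorewall:<chain>:<disposition> prefix from the netfilter key=value fields and reads the empty OUT= field as the packet having been delivered to the firewall itself rather than forwarded, which is the point the replies to this post turn on (an ACCEPT net->$FW rule, not a DNAT). The chain-naming convention and the IN=/OUT= semantics are Shorewall's and netfilter's; the sample line is the one quoted in the post, joined onto one line.

```python
import re

# Shorewall prefixes each netfilter LOG entry with "Shorewall:<chain>:<disposition>:",
# followed by the kernel's own key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Za-z]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# Shorewall names its chains <source-zone>2<dest-zone>; a "<zone>2all" chain is
# generated from a policy entry, not from a rule in /etc/shorewall/rules.
CHAIN_RE = re.compile(r"^(?P<src>\w+)2(?P<dst>\w+)$")


def parse_shorewall_log(line):
    """Split one Shorewall log line into chain, disposition and the netfilter fields."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {"chain": m.group("chain"), "disposition": m.group("disp").upper(), "fields": fields}


def packet_path(fields):
    """netfilter fills IN= for packets arriving on an interface and OUT= for packets
    leaving on one, so the pair tells which hook logged the packet."""
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "UNKNOWN"


def triage(line):
    """Summarise what a logged connection attempt tells the firewall admin."""
    entry = parse_shorewall_log(line)
    if entry is None:
        return None
    f = entry["fields"]
    zones = CHAIN_RE.match(entry["chain"])
    path = packet_path(f)
    src_zone = zones.group("src") if zones else None
    dst_zone = zones.group("dst") if zones else None
    summary = {
        "disposition": entry["disposition"],
        "path": path,
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "policy_chain": dst_zone == "all",
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "dport": f.get("DPT"),
    }
    # IN= set and OUT= empty: the packet was addressed to the firewall itself, so
    # the missing piece is a <zone> -> $FW rule, not a DNAT to another host.
    if path == "INPUT":
        summary["needs"] = "ACCEPT rule from %s to $FW" % src_zone
    else:
        summary["needs"] = "rule for %s -> %s traffic" % (src_zone, dst_zone)
    return summary


# Sample input: the log entry quoted in the post, joined onto one line.
SAMPLE = ("Dec 15 10:36:29 munged kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
          "MAC=00:11:95:c5:29:43:00:90:1a:40:df:45:08:00 SRC=209.5.161.208 "
          "DST=10.0.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=52574 DF PROTO=TCP "
          "SPT=34883 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print("%-13s %s" % (key, value))
```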