you need to allow port 20 for the data connection.
phil
On 9/1/2007 4:52 AM, Mahdi Rahimi wrote:
hello
I have a problem with our clients' outside FTP access via Debian.
My LAN users can't start data transfer to outside FTP servers, but they
can establish a connection to port 21 on the outside
Leonardo Boselli wrote on 8/24/2007 4:44 PM:
Your best is not enough for me.
Oucht.
good luck.
--
phil
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
on 2007-08-02 at 22:49, Ansgar -59cobalt- Wiechers wrote:
On 2007-08-02 Franck Joncourt wrote:
-m state --state NEW --syn rather than --syn
--syn is kinda redundant when using --state NEW. ;)
I think that --state NEW is kinda redundant when using --syn
would be more accurate.
--
phil
on 2006-08-18 at 11:25, George Borisov wrote:
Hello,
We have an IPSec VPN link between the UK and South Africa.
Unfortunately one of the routers upstream from our South Africa
firewall mangles large packets (e.g. only 2/3 chunks of a 4000
byte ping will be received.)
[snip]
Is there a
on 2006-08-08 at 19:49, ??? ?? wrote:
# iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -j ROUTE --oif eth0
iptables: No chain/target/match by that name
#
there is no built in ROUTE target. Is this a user space
target you have created?
built in targets are ACCEPT, REJECT, DROP,
on 2006-08-08 at 21:03, Pascal Hambourg wrote:
Phil :
Why are you talking about a built-in target ?
um, whoops. :)
mistake-a) s/built-in/standard/g
mistake-b) replying to things without full knowledge of the answer.
phil
(who is beating himself with a wet noodle right now.)
on 2006-05-17 at 10:53, Leonardo Boselli wrote:
How to avoid these warnings ?
May 17 05:27:13 student dhcpd: DHCPINFORM from 172.25.9.96 via br1: not
authoritative for subnet 128.0.0.0
Not sure how this relates to firewalls, but...
use the authoritative statement in dhcpd.conf
man
on 2006-05-01 at 18:30, Leonardo Boselli wrote:
On Mon, 1 May 2006, Pascal Hambourg wrote:
I agree with your opinion, however sticking a group of users to a specific
address would allow administrators to filter on the _other_ end of the
link, accepting or refusing the connection based on the
on 2006-03-30 at 12:25, Vladimir Zolotykh wrote:
Hi
I'm new both to this mailing list and firewalls.
I set up a simple firewall and SNAT using iptables. All works fine
except that sometimes I see the following in the /var/log/syslog
Mar 30 08:54:23 dobby kernel: New not syn:IN=
on 2006-03-30 at 15:17, Phil Dyer wrote:
somewhere, asynchronous routing, out of order packets, flushing and
s/asynchronous/asymmetric/
--
phil
Ouédraogo Boukari said:
Hello!
ip_forward has 0 value but it's impossible to turn this value to 1.
what happens when you just
echo 1 > /proc/sys/net/ipv4/ip_forward
--
phil
Vladimir Konrad said:
Just a wild guess, but maybe check your MTU settings.
MTU is 1500 on both eth interfaces...
path mtu discovery, maybe?
--
phil
Maxwillian Miorim said:
FTP traffic passes through ports 20 UDP and 21 TCP.
First one head is established with a connection on UDP port 20,
after this all traffic is exchanged through port 21 TCP.
ummmhuh?
--
phil
Maxwillian Miorim said:
Oops, my English is so bad? Sorry, I'm Brazilian. =P
oh, I understood what you meant. It's just incorrect.
See RFC959 for details: http://www.ietf.org/rfc/rfc0959.txt
I think you should read that rfc and search for 'UDP'. You won't find it
once. Your broken client may
Lars Schimmer said:
Hi!
I copied a iptables config from a friend over to my router:
($IPT = /sbin/iptables)
$IPT -A FORWARD -s ! 111.22.22.128/25 -p tcp --dport 22 -m state --state
NEW -m recent --set
$IPT -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent
--update --seconds
Debs said:
iptables -t nat -A PREROUTING -d $WAN_IP -p udp --dport 20 -j DNAT
--to $PUBLIC:21
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 20 -j DNAT
--to $PUBLIC:21
redirecting port 20 to port 21?
BTW is udp necessary..?
no.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Pierre Volcke said:
hello there,
I'm using iptables and brctl (bridging) to provide
some transparent firewalling.
the problem is : I cannot see *any* logs from
iptables into the kernel logs
(but I know that my INPUT/OUTPUT/FORWARD chains
Shane Machon said:
I suspect my only way around this is to change the interface name of the
pppoe link from ppp0 to something else like extif, then I can build
rules specific to that interface knowing that will always be the
external connection.
Martin G.H. Minkler said:
Alohá all!
[snip]
Going for the shotgun approach with cross-posting, eh. :)
Don't remember having any problems like you've encountered...
Have you tried connecting to the sarge box with another client? Windows
XP, or
David Powell wrote:
Hello List,
When my LAMP server first fires up it runs a firewall script, but
doesn't seem to be applying the rules that allow NFS connections. If I
then rerun the script manually, the NFS connections work again.
My
I'd say your firewall is starting up before nfs in your rc scripts, so
your NFSPORTS_ARRAY is empty. Try changing the firewall to start up
after nfs.
..that would leave it open for a wee while, no?
I'd rather just rerun the nfs
Udo Klein said:
Thanks Phil,
I've now allowed dhcp in from the ISP and it works. Can I ask you one
more question: is it possible to direct the ipchains log to a file other
than /var/log/kern.log (e.g. /var/log/ipchains.log), so that kern.log
I swear, I'm on about 15 lists, and debian-firewall is the *only* one
where I get unsubscribe posts to the list.
One more beer and I'm gonna get jiggy and reply. :)
insert user friendly cartoon here
Sorry for the OT post, everybody.
--
/phil
NN_il_Confusionario wrote:
perhaps one could mark with iptables the local packets to be source
natted and then source nat the marked packets with ip route
I don't think that iptables alone can do it. I'm thinking this is the
road to look down,
Phil Dyer wrote:
NN_il_Confusionario wrote:
perhaps one could mark with iptables the local packets to be source
natted and then source nat the marked packets with ip route
I don't think that iptables alone can do it. I'm thinking
Mike Mestnik wrote:
conn rnet-lnet
left=1.2.3.4
leftsubnet=172.27.27.0/24
leftnexthop=1.2.3.1
right=9.8.7.6
rightsubnet=192.168.1.0/24
authby=secret
auto=start
Yes, this works.
conn rnet-lserver
left=1.2.3.4
Chavdar Videff said:
The reason why we do this is because the Cisco router is maintained by our
ISP
and it is configured for the entire LAN. I cannot touch there. And I cannot
change the LAN address space because there are servers accessed
Blars Blarson wrote:
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
I'm using a pseudo-bridge setup with proxy_arp. I haven't had any
problems at all. My setup causes me to lose 2 ip addresses for each
interface, but...
er.. I meant 1 ip
R.M. Evers said:
I'm having some problems implementing a VPN configuration, and I'm
hoping you guys could help me out here. We are hosting a Debian Sarge
server for one of our customers, and they need to communicate with this
server over the
R.M. Evers said:
OK, when I ping from eth1, I get a bad interface address 'eth1' error,
probably because eth1 is not connected..
Shouldn't make a difference as long as the interface is up.
ifup eth1
try ping -I 172.27.27.1 192.168.1.x
--
Theodore Knab said:
Hi,
Does anyone have some transparent bridge iptables rules that I could use as
an example ?
I have a Debian Sarge box running the 2.6.10 kernel that is acting as a
transparent bridge.
Currently, it is using EBTABLES.
martin f krafft said:
Here are the relevant rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix
martin f krafft said:
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.15.1512 +0100]:
for INPUT, lose the conntrack.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
why?
Actually, good question. I thought that conntrack
Collins, Kevin said:
UNKNOWN: Mar 3 00:05:34 localhost pluto[2851]: ltoh #556: received Delete
SA payload: deleting ISAKMP State #556
While everything is working, I'm concerned that these entries mean that
something just isn't right. I want
Manfred Sampl said:
Is there a gui tool that is able to set up a firewall rule set on a remote
computer or write a bash script? I had a quick look at knetfilter and
firestarter, but that isn't really what I need. Shorewall is somehow nice,
but wouldn't that be a step back for me?
Manfred Sampl said:
Hi,
My input ruleset doesn't work as it should... I'm using woody /
netfilter on 2.4.27 (debian kernel I think) for doing the routing on a
DSL connection.
I can't reach ssh on the external interface.
What is wrong? and
Mike Mestnik wrote:
MAC address changes at every hop. The MAC is *always* going to be your
Assuming you could do the impossible and find out what the original MAC
was. (We seem to agree.) You can't send a pkt to a MAC address not on your
local network.
I can only deal with the possible.
Mike Mestnik wrote:
My point is: how do you send packets back to the sender if the packet
came in on a connected interface that does not host the network that it
The packet came in. There should be a MAC (ethernet) address that it came
from.
MAC address changes at every hop. The MAC is