Scott Ruckh wrote:
> I am using shorewall version 4.2.4 (the invoca RPMs).
>
> I get this warning when starting shorewall:
>
> WARNING: Destination zone (loc) ignored : /usr/share/shorewall/macro.FTP (line
> 11)
>
> macro.FTP looks like the "base" version that ships with shorewall:
>
> #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
> # PORT(S) PORT(S) LIMIT GROUP
> PARAM - - tcp 21
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> My FTP "rules" are:
>
> # forward FTP traffic to the FTP server
> FTP/DNAT- inet loc:a.b.c.d

From the Shorewall 4.2 release notes "Migration Issues" section:

3) Specifying a destination zone in a NAT-only rule now generates a
   warning and the destination zone is ignored. NAT-only rules are:

       NONAT
       REDIRECT-
       DNAT-

So what you really want is:

    FTP/DNAT- inet a.b.c.d

>
> # slow down Brute Force attacks. Limit the number
> # of connections per minute that can occur.
> Limit:ULOG:FTPBFA,4,120 inet loc:a.b.c.d tcp 21 -
> $ETH2_IP
>
> ;where a.b.c.d is the IP address of FTP server behind the firewall.
>
> I believe this probably broke when switching to Shorewall-PERL, although I am
> not positive.
>
> I can not remember where the FTPBFA (FTP Brute Force Attack) script lives.
> Tom helped me create the script originally, but I can not remember where this
> code lives.
It isn't a script -- it is the name of a 'Recent Set' that the rule will
automatically create if it doesn't exist. This allows more than one rule
to use the same notion of 'recent' by sharing the same Recent Set.
> Basically I would like to implement a similar policy with Shorewall-PERL.
>
> I have viewed the pages http://www.shorewall.net/FTP.html and
> http://www.shorewall.net/PortKnocking.html, but I am not able to deduce what I
> need to do in order to get this rule working again.
What makes you believe that it is not working?
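
The migration issue quoted above can be checked for before upgrading. The following is an added example, not part of the original message or of Shorewall itself: a small linter that flags NAT-only rules whose DEST column still carries a zone prefix and prints the corrected line. The function names, the sample rules and the zone-detection heuristic (anything before the first ':' that is not an IPv4 address is treated as a zone) are assumptions made for this illustration.

```python
import re

# NAT-only actions, as listed in the release-note excerpt quoted above.
NAT_ONLY = {"NONAT", "REDIRECT-", "DNAT-"}
# IPv4 address, optional range or prefix length (used to tell addr:port from zone:addr).
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(-\d{1,3}(\.\d{1,3}){3})?(/\d{1,2})?$")

# Constructed sample rules; 192.0.2.10 is a documentation address.
SAMPLE = """\
# forward FTP traffic to the FTP server
FTP/DNAT-   inet    loc:192.0.2.10
DNAT-:info  inet    192.0.2.10:2121    tcp    21
DNAT        inet    loc:192.0.2.10     tcp    80
REDIRECT-   loc     3128               tcp    80
"""

def base_action(action_col):
    """Reduce 'FTP/DNAT-' or 'DNAT-:info' to the bare action name."""
    action = action_col.split(":", 1)[0]   # drop log level / tag
    return action.rsplit("/", 1)[-1]       # drop macro prefix

def dest_zone(dest):
    """Return the zone prefix of a DEST column, or None (heuristic, see lead-in)."""
    if ":" not in dest:
        return None
    head = dest.split(":", 1)[0]
    # 'address:port' is a legitimate NAT target, not a zone prefix.
    if head in ("", "-") or IPV4.match(head):
        return None
    return head

def lint_rules(text):
    """Return (line_no, zone, suggested_line) for NAT-only rules with a DEST zone."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()   # strip comments, split columns
        if len(cols) < 3 or base_action(cols[0]) not in NAT_ONLY:
            continue
        zone = dest_zone(cols[2])
        if zone:
            cols[2] = cols[2].split(":", 1)[1]   # keep only the address part
            findings.append((no, zone, " ".join(cols)))
    return findings

if __name__ == "__main__":
    for no, zone, fixed in lint_rules(SAMPLE):
        print(f"line {no}: destination zone ({zone}) will be ignored; use: {fixed}")
```
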