Have you read http://www.shorewall.net/FTP.html ?

Especially where it says:
Important

Once you have made these changes to /etc/shorewall/modules and/or
/etc/modules.conf, you must either:

Unload the modules and restart shorewall:

        rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart
or
        Reboot


-----Original Message-----
From: Fog_Watch [mailto:[email protected]] 
Sent: Friday, 4 June 2010 12:43 PM
To: [email protected]
Subject: [Shorewall-users] tcrules' HELPERs are not helping

Hello

With the following in my tcrules I can log in to my ftp site:
####################################################################
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                               PORT(S) PORT(S)
3       $FW             0.0.0.0/0       tcp     21

But I cannot ls or get.  Of course I need more than just a control
connection.

So I try the following in my tcrules:
####################################################################
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                               PORT(S) PORT(S)
3       $FW             0.0.0.0/0       -       -       -       -       -       -       -       -               ftp

Which does not work at all.

A shorewall iptrace reveals that with the above tcrules (with the
helper) packets are not marked.

So, um, how should I be using my ftp helper to mark packets?

Regards

Fog_Watch.
 

# lsmod | grep ftp
nf_nat_tftp             1301  0 
nf_nat_ftp              2267  0 
nf_conntrack_tftp       3810  1 nf_nat_tftp
nf_conntrack_ftp        6177  1 nf_nat_ftp
nf_nat                 14504  7 nf_nat_sip,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_ftp,iptable_nat
nf_conntrack           52369  21 nf_nat_sip,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_ftp,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
