On 08/09/2017 01:28 AM, Davide Marchi wrote:
> Hi friends,
>
> On Debian Jessie,
> I've configured ProFtpd to connect by TLS (SSLv3 TLSv1 -> Letsencrypt
> certificate) on port 2222 but with Shorewall up, it DROPs the connection:
>
> Aug 8 18:50:10 server kernel: [16438563.572121] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=188.8.131.52 DST=44.320.032.111 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63283 DF PROTO=TCP SPT=33175 DPT=55298 WINDOW=29200 RES=0x00 SYN URGP=0
>
> My rules.conf:
>
> PORT PORT(S) DEST LIMIT GROUP
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> Invalid(DROP) net $FW tcp
>
> Ping(DROP) net $FW
>
> ACCEPT $FW net icmp
>
> Web(ACCEPT) net $FW
> ACCEPT net $FW tcp 443 #HTTPS
> ACCEPT net $FW tcp 60319 #SSH
> ACCEPT net $FW tcp 587 #SUBMISSION SERVICE DOVECOT
> ACCEPT net $FW tcp 995 #SUBMISSION SERVICE DOVECOT SSL/TSL
> ACCEPT net $FW tcp 993 #SUBMISSION SERVICE DOVECOT SSL/TSL
> ACCEPT net $FW tcp 110 #SUBMISSION SERVICE DOVECOT STARTTLS
> ACCEPT net $FW tcp 143 #DOVECOT POSTFIX
> ACCEPT net $FW tcp 25 #POSTFIX
> ACCEPT net $FW tcp 21 #PROFTP
> ACCEPT net $FW tcp 22 #PROSFTP
> SSH(ACCEPT) net $FW tcp 2222 #PROSFTP
>
> Now I'm wondering where the problem is.
>
> I've Fail2ban installed too and I've already clarified in its ML that
> this is not a problem that concerns F2B.
>
> Thanks to all those who want to help me better understand this issue!
To handle a protocol like FTP, Netfilter must inspect each packet of the control connection in order to be able to automatically open data connections. When the control connection is encrypted, it can't do that and hence data connections are rejected.

To work around this, you will need to specify a range of passive ports in the ProFtpd configuration, then open that port range in Shorewall. To handle active mode connections, you would also need to open outbound connections whose source port is 20 (that is the default, anyway).

SFTP is the preferred way to do Secure file transfer, as it is SSH-based and does not use separate control and data connections. With SFTP, you simply open the incoming connection in your Shorewall configuration.

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
 \_______________________________________________
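A concrete version of the two-sided fix Tom describes, written as an added example for this thread rather than taken from the original posts or from the ProFTPD or Shorewall projects. The dropped packet in the quoted log (a SYN from the client to DPT=55298, a high port no rule accepts) is consistent with a passive-mode data connection that the encrypted control channel prevented conntrack from opening automatically. The passive port range 49152-65534, the certificate paths and the EXAMPLE_HOST name are assumptions chosen for illustration; the control-channel port 2222 is the one from the post.

```conf
# /etc/proftpd/proftpd.conf (fragment) -- assumed paths and values, for illustration.
# Pin the passive data ports to a fixed range so the firewall can be told what to
# accept. With the control channel encrypted, the Netfilter FTP helper cannot read
# the PASV/EPSV replies, so the range has to be static and known in advance.
PassivePorts            49152 65534

<IfModule mod_tls.c>
    TLSEngine                   on
    TLSRequired                 on
    # SSLv3 is obsolete; restrict to TLSv1.2 (keyword support depends on the ProFTPD version).
    TLSProtocol                 TLSv1.2
    TLSRSACertificateFile       /etc/letsencrypt/live/EXAMPLE_HOST/fullchain.pem
    TLSRSACertificateKeyFile    /etc/letsencrypt/live/EXAMPLE_HOST/privkey.pem
</IfModule>

# /etc/shorewall/rules (fragment) -- add these under ?SECTION NEW.
#ACTION     SOURCE  DEST    PROTO   DPORT           SPORT
ACCEPT      net     $FW     tcp     2222                    # FTPS control channel (port from the post)
ACCEPT      net     $FW     tcp     49152:65534             # passive data channel; must match PassivePorts
ACCEPT      $FW     net     tcp     -               20      # active-mode data, server-initiated from port 20
```

After editing, `proftpd -t` validates the ProFTPD configuration and `shorewall check` validates the rules before a `shorewall restart`. The two ranges must agree exactly: any passive port ProFTPD hands out that Shorewall does not accept produces the same net-fw DROP line as in the quoted log. If the server sits behind NAT, passive mode additionally needs ProFTPD's MasqueradeAddress directive so that the PASV reply carries the public address.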
_______________________________________________
Shorewall-users mailing list
Shorewallfirstname.lastname@example.org
https://lists.sourceforge.net/lists/listinfo/shorewall-users