On 08/09/2017 01:28 AM, Davide Marchi wrote:
> Hi friends,
> 
> On Debian Jessie,
> I've configured ProFtpd to connect by TLS (SSLv3 TLSv1 -> Letsencrypt
> certificate) on port 2222, but with Shorewall up, it DROPs the connection:
> 
> 
> Aug  8 18:50:10 server kernel: [16438563.572121]
> Shorewall:net-fw:DROP:IN=eth0 OUT=
> MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=132.142.22.10
> DST=44.320.032.111 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63283 DF
> PROTO=TCP SPT=33175 DPT=55298 WINDOW=29200 RES=0x00 SYN URGP=0
> 
> 
> My rules.conf:
> 
>                             PORT    PORT(S)        DEST       LIMIT        GROUP
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
> 
> Invalid(DROP)  net                $FW        tcp
> 
> Ping(DROP)    net        $FW
> 
> ACCEPT        $FW        net        icmp
> 
> Web(ACCEPT)     net             $FW
> ACCEPT          net             $FW             tcp             443    #HTTPS
> ACCEPT          net             $FW             tcp             60319  #SSH
> ACCEPT          net             $FW             tcp             587    #SUBMISSION SERVICE DOVECOT
> ACCEPT          net             $FW             tcp             995    #SUBMISSION SERVICE DOVECOT SSL/TLS
> ACCEPT          net             $FW             tcp             993    #SUBMISSION SERVICE DOVECOT SSL/TLS
> ACCEPT          net             $FW             tcp             110    #SUBMISSION SERVICE DOVECOT STARTTLS
> ACCEPT          net             $FW             tcp             143    #DOVECOT POSTFIX
> ACCEPT          net             $FW             tcp             25     #POSTFIX
> ACCEPT          net             $FW             tcp             21     #PROFTP
> ACCEPT          net             $FW             tcp             22     #PROSFTP
> SSH(ACCEPT)     net             $FW             tcp             2222   #PROSFTP
> 
> 
> 
> Now I'm wondering where the problem is.
> 
> I have Fail2ban installed too, and I've already clarified on its mailing
> list that this is not a problem that concerns F2B.
> 
> 
> A thanks to all those who want to help me better understand this issue!

To handle a protocol like FTP, Netfilter must inspect each packet of the
control connection in order to be able to automatically open data
connections. When the control connection is encrypted, it can't do that
and hence data connections are rejected. To work around this, you will
need to specify a range of passive ports in the ProFtpd configuration,
then open that port range in Shorewall. To handle active mode
connections, you would also need to open outbound connections whose
source port is 20 (that is the default, anyway).

SFTP is the preferred way to do Secure file transfer, as it is SSH-based
and does not use separate control and data connections. With SFTP, you
simply open the incoming connection in your Shorewall configuration.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
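
As an added example (not code from this thread, from Shorewall or from ProFTPD): a small POSIX shell helper that takes the kind of Shorewall DROP lines Davide quoted, pulls out PROTO and DPT, and reports how many dropped TCP SYNs fall inside the PassivePorts range that Tom says ProFTPD must be given, then prints the matching Shorewall rules line. The range 49152-49200 and the second and third log lines are constructed; the first log line is the one quoted above.

```shell
#!/bin/sh
# Constructed passive-port range; must match "PassivePorts 49152 49200" in proftpd.conf.
PASV_LO=49152
PASV_HI=49200

# Constructed sample log: line 1 is the DROP quoted in the thread (DPT outside our range),
# line 2 is a TCP SYN to a port inside the range, line 3 is UDP and must be ignored.
SAMPLE_LOG='Aug  8 18:50:10 server kernel: [16438563.572121] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=132.142.22.10 DST=44.320.032.111 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63283 DF PROTO=TCP SPT=33175 DPT=55298 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 18:50:12 server kernel: [16438565.000000] Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=132.142.22.10 DST=44.320.032.111 PROTO=TCP SPT=33176 DPT=49170 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 18:50:13 server kernel: [16438566.000000] Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=44.320.032.111 PROTO=UDP SPT=5000 DPT=49180 LEN=40'

# Print "in-range" or "out-of-range" for a single destination port.
classify_port() {
    if [ "$1" -ge "$PASV_LO" ] && [ "$1" -le "$PASV_HI" ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Count Shorewall DROP lines whose TCP destination port lies inside the passive range;
# those are the passive-mode data connections the firewall currently rejects.
count_pasv_drops() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v lo="$PASV_LO" -v hi="$PASV_HI" '
        /Shorewall:.*:DROP:/ {
            proto = ""; dpt = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5) + 0
            }
            if (proto == "TCP" && dpt >= lo && dpt <= hi) n++
        }
        END { print n + 0 }'
}

# Emit the rules-file line that admits the passive range (the fix described in the reply).
shorewall_rule() {
    printf 'ACCEPT\tnet\t$FW\ttcp\t%s:%s\t#PROFTPD PassivePorts\n' "$PASV_LO" "$PASV_HI"
}

echo "passive-range drops: $(count_pasv_drops)"
shorewall_rule
```

Run it against `journalctl -k` or `/var/log/kern.log` output instead of SAMPLE_LOG to see which drops disappear once the range is opened; a DPT like 55298 outside the configured range means ProFTPD is still handing out ports you have not admitted.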

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users