Firewall and FTP

dildir at wanadoo.fr
Sat Nov 9 10:08:53 PST 2002


Oliver Eickenberg (oliver at eickenberg.de) wrote:
> Hello,
> 
> With my firewall working for a few weeks now (thanks again for the help 
> I received here) I discovered one problem left:
> 
> I tried to grant access to Internet FTP sites for my LAN by enabling 
> port 21 exactly as I had enabled port 80 for HTTP. I could connect to 
> sites and log in successfully, but then got timed out every time on any site.
> 
> I searched the net and found out that this is not a surprise, because 
> port 21 is only used as a kind of FTP handshake and the data transfer 
> is handled on a separate port. Since that port is not always the same, 
> how can one build a firewall with FTP going through? The sites I found 
> haven't answered that question in a way I could understand.
> 
> Is there somebody here who knows a solution?
> 
> Thanks, Oliver
> 
> P.S.: Here is my actual "FTP-enabling"
> 
> iptables -A OUTPUT -p tcp -s $myLAN --dport 21 -j ACCEPT
> iptables -A INPUT  -p tcp -s $myLAN --sport 21 -m state --state ESTABLISHED -j ACCEPT
> 
> -- 
> Unsubscribe: send email to listar at linuxfromscratch.org
> and put 'unsubscribe blfs-support' in the subject header of the message
>

Hi Oliver,

I had something like that.  Do a dmesg or check your /var/log/sys.log.  It
should mention something about packets dropped going out on port 20.  After
allowing those out, it worked.

I found it instructive to open a window with a "tail -f -n 20
/var/log/sys.log" running while first using a firewall.

HTH

Dirk
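For readers coming to this thread later, here is an added example (not Oliver's ruleset and not Dirk's) of what "allowing those out" looks like as a complete rule set for a firewall host that also acts as the FTP client. It assumes a LAN range in $LAN (Oliver's $myLAN) and the iptables binary in $IPT; both are placeholders. The point it shows is why port 21 alone is not enough: in active-mode FTP the server opens the data connection itself, from its port 20 back to the client, so the client side sees a NEW inbound connection from source port 20 and reply packets going out to destination port 20, exactly the packets the log shows dropped.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: LAN (the inside
# network, Oliver's $myLAN) and IPT (the iptables binary). Rules are for the
# INPUT/OUTPUT chains of the firewall host itself, as in the quoted ruleset.
set -e
LAN="${LAN:-192.168.1.0/24}"     # constructed sample LAN range
IPT="${IPT:-iptables}"

# Print the rule set for active-mode FTP, one argument line per rule.
# Control channel: client -> server:21 (what Oliver already allowed).
# Data channel:    server:20 -> client, opened by the SERVER, so the client
#                  firewall must accept a NEW connection from source port 20
#                  and let the replies go out to destination port 20.
ftp_rules() {
    echo "-A OUTPUT -p tcp -s $LAN --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A INPUT  -p tcp -d $LAN --sport 21 -m state --state ESTABLISHED -j ACCEPT"
    echo "-A INPUT  -p tcp -d $LAN --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -p tcp -s $LAN --dport 20 -m state --state ESTABLISHED -j ACCEPT"
}

# Tighter alternative: load the FTP connection-tracking helper, which reads
# the PORT/PASV exchange on the control channel and marks only the data
# connection negotiated there as RELATED. No blanket trust in port 20.
# Module name is ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on 2.6+.
ftp_rules_with_helper() {
    echo "-A OUTPUT -p tcp -s $LAN --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "-A INPUT  -p tcp -d $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -p tcp -s $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Apply a rule set (needs root and a real iptables; not run by default).
apply_rules() {
    "$1" | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# Number of rules in the plain set that mention a given TCP port.
rules_for_port() {
    ftp_rules | grep -c -- "port $1 "
}

if [ "${1:-}" = "apply" ]; then
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    apply_rules ftp_rules_with_helper
else
    ftp_rules
fi
```

Run it with no arguments to print the plain rule set and compare it with your own; "apply" loads the conntrack helper and installs the RELATED variant. The plain set works, as Dirk says, but note what it trusts: any host can send from source port 20, so the INPUT rule on port 20 accepts NEW connections from anyone who picks that source port. The helper variant only accepts the data connection that was actually announced on the control channel, which is the check a firewall should be making. Keep the tail -f on the log open while testing either one.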