Odd FTP Problems

David A. Bandel david
Mon May 17 11:48:33 PDT 2004


On Thu, 19 Jun 2003 15:30:38 -0500
Jason Joines <joines at bus.okstate.edu> wrote:

> David A. Bandel wrote:
> 

[snip]

OK, if I remember correctly, policy is set this way (been a _long_ while
since I've used ipchains):
ipchains -P input DENY
may not be exactly correct, but I know you need -P for policy.
> 
> #*****************************************************************************#
> # INPUT CHAIN ****************************************************************#
> #*****************************************************************************#
> #
[snip]

> #
> $ipchains -A input -s $anyhost -d $thishost 1024:65535 -p tcp -i eth0 ! -y -j ACCEPT

1.  check if you have any ports bound in the 1024+ region with netstat -pan
    a.  if you do, block those ports to incoming
2.  remove the ! -y above and try your passive FTP again -- should work

> $ipchains -A input -s $anyhost -d $thishost 1024:65535 -p udp -i eth0 -j ACCEPT
> #
> # Catch all and log it
> $ipchains -A input -l -j DENY
> 
>   When the browsers connect you'll get a sequence like this in the
>   log:
> Jun 19 20:08:48 kernel: Packet log: input ACCEPT eth0 PROTO=6 
> 172.16.0.31:40551 172.16.0.105:21 L=58 S=0x10 I=36665 F=0x4000 T=64
> (#6)
  note the flags:                                       ^^^^^^^^
(look it up)
> Jun 19 20:08:48 kernel: Packet log: input DENY eth0 PROTO=6 
> 172.16.0.31:40552 172.16.0.105:5345 L=60 S=0x00 I=36666 F=0x4000 T=64 
> SYN (#37)
> so it seems the firewall is doing just what it's supposed to do.
> 
>   The whole box is slated to go away with a replacement application 
> running on one of our 11 kernel 2.4.x boxes.  All of them run iptables 
> firewalls and I would love to have that option.  Unfortunately, it's
> way down the priority list of the app/dev guys.  I was just tasked
> with securing the "as-is" system as much as possible in the meantime. 
> The person who originally put it up went way out of their way to make
> it as insecure as possible, no firewall, unencrypted smb passwords,
> mysql open to the world with a blank password for root, ..., the list
> goes on and on.  I can't wait to get rid of this thing.

good idea -- iptables is light years ahead of ipchains.

> 
>   Thanks for the help.

no prob -

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
		Nemesis Racing Team motto
GPG key autoresponder:  mailto:david_key at pananix.com
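The two "Packet log:" lines quoted above are exactly the trace that `! -y` leaves behind when it breaks passive FTP: an accepted connection to port 21 from a client, followed by a denied SYN from the same client to a high port. Below is an added example (not from this thread or from ipchains) that parses that log format and flags the pattern; the field names for L=, S=, I=, F= and T= follow the ipchains packet-log layout, and the third sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ipchains syslog format: L=total length, S=TOS, I=IP id, F=IP fragment
# field (0x4000 is the Don't Fragment bit), T=TTL, "SYN" when the TCP
# packet is a SYN without ACK, (#n) is the matching rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>ACCEPT|DENY|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x(?P<frag>[0-9a-fA-F]+) T=\d+"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

@dataclass
class PacketLog:
    verdict: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    frag: int
    syn: bool
    rule: int

def parse_line(line: str) -> Optional[PacketLog]:
    """Parse one ipchains 'Packet log:' line; return None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return PacketLog(m["verdict"], int(m["proto"]), m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), int(m["frag"], 16),
                     m["syn"] is not None, int(m["rule"]))

def blocked_passive_ftp(lines: List[str]) -> List[Tuple[str, int]]:
    """(client, port) pairs where a host that reached port 21 then had a TCP SYN
    to a 1024+ port denied: the signature of '! -y' rejecting the PASV data leg."""
    ftp_clients, hits = set(), []
    for line in lines:
        p = parse_line(line)
        if p is None or p.proto != 6:          # TCP only
            continue
        if p.verdict == "ACCEPT" and p.dport == 21:
            ftp_clients.add(p.src)
        elif p.verdict == "DENY" and p.syn and p.dport >= 1024 and p.src in ftp_clients:
            hits.append((p.src, p.dport))
    return hits

# Two lines copied from the thread above plus one constructed non-FTP deny.
SAMPLE_LOG = [
    "Jun 19 20:08:48 kernel: Packet log: input ACCEPT eth0 PROTO=6 172.16.0.31:40551 172.16.0.105:21 L=58 S=0x10 I=36665 F=0x4000 T=64 (#6)",
    "Jun 19 20:08:48 kernel: Packet log: input DENY eth0 PROTO=6 172.16.0.31:40552 172.16.0.105:5345 L=60 S=0x00 I=36666 F=0x4000 T=64 SYN (#37)",
    "Jun 19 20:09:01 kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:1234 172.16.0.105:3306 L=60 S=0x00 I=100 F=0x4000 T=64 SYN (#37)",
]
```

Running `blocked_passive_ftp(SAMPLE_LOG)` reports only the 172.16.0.31 client and port 5345; the unrelated deny of a stranger hitting 3306 is left alone, which is the distinction you want before loosening the high-port rule.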