extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 04:04:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add new files

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@731 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-08-27 14:54:47 +00:00
parent 8466316f97
commit 3550dbc3e5
2 changed files with 234 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

234
STABLE/documentation/FTP.html Normal file
View File

@ -0,0 +1,234 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td>
</tr>
</tbody>
</table>
<h2></h2>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection
goes from the FTP client to port 21 on the FTP server. This connection is
used for logon and to send commands and responses between the endpoints.
Data transfers (including the output of "ls" and "dir" commands) requires
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
that the client is operating in:<br>
</p>
<ul>
<li>Passive Mode (default for web browsers) -- The client issues a PASV
command. Upon receipt of this command, the server listens on a dynamically-allocated
port then sends a PASV reply to the client. The PASV reply gives the IP address
and port number that the server is listening on. The client then opens a
second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to the
server. The PORT command gives the IP address and port number that the client
is listening on. The server then opens a connection to that IP address and
port number; the <u>source port</u> for this connection is 20 (ftp-data in
/etc/services).</li>
</ul>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive mode
and that I can toggle between passive and active mode by issuing a "passive"
command:<br>
<blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote>
Things to notice:<br>
<ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP address;
and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and separates
the two bytes by a comma. As shown in the PORT command, port 142,58 translates
to 142*256+58 = 36410.<br>
</li>
</ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode requires
the firewall to dynamically open a "hole" for the server's connection back
to the client. Similarly, if you are running an FTP server in your local
zone then active mode should always work but passive mode requires the firewall
to dynamically open a "hole" for the client's second connection to the server.
This is the role of FTP connection-tracking support in the Linux kernel.
<div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved,
the PORT commands and PASV responses may also need to be modified by the
firewall. This is the job of the FTP nat support kernel function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
<p>Example:<br>
</p>
<blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate directory,
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf
to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21. <br>
</p>
<p>The above discussion about commands and responses makes it clear that the
FTP connection-tracking and NAT helpers must scan the traffic on the control
connection looking for PASV and PORT commands as well as PASV responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,  you must therefore let the helpers know by specifying the port
in /etc/shorewall/modules entries for the helpers. For example, if you
run an FTP server that listens on port 49 then you would have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot</li>
</ol>
One problem that I see occasionally involves active mode and the FTP server
in my DMZ. I see the active data connection <u>to certain client IP addresses</u>
being continuously rejected by my firewall. It is my conjecture that there
is some broken client out there that is sending a PORT command that is being
either missed or mis-interpreted by the FTP connection tracking helper yet
it is being accepted by my FTP server. My solution is to add the following
rule:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

BIN
STABLE/documentation/images/ProtectedBy.png Executable file
View File

Binary file not shown.