Update the FTP article for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-17 16:27:46 -08:00
parent a959c4a3bb
commit 94f2f5aaab


@ -345,23 +345,22 @@ xt_tcpudp 3328 0
HELPER rules allow specification of a helper for connections that are HELPER rules allow specification of a helper for connections that are
ACCEPTed by the applicable policy.</para> ACCEPTed by the applicable policy.</para>
<para> Example (loc-&gt;net policy is ACCEPT) - In <para>Example (loc-&gt;net policy is ACCEPT) - In
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST <programlisting>#ACTION SOURCE DEST
FTP(HELPER) loc - </programlisting> FTP(HELPER) loc - </programlisting>
<para>or equivalently </para> <para>or equivalently</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
HELPER loc - tcp 21 { helper=ftp }</programlisting> HELPER loc - tcp 21 { helper=ftp }</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the <para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
HELPERS column) can be taylored using the new HELPERS option in HELPERS column) can be taylored using the new HELPERS option in
shorewall.conf. </para> shorewall.conf.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
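Review bot: "taylored" in the last listitem of this hunk ("HELPERS column) can be taylored using the new HELPERS option") is a spelling error that the rewrite carries over unchanged; since that line is already touched for whitespace, fix it to "tailored" in the same commit. The column rename from "DEST PORT(S)" to "DPORT" in both programlistings matches the 5.0 header style used in the rest of the patch.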
@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
/etc/shorewall[6]/conntrack file. These rules are included conditionally /etc/shorewall[6]/conntrack file. These rules are included conditionally
based in the setting of AUTOHELPERS.</para> based in the setting of AUTOHELPERS.</para>
<para> Example:</para> <para>Example:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
?if $AUTOHELPERS &amp;&amp; __CT_TARGET ?if $AUTOHELPERS &amp;&amp; __CT_TARGET
?if __FTP_HELPER ?if __FTP_HELPER
CT:helper:ftp all - tcp 21 CT:helper:ftp all - tcp 21
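Review bot: "These rules are included conditionally based in the setting of AUTOHELPERS" in the first context line should read "based on the setting of AUTOHELPERS"; it is a one-word fix in a paragraph this hunk already edits. The collapsed header "DPORT SPORT USER SWITCH" is consistent with the other conntrack listings in the patch.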
@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21
... ...
?endif</programlisting> ?endif</programlisting>
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty <para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
and 'ftp' is not listed in that setting. For example, if you only need FTP and 'ftp' is not listed in that setting. For example, if you only need FTP
access from your 'loc' zone, then add this rule outside of the outer-most access from your 'loc' zone, then add this rule outside of the outer-most
?if....?endif shown above.</para> ?if....?endif shown above.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
... ...
CT:helper:ftp loc - tcp 21</programlisting> CT:helper:ftp loc - tcp 21</programlisting>
<para> For an overview of Netfilter Helpers and Shorewall's support for <para>For an overview of Netfilter Helpers and Shorewall's support for
dealing with them, see <ulink dealing with them, see <ulink
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para> url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
<para>See <ulink <para>See <ulink
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink> url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
for additional information. </para> for additional information.</para>
</section> </section>
<section id="Ports"> <section id="Ports">
@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para> <para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting> DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net <para>That entry will accept ftp connections on port 12345 from the net
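Review bot: the DNAT programlisting still ends with a stray "the" directly after "{ helper=ftp }" and before "</programlisting>", in both the old and new text; rendered, it appears as part of the rule line and a reader copying the example would get an invalid trailing token. Drop it so the line ends at "{ helper=ftp }".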
@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
<para><filename>/etc/shorewall/conntrack:</filename></para> <para><filename>/etc/shorewall/conntrack:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
# PORT(S) PORT(S) GROUP
... ...
CT:helper:ftp loc - tcp 12345</programlisting> CT:helper:ftp loc - tcp 12345</programlisting>
@ -531,8 +526,7 @@ options nf_nat_ftp</programlisting>
<para>Otherwise, for FTP you need exactly <emphasis <para>Otherwise, for FTP you need exactly <emphasis
role="bold">one</emphasis> rule:</para> role="bold">one</emphasis> rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if
DNAT ACTION = DNAT</programlisting> DNAT ACTION = DNAT</programlisting>
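Review bot: with the header reduced to the single line "DPORT SPORT ORIGDEST", the annotations "or DNAT" and "if ACTION = DNAT" still wrap onto a second line inside the programlisting, where they render as a second rule row rather than as commentary on the first. Consider moving "ACCEPT (or DNAT if ACTION = DNAT)" into the preceding para and leaving a single clean rule line in the listing.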
@ -558,15 +552,13 @@ DNAT ACTION =
<para>Suppose that you run an FTP server on 192.168.1.5 in your local <para>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</para> zone using the standard port (21). You need this rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
FTP(DNAT) net loc:192.168.1.5</programlisting> FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4"> </example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title> <title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION FTP(ACCEPT) dmz net</programlisting>
FTP(ACCEPT) dmz net</programlisting>
</example></para> </example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle <para>Note that the FTP connection tracking in the kernel cannot handle
@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
<para>I see this problem occasionally with the FTP server in my DMZ. My <para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para> solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</programlisting> ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my <para>The above rule accepts and logs all active mode connections from my
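Review bot: the rule "ACCEPT:info dmz net tcp - 20" matches only on source port 20 (DPORT is "-"), so it accepts any new TCP connection from the DMZ to the net that happens to originate from port 20, not just FTP active-mode data connections that the helper failed to track; the explanatory para that follows should state that limitation explicitly, and it is worth noting that the ":info" log level is what lets the administrator see which connections hit this rule.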