Update the FTP article for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-17 16:27:46 -08:00
parent a959c4a3bb
commit 94f2f5aaab


@ -353,8 +353,7 @@ FTP(HELPER) loc - </programlisting>
<para>or equivalently</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
HELPER loc - tcp 21 { helper=ftp }</programlisting>
</listitem>
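Review bot: collapsing the two-line header into the single `#ACTION SOURCE DEST PROTO DPORT` line changes the column spacing, so the new header has to be re-aligned with the rule beneath it (`HELPER loc - tcp 21 { helper=ftp }`); the rendered view collapses whitespace, so that alignment cannot be confirmed from this page and should be checked in the raw file. The name itself is right for 5.0, where DEST PORT(S) became DPORT.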
@ -391,8 +390,7 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
<para>Example:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
?if $AUTOHELPERS &amp;&amp; __CT_TARGET
?if __FTP_HELPER
CT:helper:ftp all - tcp 21
@ -405,8 +403,7 @@ CT:helper:ftp all - tcp 21
access from your 'loc' zone, then add this rule outside of the outer-most
?if....?endif shown above.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
...
CT:helper:ftp loc - tcp 21</programlisting>
@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net
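Review bot: the unchanged rule line under the new header still carries a stray `the` fused to the closing tag (`... { helper=ftp }the</programlisting>`), which renders as part of the rule; since this listing is being edited anyway, drop the stray word so the example reads `DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }`.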
@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
<para><filename>/etc/shorewall/conntrack:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
...
CT:helper:ftp loc - tcp 12345</programlisting>
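Review bot: the SOURCE column of this conntrack rule (`CT:helper:ftp loc - tcp 12345`) does not match the scenario set up two hunks earlier, where the DNAT rule accepts connections arriving from `net` on port 12345 and the prose says the same; a helper rule keyed on `loc` as the source would not see that inbound connection. Confirm whether `net` was intended here and, if `loc` is deliberate, say why in the surrounding text.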
@ -531,8 +526,7 @@ options nf_nat_ftp</programlisting>
<para>Otherwise, for FTP you need exactly <emphasis
role="bold">one</emphasis> rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
ACCEPT or &lt;<emphasis>source</emphasis>&gt; &lt;<emphasis>destination</emphasis>&gt; tcp 21 - &lt;external IP addr&gt; if
DNAT ACTION = DNAT</programlisting>
@ -558,14 +552,12 @@ DNAT ACTION =
<para>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
FTP(ACCEPT) dmz net</programlisting>
</example></para>
@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
<para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my
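Review bot: with the header now reading `DPORT SPORT`, the rule `ACCEPT:info dmz net tcp - 20` visibly matches on source port 20 only, with any destination port; the prose calls this "all active mode connections", but the match trusts the DMZ host's choice of source port, and any process on that host that binds port 20 gets an accepted and logged connection to the net. Worth a one-line caveat next to the example, since the listing is being touched here.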