mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-18 11:38:14 +01:00
dbfc838988
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@789 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
206 lines
10 KiB
HTML
206 lines
10 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
<meta http-equiv="Content-Type"
|
||
content="text/html; charset=windows-1252">
|
||
<title>Shorewall and FTP</title>
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
</head>
|
||
<body>
|
||
<h2></h2>
|
||
<blockquote> </blockquote>
|
||
<h1 style="text-align: center;">Shorewall and FTP<br>
|
||
</h1>
|
||
<p>FTP transfers involve two TCP connections. The first <u>control</u>
|
||
connection goes from the FTP client to port 21 on the FTP server. This
|
||
connection is used for logon and to send commands and responses between
|
||
the endpoints. Data transfers (including the output of "ls" and "dir"
|
||
commands) requires a second <u>data</u> connection. The data
|
||
connection is dependent on the <u>mode</u>
|
||
that the client is operating in:<br>
|
||
</p>
|
||
<ul>
|
||
<li>Passive Mode (default for web browsers) -- The client issues a
|
||
PASV command. Upon receipt of this command, the server listens on a
|
||
dynamically-allocated port then sends a PASV reply to the client. The
|
||
PASV reply gives the IP address
|
||
and port number that the server is listening on. The client then opens
|
||
a
|
||
second connection to that IP address and port number.</li>
|
||
<li>Active Mode (often the default for line-mode clients) -- The
|
||
client listens on a dynamically-allocated port then sends a PORT
|
||
command to the server. The PORT command gives the IP address and port
|
||
number that the client is listening on. The server then opens a
|
||
connection to that IP address and port number; the <u>source port</u>
|
||
for this connection is 20 (ftp-data in /etc/services).</li>
|
||
</ul>
|
||
You can see these commands in action using your linux ftp command-line
|
||
client in debugging mode. Note that my ftp client defaults to passive
|
||
mode and that I can toggle between passive and active mode by issuing a
|
||
"passive" command:<br>
|
||
<blockquote>
|
||
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp> <font
|
||
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp> <font
|
||
color="#009900"><b>ls<br></b></font><b>---> PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---> LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp> <font
|
||
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp> <font
|
||
color="#009900"><b>ls<br></b></font><b>---> PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---> LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp><br></pre>
|
||
</blockquote>
|
||
Things to notice:<br>
|
||
<ol>
|
||
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
|
||
</li>
|
||
<li>Commands sent by the client to the server are preceded by <b>---></b></li>
|
||
<li>Command responses from the server over the control connection are
|
||
numbered.<br>
|
||
</li>
|
||
<li>FTP uses a comma as a separator between the bytes of the IP
|
||
address; and</li>
|
||
<li>When sending a port number, FTP sends the MSB then the LSB and
|
||
separates the two bytes by a comma. As shown in the PORT command, port
|
||
142,58 translates
|
||
to 142*256+58 = 36410.<br>
|
||
</li>
|
||
</ol>
|
||
Given the normal loc->net policy of ACCEPT, passive mode access from
|
||
local clients to remote servers will always work but active mode
|
||
requires the firewall to dynamically open a "hole" for the server's
|
||
connection back to the client. Similarly, if you are running an FTP
|
||
server in your local
|
||
zone then active mode should always work but passive mode requires the
|
||
firewall to dynamically open a "hole" for the client's second
|
||
connection to the server. This is the role of FTP connection-tracking
|
||
support in the Linux kernel.
|
||
<div align="left"><br>
|
||
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
|
||
involved, the PORT commands and PASV responses may also need to be
|
||
modified by the firewall. This is the job of the FTP nat support kernel
|
||
function.<br>
|
||
</div>
|
||
<p>Including FTP connection-tracking and NAT support normally means
|
||
that the
|
||
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
|
||
Shorewall automatically
|
||
loads these "helper" modules from /lib/modules/<<i>kernel-version></i>/kernel/net/ipv4/netfilter/
|
||
and you can determine if they are loaded using the 'lsmod' command:<br>
|
||
</p>
|
||
<blockquote>
|
||
<p>Example:<br>
|
||
</p>
|
||
<blockquote>
|
||
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
|
||
</blockquote>
|
||
</blockquote>
|
||
<blockquote> </blockquote>
|
||
<p>If you want Shorewall to load these modules from an alternate
|
||
directory, you need to set the MODULESDIR variable in
|
||
/etc/shorewall/shorewall.conf to point to that directory.<br>
|
||
</p>
|
||
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
|
||
/etc/shorewall/rules documentation</a>,<br>
|
||
</p>
|
||
<p>For a client, you must open outbound TCP port 21. <br>
|
||
</p>
|
||
<p>The above discussion about commands and responses makes it clear
|
||
that the
|
||
FTP connection-tracking and NAT helpers must scan the traffic on the
|
||
control
|
||
connection looking for PASV and PORT commands as well as PASV
|
||
responses. If
|
||
you run an FTP server on a nonstandard port or you need to access such
|
||
a server, you must therefore let the helpers know by specifying
|
||
the port
|
||
in /etc/shorewall/modules entries for the helpers. <span
|
||
style="font-weight: bold;">For example, if you
|
||
run an FTP server that listens on port 49 or you need to access a
|
||
server on the internet that listens on that port then you would have:</span><br>
|
||
</p>
|
||
<blockquote>
|
||
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
|
||
loadmodule ip_nat_ftp ports=21,49<br>
|
||
</p>
|
||
</blockquote>
|
||
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
|
||
may have problems accessing regular FTP servers.</p>
|
||
<p>If there is a possibility that these modules might be loaded before
|
||
Shorewall starts, then you should include the port list in
|
||
/etc/modules.conf:<br>
|
||
</p>
|
||
<blockquote>
|
||
<p>options ip_conntrack_ftp ports=21,49<br>
|
||
options ip_nat_ftp ports=21,49<br>
|
||
</p>
|
||
</blockquote>
|
||
<p><b>IMPORTANT: </b>Once you have made these changes to
|
||
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
|
||
</p>
|
||
<ol>
|
||
<li>Unload the modules and restart shorewall: (<b><font
|
||
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
|
||
restart</font></b>); or</li>
|
||
<li>Reboot</li>
|
||
</ol>
|
||
One problem that I see occasionally involves active mode and the FTP
|
||
server in my DMZ. I see the active data connection <u>to certain
|
||
client IP addresses</u> being continuously rejected by my firewall. It
|
||
is my conjecture that there is some broken client out there that is
|
||
sending a PORT command that is being either missed or mis-interpreted
|
||
by the FTP connection tracking helper yet it is being accepted by my
|
||
FTP server. My solution is to add the following rule:<br>
|
||
<blockquote>
|
||
<table cellpadding="2" cellspacing="0" border="1">
|
||
<tbody>
|
||
<tr>
|
||
<td valign="top"><b>ACTION<br>
|
||
</b></td>
|
||
<td valign="top"><b>SOURCE<br>
|
||
</b></td>
|
||
<td valign="top"><b>DESTINATION<br>
|
||
</b></td>
|
||
<td valign="top"><b>PROTOCOL<br>
|
||
</b></td>
|
||
<td valign="top"><b>PORT(S)<br>
|
||
</b></td>
|
||
<td valign="top"><b>SOURCE<br>
|
||
PORT(S)<br>
|
||
</b></td>
|
||
<td valign="top"><b>ORIGINAL<br>
|
||
DESTINATION<br>
|
||
</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td valign="top">ACCEPT:info<br>
|
||
</td>
|
||
<td valign="top">dmz<br>
|
||
</td>
|
||
<td valign="top">net<br>
|
||
</td>
|
||
<td valign="top">tcp<br>
|
||
</td>
|
||
<td valign="top">-<br>
|
||
</td>
|
||
<td valign="top">20<br>
|
||
</td>
|
||
<td valign="top"><br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<br>
|
||
</blockquote>
|
||
The above rule accepts and logs all active mode connections from my DMZ
|
||
to the net.<br>
|
||
<blockquote>
|
||
<p> </p>
|
||
</blockquote>
|
||
<blockquote> </blockquote>
|
||
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
|
||
href="support.htm">Tom Eastep</a></font> </p>
|
||
<a href="copyright.htm"><font size="2">Copyright</font> <20> <font
|
||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
</body>
|
||
</html>
|