forked from extern/shorewall_code
Content moved to FTP.xml
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@854 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
03b1f6872a
commit
74de3e775f
@ -1,243 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall and FTP</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h2></h2>
|
||||
<blockquote> </blockquote>
|
||||
<h1 style="text-align: center;">Shorewall and FTP<br>
|
||||
</h1>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p><span style="font-weight: bold;">NOTICE: </span>If you are running
|
||||
Mandrake 9.1 or 9.2 and are having problems with FTP, you have three
|
||||
choices:</p>
|
||||
<ol>
|
||||
<li>Edit /usr/share/shorewall/firewall and replace this line:<br>
|
||||
<br>
|
||||
<tt>for suffix in o gz ko ; do<br>
|
||||
</tt><br>
|
||||
with<br>
|
||||
<br>
|
||||
<tt>for suffix in o gz ko <span
|
||||
style="font-weight: bold;">o.gz </span>; do<br>
|
||||
<br>
|
||||
</tt>and at a root shell prompt:<br>
|
||||
<br>
|
||||
<tt> <span style="font-weight: bold; color: rgb(0, 153, 0);">shorewall
|
||||
restart</span><br style="font-weight: bold; color: rgb(0, 153, 0);">
|
||||
<br>
|
||||
</tt></li>
|
||||
<li>Install the Mandrake "cooker" version of Shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Upgrade to Shorewall 1.4.7 or later.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p>FTP transfers involve two TCP connections. The first <u>control</u>
|
||||
connection goes from the FTP client to port 21 on the FTP server. This
|
||||
connection is used for logon and to send commands and responses between
|
||||
the endpoints. Data transfers (including the output of "ls" and "dir"
|
||||
commands) requires a second <u>data</u> connection. The data
|
||||
connection is dependent on the <u>mode</u>
|
||||
that the client is operating in:<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>Passive Mode (often the default for web browsers) -- The client
|
||||
issues a
|
||||
PASV command. Upon receipt of this command, the server listens on a
|
||||
dynamically-allocated port then sends a PASV reply to the client. The
|
||||
PASV reply gives the IP address
|
||||
and port number that the server is listening on. The client then opens
|
||||
a
|
||||
second connection to that IP address and port number.</li>
|
||||
<li>Active Mode (often the default for line-mode clients) -- The
|
||||
client listens on a dynamically-allocated port then sends a PORT
|
||||
command to the server. The PORT command gives the IP address and port
|
||||
number that the client is listening on. The server then opens a
|
||||
connection to that IP address and port number; the <u>source port</u>
|
||||
for this connection is 20 (ftp-data in /etc/services).</li>
|
||||
</ul>
|
||||
You can see these commands in action using your linux ftp command-line
|
||||
client in debugging mode. Note that my ftp client defaults to passive
|
||||
mode and that I can toggle between passive and active mode by issuing a
|
||||
"passive" command:<br>
|
||||
<blockquote>
|
||||
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp> <font
|
||||
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp> <font
|
||||
color="#009900"><b>ls<br></b></font><b>---> PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---> LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp> <font
|
||||
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp> <font
|
||||
color="#009900"><b>ls<br></b></font><b>---> PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---> LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp><br></pre>
|
||||
</blockquote>
|
||||
Things to notice:<br>
|
||||
<ol>
|
||||
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
|
||||
</li>
|
||||
<li>Commands sent by the client to the server are preceded by <b>---></b></li>
|
||||
<li>Command responses from the server over the control connection are
|
||||
numbered.<br>
|
||||
</li>
|
||||
<li>FTP uses a comma as a separator between the bytes of the IP
|
||||
address; and</li>
|
||||
<li>When sending a port number, FTP sends the MSB then the LSB and
|
||||
separates the two bytes by a comma. As shown in the PORT command, port
|
||||
142,58 translates
|
||||
to 142*256+58 = 36410.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Given the normal loc->net policy of ACCEPT, passive mode access from
|
||||
local clients to remote servers will always work but active mode
|
||||
requires the firewall to dynamically open a "hole" for the server's
|
||||
connection back to the client. Similarly, if you are running an FTP
|
||||
server in your local
|
||||
zone then active mode should always work but passive mode requires the
|
||||
firewall to dynamically open a "hole" for the client's second
|
||||
connection to the server. This is the role of FTP connection-tracking
|
||||
support in the Linux kernel.
|
||||
<div align="left"><br>
|
||||
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
|
||||
involved, the PORT commands and PASV responses may also need to be
|
||||
modified by the firewall. This is the job of the FTP nat support kernel
|
||||
function.<br>
|
||||
</div>
|
||||
<p>Including FTP connection-tracking and NAT support normally means
|
||||
that the
|
||||
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
|
||||
Shorewall automatically
|
||||
loads these "helper" modules from /lib/modules/<<i>kernel-version></i>/kernel/net/ipv4/netfilter/
|
||||
and you can determine if they are loaded using the 'lsmod' command. The
|
||||
<<span style="font-style: italic;">kernel-version</span>> may be
|
||||
obtained by typing<br>
|
||||
</p>
|
||||
<pre> <span style="color: rgb(0, 153, 0);"><span
|
||||
style="font-weight: bold;">uname -r</span></span>
|
||||
|
||||
Example:<br></pre>
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc<br> ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp<br> ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state<br> ipt_multiport ipt_conntrack iptable_filter<br> iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p>If you want Shorewall to load these modules from an alternate
|
||||
directory, you need to set the MODULESDIR variable in
|
||||
/etc/shorewall/shorewall.conf to point to that directory.<br>
|
||||
</p>
|
||||
<p>If your FTP helper modules are compressed and have the names <span
|
||||
style="font-style: italic;">ip_nat_ftp.o.gz </span>and <span
|
||||
style="font-style: italic;">ip_conntrack_ftp.o.gz</span> then you will
|
||||
need Shorewall 1.4.7 or later if you want Shorewall to load them for
|
||||
you.<br>
|
||||
</p>
|
||||
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
|
||||
/etc/shorewall/rules documentation</a>,<br>
|
||||
</p>
|
||||
<p>For a client, you must open outbound TCP port 21. <br>
|
||||
</p>
|
||||
<p>The above discussion about commands and responses makes it clear
|
||||
that the
|
||||
FTP connection-tracking and NAT helpers must scan the traffic on the
|
||||
control
|
||||
connection looking for PASV and PORT commands as well as PASV
|
||||
responses. If
|
||||
you run an FTP server on a nonstandard port or you need to access such
|
||||
a server, you must therefore let the helpers know by specifying
|
||||
the port
|
||||
in /etc/shorewall/modules entries for the helpers. <span
|
||||
style="font-weight: bold;">For example, if you
|
||||
run an FTP server that listens on port 49 or you need to access a
|
||||
server on the internet that listens on that port then you would have:</span><br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
|
||||
loadmodule ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
|
||||
may have problems accessing regular FTP servers.</p>
|
||||
<p>If there is a possibility that these modules might be loaded before
|
||||
Shorewall starts, then you should include the port list in
|
||||
/etc/modules.conf:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>options ip_conntrack_ftp ports=21,49<br>
|
||||
options ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p><b>IMPORTANT: </b>Once you have made these changes to
|
||||
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Unload the modules and restart shorewall: (<b><font
|
||||
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
|
||||
restart</font></b>); or</li>
|
||||
<li>Reboot</li>
|
||||
</ol>
|
||||
One problem that I see occasionally involves active mode and the FTP
|
||||
server in my DMZ. I see the active data connection <u>to certain
|
||||
client IP addresses</u> being continuously rejected by my firewall. It
|
||||
is my conjecture that there is some broken client out there that is
|
||||
sending a PORT command that is being either missed or mis-interpreted
|
||||
by the FTP connection tracking helper yet it is being accepted by my
|
||||
FTP server. My solution is to add the following rule:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL<br>
|
||||
DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT:info<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">20<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
The above rule accepts and logs all active mode connections from my DMZ
|
||||
to the net.<br>
|
||||
<blockquote>
|
||||
<p> </p>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="2">Last updated 12/01/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
Loading…
Reference in New Issue
Block a user