From 94f2f5aaab776fdf75e3f713237964a2f7148474 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Feb 2016 16:27:46 -0800 Subject: [PATCH] Update the FTP article for 5.0 Signed-off-by: Tom Eastep --- docs/FTP.xml | 45 ++++++++++++++++++--------------------------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/docs/FTP.xml b/docs/FTP.xml index e5aabdf35..8cd8ae9b9 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -345,23 +345,22 @@ xt_tcpudp 3328 0 HELPER rules allow specification of a helper for connections that are ACCEPTed by the applicable policy. - Example (loc->net policy is ACCEPT) - In + Example (loc->net policy is ACCEPT) - In /etc/shorewall/rules: #ACTION SOURCE DEST FTP(HELPER) loc - - or equivalently + or equivalently - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT HELPER loc - tcp 21 { helper=ftp } - The set of enabled helpers (either by AUTOHELPERS=Yes or by the + The set of enabled helpers (either by AUTOHELPERS=Yes or by the HELPERS column) can be taylored using the new HELPERS option in - shorewall.conf. + shorewall.conf. @@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp } /etc/shorewall[6]/conntrack file. These rules are included conditionally based in the setting of AUTOHELPERS. - Example: + Example: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH -# PORT(S) PORT(S) GROUP + #ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH ?if $AUTOHELPERS && __CT_TARGET ?if __FTP_HELPER CT:helper:ftp all - tcp 21 @@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21 ... ?endif - __FTP_HELPER evaluates to false if the HELPERS setting is non-empty + __FTP_HELPER evaluates to false if the HELPERS setting is non-empty and 'ftp' is not listed in that setting. For example, if you only need FTP access from your 'loc' zone, then add this rule outside of the outer-most ?if....?endif shown above. - #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH -# PORT(S) PORT(S) GROUP + #ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH ... CT:helper:ftp loc - tcp 21 - For an overview of Netfilter Helpers and Shorewall's support for + For an overview of Netfilter Helpers and Shorewall's support for dealing with them, see http://www.shorewall.net/Helpers.html. See https://home.regit.org/netfilter-en/secure-use-of-helpers/ - for additional information. + for additional information.
@@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21/etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the That entry will accept ftp connections on port 12345 from the net @@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft /etc/shorewall/conntrack: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH -# PORT(S) PORT(S) GROUP + #ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH ... CT:helper:ftp loc - tcp 12345 @@ -531,8 +526,7 @@ options nf_nat_ftp Otherwise, for FTP you need exactly one rule: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST ACCEPT or <source> <destination> tcp 21 - <external IP addr> if DNAT ACTION = DNAT @@ -558,15 +552,13 @@ DNAT ACTION = Suppose that you run an FTP server on 192.168.1.5 in your local zone using the standard port (21). You need this rule: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST FTP(DNAT) net loc:192.168.1.5 Allow your DMZ FTP access to the Internet - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION -FTP(ACCEPT) dmz net + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST +FTP(ACCEPT) dmz net Note that the FTP connection tracking in the kernel cannot handle @@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1I see this problem occasionally with the FTP server in my DMZ. My solution is to add the following rule: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST ACCEPT:info dmz net tcp - 20 The above rule accepts and logs all active mode connections from my