forked from extern/shorewall_code
edfbafc0cb
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@691 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
235 lines
12 KiB
HTML
235 lines
12 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
|
||
<meta http-equiv="Content-Type"
|
||
content="text/html; charset=windows-1252">
|
||
<title>Shorewall and FTP</title>
|
||
|
||
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
</head>
|
||
<body>
|
||
|
||
<table border="0" cellpadding="0" cellspacing="0"
|
||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||
<tbody>
|
||
<tr>
|
||
<td width="100%">
|
||
|
||
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
|
||
</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
|
||
<h2></h2>
|
||
|
||
<blockquote> </blockquote>
|
||
|
||
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection
|
||
goes from the FTP client to port 21 on the FTP server. This connection is
|
||
used for logon and to send commands and responses between the endpoints.
|
||
Data transfers (including the output of "ls" and "dir" commands) requires
|
||
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
|
||
that the client is operating in:<br>
|
||
</p>
|
||
|
||
<ul>
|
||
<li>Passive Mode (default for web browsers) -- The client issues a PASV
|
||
command. Upon receipt of this command, the server listens on a dynamically-allocated
|
||
port then sends a PASV reply to the client. The PASV reply gives the IP address
|
||
and port number that the server is listening on. The client then opens a
|
||
second connection to that IP address and port number.</li>
|
||
<li>Active Mode (often the default for line-mode clients) -- The client
|
||
listens on a dynamically-allocated port then sends a PORT command to the
|
||
server. The PORT command gives the IP address and port number that the client
|
||
is listening on. The server then opens a connection to that IP address and
|
||
port number; the <u>source port</u> for this connection is 20 (ftp-data in
|
||
/etc/services).</li>
|
||
|
||
</ul>
|
||
You can see these commands in action using your linux ftp command-line
|
||
client in debugging mode. Note that my ftp client defaults to passive mode
|
||
and that I can toggle between passive and active mode by issuing a "passive"
|
||
command:<br>
|
||
|
||
<blockquote>
|
||
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp> <font
|
||
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp> <font
|
||
color="#009900"><b>ls<br></b></font><b>---> PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---> LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp> <font
|
||
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp> <font
|
||
color="#009900"><b>ls<br></b></font><b>---> PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---> LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp><br></pre>
|
||
</blockquote>
|
||
Things to notice:<br>
|
||
|
||
<ol>
|
||
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
|
||
</li>
|
||
<li>Commands sent by the client to the server are preceded by <b>---></b></li>
|
||
<li>Command responses from the server over the control connection are
|
||
numbered.<br>
|
||
</li>
|
||
<li>FTP uses a comma as a separator between the bytes of the IP address;
|
||
and</li>
|
||
<li>When sending a port number, FTP sends the MSB then the LSB and separates
|
||
the two bytes by a comma. As shown in the PORT command, port 142,58 translates
|
||
to 142*256+58 = 36410.<br>
|
||
</li>
|
||
|
||
</ol>
|
||
Given the normal loc->net policy of ACCEPT, passive mode access from
|
||
local clients to remote servers will always work but active mode requires
|
||
the firewall to dynamically open a "hole" for the server's connection back
|
||
to the client. Similarly, if you are running an FTP server in your local
|
||
zone then active mode should always work but passive mode requires the firewall
|
||
to dynamically open a "hole" for the client's second connection to the server.
|
||
This is the role of FTP connection-tracking support in the Linux kernel.
|
||
|
||
<div align="left"><br>
|
||
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved,
|
||
the PORT commands and PASV responses may also need to be modified by the
|
||
firewall. This is the job of the FTP nat support kernel function.<br>
|
||
</div>
|
||
|
||
<p>Including FTP connection-tracking and NAT support normally means that the
|
||
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically
|
||
loads these "helper" modules from /lib/modules/<<i>kernel-version></i>/kernel/net/ipv4/netfilter/
|
||
and you can determine if they are loaded using the 'lsmod' command:<br>
|
||
</p>
|
||
|
||
<blockquote>
|
||
<p>Example:<br>
|
||
</p>
|
||
|
||
<blockquote>
|
||
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
|
||
</blockquote>
|
||
</blockquote>
|
||
|
||
<blockquote> </blockquote>
|
||
|
||
<p>If you want Shorewall to load these modules from an alternate directory,
|
||
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf
|
||
to point to that directory.<br>
|
||
</p>
|
||
|
||
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
|
||
/etc/shorewall/rules documentation</a>,<br>
|
||
</p>
|
||
|
||
<p>For a client, you must open outbound TCP port 21.<2E><br>
|
||
</p>
|
||
|
||
<p>The above discussion about commands and responses makes it clear that the
|
||
FTP connection-tracking and NAT helpers must scan the traffic on the control
|
||
connection looking for PASV and PORT commands as well as PASV responses. If
|
||
you run an FTP server on a nonstandard port or you need to access such
|
||
a server,<2C> you must therefore let the helpers know by specifying the port
|
||
in /etc/shorewall/modules entries for the helpers. For example, if you
|
||
run an FTP server that listens on port 49 then you would have:<br>
|
||
</p>
|
||
|
||
<blockquote>
|
||
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
|
||
loadmodule ip_nat_ftp ports=21,49<br>
|
||
</p>
|
||
</blockquote>
|
||
|
||
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
|
||
have problems accessing regular FTP servers.</p>
|
||
|
||
<p>If there is a possibility that these modules might be loaded before Shorewall
|
||
starts, then you should include the port list in /etc/modules.conf:<br>
|
||
</p>
|
||
|
||
<blockquote>
|
||
<p>options ip_conntrack_ftp ports=21,49<br>
|
||
options ip_nat_ftp ports=21,49<br>
|
||
</p>
|
||
</blockquote>
|
||
|
||
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
|
||
and/or /etc/modules.conf, you must either:<br>
|
||
</p>
|
||
|
||
<ol>
|
||
<li>Unload the modules and restart shorewall: (<b><font
|
||
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
|
||
or</li>
|
||
<li>Reboot</li>
|
||
|
||
</ol>
|
||
One problem that I see occasionally involves active mode and the FTP server
|
||
in my DMZ. I see the active data connection <u>to certain client IP addresses</u>
|
||
being continuously rejected by my firewall. It is my conjecture that there
|
||
is some broken client out there that is sending a PORT command that is being
|
||
either missed or mis-interpreted by the FTP connection tracking helper yet
|
||
it is being accepted by my FTP server. My solution is to add the following
|
||
rule:<br>
|
||
|
||
<blockquote>
|
||
<table cellpadding="2" cellspacing="0" border="1">
|
||
<tbody>
|
||
<tr>
|
||
<td valign="top"><b>ACTION<br>
|
||
</b></td>
|
||
<td valign="top"><b>SOURCE<br>
|
||
</b></td>
|
||
<td valign="top"><b>DESTINATION<br>
|
||
</b></td>
|
||
<td valign="top"><b>PROTOCOL<br>
|
||
</b></td>
|
||
<td valign="top"><b>PORT(S)<br>
|
||
</b></td>
|
||
<td valign="top"><b>SOURCE<br>
|
||
PORT(S)<br>
|
||
</b></td>
|
||
<td valign="top"><b>ORIGINAL<br>
|
||
DESTINATION<br>
|
||
</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td valign="top">ACCEPT:info<br>
|
||
</td>
|
||
<td valign="top">dmz<br>
|
||
</td>
|
||
<td valign="top">net<br>
|
||
</td>
|
||
<td valign="top">tcp<br>
|
||
</td>
|
||
<td valign="top">-<br>
|
||
</td>
|
||
<td valign="top">20<br>
|
||
</td>
|
||
<td valign="top"><br>
|
||
</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
<br>
|
||
</blockquote>
|
||
The above rule accepts and logs all active mode connections from my DMZ
|
||
to the net.<br>
|
||
|
||
<blockquote>
|
||
<p> </p>
|
||
</blockquote>
|
||
|
||
<blockquote> </blockquote>
|
||
|
||
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
|
||
href="support.htm">Tom Eastep</a></font> </p>
|
||
<a href="copyright.htm"><font size="2">Copyright</font>
|
||
<20> <font size="2">2003 Thomas M. Eastep.</font></a><br>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
</body>
|
||
</html>
|