FIAIF "breaking" WU ftp server's DIR command?

Benton Roberts email hidden
Tue Jan 7 16:31:22 CET 2003


Hello, all.

I have been using FIAIF v.1.2.1-1 on RedHat 7.3 for a while now, and have
been quite happy with it. However, I recently installed wu-ftpd (on the same
computer as FIAIF), and discovered a problem with any ftp clients in the
'EXT' zone. Specifically, they can't use the 'DIR' command to list the files
on the ftp server. The ftp clients can log in, and can 'CD' to a directory,
but when a 'DIR' request is issued, my system logs start showing dropped
packet log entries like the following:

Jan  7 10:34:16 myhostname kernel: DROP:IN=eth0 OUT=
MAC=00:90:27:de:27:0f:00:e0:1e:5d:f7:7c:08:00 SRC=68.161.91.99
DST=<my.host.ip.address> LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47731 DF
PROTO=TCP SPT=4719 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0

Here are the relevant configuration lines from my zone.ext file:

INPUT[0]="ACCEPT tcp www,https,ssh,smtp,imap,993,ftp 0.0.0.0/0=>0.0.0.0/0"
INPUT[1]="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
INPUT[2]="ACCEPT igmp ALL 0.0.0.0/0=>224.0.0.0/4"
INPUT[3]="DROP ALL ALL 0.0.0.0/0=>0.0.0.0/0"

As you can see, I added the 'ftp' entry in the first rule, so the initial
connection works, but the "high-port" (passive-mode?) traffic is being
trapped by FIAIF. I get several of these packet log messages before the
client finally reports something like: "Server response: Can't open data
connection".

If I stop FIAIF on the FTP server, all clients can connect just fine. Also,
the same error occurs whether the FTP clients are using "passive" mode or
not.

Does anyone know why this occurs and how to fix it?

Please forgive me if the answer to this question is obvious. I did search
the archives for this list before posting, but as a relative firewall
newbie, I may have missed a previous response somewhere.

Thanks in advance,
- benton
------------
Benton Roberts
benton at panix.com
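The dropped-packet line quoted above is an inbound TCP SYN from the client's unprivileged source port to an unprivileged destination port on the FTP server, which is the shape of a passive-mode data connection (the client connects to the port the server named in its PASV reply). An active-mode data connection has the opposite shape: the server itself opens an outbound connection from port 20 to a high port on the client. The script below is an added example, not part of the original post or of FIAIF; it parses kernel LOG-target lines in the key=value format shown in the post and tags each dropped SYN as a passive-mode data connection, an active-mode data connection, or unrelated traffic. The log lines inside it are constructed (addresses and ports made up in the same format as the post's), and the set of FTP client addresses it correlates against is a stand-in for whatever you would pull from the FTP server's own logs.

```python
"""Classify netfilter DROP log lines to find blocked FTP data connections.

Added example; not code from the original post or from FIAIF.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (hypothetical addresses), in the kernel LOG-target
# format the post shows.  Line 1-2: client SYNs to a high port on the server
# (passive data).  Line 3: server SYN from port 20 out to the client (active
# data).  Line 4: an unrelated inbound SYN to port 445 from another host.
SAMPLE_LOG = """\
Jan  7 10:34:16 myhostname kernel: DROP:IN=eth0 OUT= MAC=00:90:27:de:27:0f:00:e0:1e:5d:f7:7c:08:00 SRC=68.161.91.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47731 DF PROTO=TCP SPT=4719 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0
Jan  7 10:34:19 myhostname kernel: DROP:IN=eth0 OUT= MAC=00:90:27:de:27:0f:00:e0:1e:5d:f7:7c:08:00 SRC=68.161.91.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47732 DF PROTO=TCP SPT=4720 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0
Jan  7 10:35:02 myhostname kernel: DROP:IN= OUT=eth0 SRC=192.0.2.10 DST=68.161.91.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=TCP SPT=20 DPT=4721 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  7 10:36:40 myhostname kernel: DROP:IN=eth0 OUT= MAC=00:90:27:de:27:0f:00:e0:1e:5d:f7:7c:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=3345 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# "Jan  7 10:34:16 host kernel: DROP:" -> timestamp and the rule's log prefix
_HEAD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+):")
_KV = re.compile(r"(\w+)=(\S*)")


@dataclass
class DropRecord:
    ts: str
    prefix: str
    direction: str   # "in" (IN= set) or "out" (OUT= set)
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # bare upper-case tokens such as DF, SYN, ACK
    verdict: str = ""


def parse_drop_line(line: str) -> Optional[DropRecord]:
    """Parse one LOG-target line; return None if it is not one."""
    head = _HEAD.match(line)
    if not head:
        return None
    kv = dict(_KV.findall(line))
    # Tokens with no '=' and all upper-case are TCP/IP flags (DF, SYN, ...).
    flags = frozenset(t for t in line.split() if "=" not in t and t.isupper())
    return DropRecord(
        ts=head.group(1),
        prefix=head.group(2),
        direction="in" if kv.get("IN") else "out",
        proto=kv.get("PROTO", ""),
        src=kv.get("SRC", ""),
        dst=kv.get("DST", ""),
        sport=int(kv.get("SPT", 0)),
        dport=int(kv.get("DPT", 0)),
        flags=flags,
    )


def classify(rec: DropRecord, ftp_clients: set) -> str:
    """Tag a dropped SYN by FTP data-connection shape.

    ftp_clients is the set of peer addresses that hold (or just held) an FTP
    control session; in practice you would take it from the FTP server's logs.
    """
    if rec.proto != "TCP" or "SYN" not in rec.flags:
        return "unrelated"
    # Passive mode: client -> server, destination is an unprivileged port.
    if rec.direction == "in" and rec.src in ftp_clients and rec.dport >= 1024:
        return "passive-data"
    # Active mode: server port 20 -> client high port, outbound.
    if rec.direction == "out" and rec.sport == 20 and rec.dst in ftp_clients:
        return "active-data"
    return "unrelated"


def summarize(log_text: str, ftp_clients: set) -> list:
    """Parse every DROP line in log_text and attach a verdict to each."""
    out = []
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is None or rec.prefix != "DROP":
            continue
        rec.verdict = classify(rec, ftp_clients)
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG, {"68.161.91.99"}):
        print(f"{r.ts} {r.direction:3} {r.src}:{r.sport} -> {r.dst}:{r.dport} {r.verdict}")
```

Run against a real /var/log/messages, it separates the FTP data-connection drops from everything else the DROP rule catches, so you can see whether the failures are the passive shape (inbound SYN to a high port), the active shape (outbound SYN from port 20), or both, as the post reports. On a netfilter firewall the usual remedy for either shape is the FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels), which watches the control channel on port 21 and marks the resulting data connection as RELATED so that a rule accepting RELATED,ESTABLISHED traffic lets it through without opening the whole high-port range; how that is expressed in a FIAIF zone file is not something this post shows.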



