FIAIF "breaking" WU ftp server's DIR command?

Jason Jorgensen email hidden
Tue Jan 7 16:38:14 CET 2003


I believe ftp uses 2 ports. You have to specify ftp-data (port 20) in 
your FIAIF rules as well, unless you use passive ftp which only uses 1 
port.

But you say they try passive mode and that fails too. I find that odd. I 
would try adding ftp-data (or port 20) first.


Benton Roberts wrote:

>Hello, all.
>
>I have been using FIAIF v.1.2.1-1 on RedHat 7.3 for awhile now, and have
>been quite happy with it. However, I recently installed wu-ftpd (on the same
>computer as FIAIF), and discovered a problem with any ftp clients in the
>'EXT' zone. Specifically, they can't use the 'DIR' command to list the files
>on the ftp server. The ftp clients can log in, and can 'CD' to a directory,
>but when a 'DIR' request is issued, my system logs start showing dropped
>packet log entries like the following:
>
>Jan  7 10:34:16 myhostname kernel: DROP:IN=eth0 OUT=
>MAC=00:90:27:de:27:0f:00:e0:1e:5d:f7:7c:08:00 SRC=68.161.91.99
>DST=<my.host.ip.address> LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47731 DF
>PROTO=TCP SPT=4719 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0
>
>Here are the relevant configuration lines from my zone.ext file:
>
>INPUT[0]="ACCEPT tcp www,https,ssh,smtp,imap,993,ftp 0.0.0.0/0=>0.0.0.0/0"
>INPUT[1]="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
>INPUT[2]="ACCEPT igmp ALL 0.0.0.0/0=>224.0.0.0/4"
>INPUT[3]="DROP ALL ALL 0.0.0.0/0=>0.0.0.0/0"
>
>As you can see, I added the 'ftp' entry in the first rule, so the initial
>connection works, but the "high-port" (passive-mode?) traffic is being
>trapped by FIAIF. I get several of these packet log messages before the
>client finally reports something like: "Server response: Can't open data
>connection".
>
>If I stop FIAIF on the FTP server, all clients can connect just fine. Also,
>the same error occurs whether the FTP clients are using "passive" mode or
>not.
>
>Does anyone know why this occurs and how to fix it?
>
>Please forgive me if the answer to this question is obvious. I did search
>the archives for this list before posting, but as a relative firewall
>newbie, I may have missed a previous response somewhere.
>
>Thanks in advance,
>- benton
>------------
>Benton Roberts
>benton at panix.com
>
>_______________________________________________
>Fiaif mailing list
>Fiaif at fugmann.dhs.org
>https://fiaif.fugmann.dhs.org/mailman/listinfo/fiaif
>
>  
>
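The two-port behaviour discussed above is the whole problem: in passive mode the client opens a second connection to a high port that the server announces in its 227 reply, so a rule set that only admits port 21 drops that SYN, and the kernel log line in the post is exactly that dropped SYN. The following script is an added example (not code from the thread, FIAIF or wu-ftpd) that parses such a netfilter DROP line, decodes a PASV reply into the port it advertises, and labels which leg of an FTP session a dropped packet belongs to. The log line and addresses are constructed for this example (192.0.2.0/24 is a documentation range); the function names are assumptions.

```python
import re

# Constructed netfilter DROP line in the same layout as the one quoted in the
# post; addresses are made up (192.0.2.99 = ftp client, 192.0.2.10 = server).
SAMPLE_DROP = ("Jan  7 10:34:16 myhostname kernel: DROP:IN=eth0 OUT= "
               "MAC=00:90:27:de:27:0f:00:e0:1e:5d:f7:7c:08:00 SRC=192.0.2.99 "
               "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47731 DF "
               "PROTO=TCP SPT=4719 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0")

FTP_CONTROL = 21   # control connection, opened by the client
FTP_DATA = 20      # active-mode data connection, opened by the server


def parse_drop_line(line):
    """Turn a netfilter 'DROP:' log line into a dict of KEY=VALUE fields.
    Bare flags such as SYN, ACK or DF are stored with the value True."""
    if "DROP:" not in line:
        raise ValueError("not a DROP log line")
    fields = {}
    for tok in line.split("DROP:", 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).
    The data port the client is told to connect to is p1*256 + p2."""
    match = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not match:
        raise ValueError("not a PASV reply")
    nums = [int(x) for x in match.groups()]
    host = ".".join(str(x) for x in nums[:4])
    return host, nums[4] * 256 + nums[5]


def classify_ftp_drop(fields, server_ip):
    """Label which FTP leg a dropped packet (seen on the server's INPUT
    chain) belongs to, given the server's own address."""
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    inbound = fields.get("DST") == server_ip
    pure_syn = bool(fields.get("SYN")) and not fields.get("ACK")
    if inbound and dpt == FTP_CONTROL:
        return "control-connection"
    if inbound and pure_syn and dpt > 1023:
        # Passive mode: the client opens a fresh connection to the high port
        # announced in the 227 reply; a rule set that only admits port 21
        # inbound drops exactly this SYN and the client reports
        # "Can't open data connection".
        return "passive-data-to-server"
    if inbound and dpt == FTP_DATA and spt > 1023:
        # Active mode: the server connected out from port 20; what arrives
        # here is the client's reply traffic back to port 20.
        return "active-data-reply"
    return "unrelated"


if __name__ == "__main__":
    fields = parse_drop_line(SAMPLE_DROP)
    print(classify_ftp_drop(fields, "192.0.2.10"))
    # Constructed 227 reply advertising the same port as the dropped SYN above.
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,174,65)"))
```

Run against the sample line the script reports `passive-data-to-server`, and the constructed 227 reply decodes to port 44609, the DPT in the dropped packet. Opening port 20 covers the active-mode case only; for passive mode the server's advertised high ports have to be reachable, either by admitting the (configurable) passive port range the daemon uses or by letting the firewall track FTP control sessions and open the data port dynamically. That last point is general netfilter practice, not something the thread itself states.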




