FIAIF "breaking" WU ftp server's DIR command?
Tue Jan 7 16:38:14 CET 2003
I believe ftp uses 2 ports. You have to specify ftp-data (port 20) in
your FIAIF rules as well, unless you use passive ftp which only uses 1
But you say they try passive mode and that fails too. I find that odd. I
would try adding ftp-data (or port 20) first.
Benton Roberts wrote:
>I have been using FIAIF v.1.2.1-1 on RedHat 7.3 for awhile now, and have
>been quite happy with it. However, I recently installed wu-ftpd (on the same
>computer as FIAIF), and discovered a problem with any ftp clients in the
>'EXT' zone. Specifically, they can't use the 'DIR' command to list the files
>on the ftp server. The ftp clients can log in, and can 'CD' to a directory,
>but when a 'DIR' request is issued, my system logs start showing dropped
>packet log entries like the following:
>Jan 7 10:34:16 myhostname kernel: DROP:IN=eth0 OUT=
>DST=<my.host.ip.address> LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47731 DF
>PROTO=TCP SPT=4719 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0
>Here are the relevant configuration lines from my zone.ext file:
>INPUT="ACCEPT tcp www,https,ssh,smtp,imap,993,ftp 0.0.0.0/0=>0.0.0.0/0"
>INPUT="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
>INPUT="ACCEPT igmp ALL 0.0.0.0/0=>220.127.116.11/4"
>INPUT="DROP ALL ALL 0.0.0.0/0=>0.0.0.0/0"
>As you can see, I added the 'ftp' entry in the first rule, so the initial
>connection works, but the "high-port" (passive-mode?) traffic is being
>trapped by FIAIF. I get several of these packet log messages before the
>client finally reports something like: "Server response: Can't open data
>If I stop FIAIF on the FTP server, all clients can connect just fine. Also,
>the same error occurs whether the FTP clients are using "passive" mode or
>Does anyone know why this occurs and how to fix it?
>Please forgive me if the answer to this question is obvious. I did search
>the archives for this list before posting, but as a relative firewall
>newbie, I may have missed a previous response somewhere.
>Thanks in advance,
>benton at panix.com
>Fiaif mailing list
>Fiaif at fugmann.dhs.org
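The dropped packet in the quoted log is an inbound SYN from the client's port 4719 to port 44609 on the FTP server, i.e. the data connection of a passive-mode transfer, while active mode shows up as a SYN arriving from the remote server's port 20. The following Python example is added here and is not from the thread: it parses a netfilter LOG line of that shape and tells the control channel, an active-mode data connection and a passive-mode data connection apart. The SRC address and the second sample line are constructed, since the post does not show them.

```python
import re
from typing import Any, Dict

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20  # source port of an active-mode data connection opened by a server

# Constructed sample lines. The first reproduces the dropped packet from the
# post (its SRC field is not on the page, so a documentation address is used);
# the second is an invented active-mode case for comparison.
PASSIVE_DROP = (
    "Jan 7 10:34:16 myhostname kernel: DROP:IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 "
    "ID=47731 DF PROTO=TCP SPT=4719 DPT=44609 WINDOW=32768 RES=0x00 SYN URGP=0"
)
ACTIVE_DROP = (
    "Jan 7 10:40:02 myhostname kernel: DROP:IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 "
    "ID=47800 DF PROTO=TCP SPT=20 DPT=35001 WINDOW=32768 RES=0x00 SYN URGP=0"
)

KV_RE = re.compile(r"(\w+)=(\S*)")
BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_netfilter_line(line: str) -> Dict[str, Any]:
    """Turn a netfilter LOG line into a dict of KEY=value fields plus bare flags."""
    fields: Dict[str, Any] = dict(KV_RE.findall(line))
    # Tokens such as SYN or DF carry no '='; collect them separately as flags.
    fields["FLAGS"] = {tok for tok in line.split() if tok in BARE_FLAGS}
    return fields


def classify_ftp_drop(fields: Dict[str, Any]) -> str:
    """Say which FTP channel a dropped inbound TCP SYN most likely belongs to."""
    if fields.get("PROTO") != "TCP" or "SYN" not in fields["FLAGS"]:
        return "not-a-new-tcp-connection"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if dpt == FTP_CONTROL_PORT:
        return "control"
    if spt == FTP_DATA_PORT:
        # A remote server dialling back to a local client: active mode.
        return "active-data"
    if spt > 1023 and dpt > 1023:
        # Heuristic only: a high-port to high-port SYN right after a PASV reply
        # is the client opening the passive data channel to the local server.
        # Only the kernel's FTP connection-tracking helper (ip_conntrack_ftp on
        # 2.4 kernels), which reads the PASV/PORT exchange, can tie it to the
        # control session with certainty.
        return "passive-data"
    return "other"
```

The durable fix on the server side is to load the FTP connection-tracking helper and accept RELATED connections, so the negotiated data port is admitted per session instead of opening the whole unprivileged port range in the EXT zone.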