
Re: Am I too dull for ftp-proxy ?



I specified the settings according to your mail to the external interface.
Did not help.
Then I made the block rule log the packets, and, guess what, the return
connection after issuing an "ls" on an ftp connection tries to connect back
to my firewall on a port > 60000; that sounds like the default port range as
stated in the ftp-proxy manual.
Then I added a rule to allow connections above port >49151, and it worked.
So, I guess that something with my inetd.conf line is not correct, as I
thought to have specified the port range explicitly.
That line was:
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy -m 12000 -M 14000 -t 300
and, an earlier try:
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 12000 -M 14000 -t 300
Thx in advance
----- Original Message -----
From: "Daniel Hartmeier" <[email protected]>
To: "Stefan Sonnenberg-Carstens" <[email protected]>
Sent: Wednesday, December 04, 2002 11:56 AM
Subject: Re: Am I too dull for ftp-proxy ?
> On Wed, Dec 04, 2002 at 11:41:57AM +0100, Stefan Sonnenberg-Carstens wrote:
>
> > I thought that there is no need to explicitly specify the device to
> > filter on.
>
> You don't have to specify 'on <if>' in a filter rule, it's optional. If
> you don't specify the interface the rule should apply to, it will apply
> to all interfaces.
>
>   pass in on xl0 from any to any port 25
>     applies only to packets that pass through xl0
>   pass in from any to any port 25
>     applies to all packets, passing through all interfaces
>
> > Doesn't the kernel know where the packets have to go, or come from ?
>
> No.
>
> > The other way around: Is it always better to specify the NIC, that seems
> > to be an important point for the webmin module I'm writing, if it matters.
>
> If it's clear that a rule should always apply to packets on one specific
> interface, yes, it's better to specify that interface in the rule.
>
> Most people filter only on a single (external) interface and pass all
> packets on all other interfaces.
>
> If you have a three-legged firewall, you might want to filter on the
> different internal interfaces as well, you basically define a filtering
> policy for each interface.
>
> > Might this have impacts on performance, if one does not ?
>
> Performance is not a real issue, the question is whether the rule set
> implements a filtering policy correctly. If you mean to filter on only
> one interface, but your rules apply to all of them, that's just a
> mistake.
>
> It's almost always a mistake to filter on lo0.
>
> Daniel
>
>