From: Andreas Bittner (bittner_at_stud.fh-heilbronn.de)
Date: Sat Sep 07 2002 - 16:43:51 CDT


    All right,
    hello again,
    I have found chapter 11 in the /etc/sysconfig/SuSEfirewall2 config file.

    # 11.)
    # How is access allowed to high (unpriviliged [above 1023]) ports?
    #
    # You may either allow everyone from anyport access to your highports ("yes"),
    # disallow anyone ("no"), anyone who comes from a defined port (portnumber or
    # known portname) [note that this is easy to circumvent!], or just your
    # defined nameservers ("DNS").
    # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
    # from a firewall using this script (well, you can if you include range
    # 600:1023 in FW_SERVICES_EXT_UDP ...).
    # Please note that with v2.1 "yes" is not mandatory for active FTP from
    # the firewall anymore.
    #
    # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
    # if not set
    #
    # Common: "ftp-data", better is "yes" to be sure that everything else works :-(
    #FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
    # Common: "DNS" or "domain ntp", better is "yes" to be sure ...
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

    and have added the
      FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
    line and now it works all right...

    I wonder why the behaviour of a squid ftp connection is different from a direct ftp client connection on the squid/suse8 box itself... I guess I am not into the details of the related connections stuff...

    Thanks anyways,
    Andy

    ----- Original Message -----
    From: "Andreas Bittner" <bittnerstud.fh-heilbronn.de>
    To: <suse-securitysuse.com>
    Sent: Saturday, September 07, 2002 11:24 PM
    Subject: [suse-security] cant do ftp through squid (susefirewall2 problem with high ports??)

    Hello all,

    I don't know how to make susefirewall2 work on a suse8 box running squid when trying to ftp with the squid proxy.

    These are my logs, for example:

    Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Sep 7 23:18:08 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=58314 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

    Seems that my connection from the susefirewall2/squid box to the ftp server outside (here ftp.asuscom.de) gets replied to a high port 10260 on my box for the data connection (port 20)... What are the proper settings for susefirewall2 to accept this connection (it's actually a related connection, isn't it?) Why doesn't susefirewall/conntrack_ftp or something catch/accept this when the squid is trying to access ftp servers on the inet?

    I can ftp directly without the squid from the inside lan without any problems, and an ftp client directly on the suse8/squid box can also ftp without problems. Only the squid, when it wants to connect to ftp sites, comes up with these errors and won't connect....

    What am I doing wrong? Does my squid need reconfiguring?

    Thanks for any help.
    cheers,
    Andy

    -- 
    Check the headers for your unsubscription address
    For additional commands, e-mail: suse-security-helpsuse.com
    Security-related bug reports go to securitysuse.de, not here
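An added example, not part of the thread and not SuSEfirewall2's own code: a small Python script that parses SuSE-FW-DROP-DEFAULT kernel log lines like the ones quoted above, flags the drops that are inbound TCP SYNs from source port 20 (ftp-data) to an unprivileged port, i.e. the server-initiated data connection of active-mode FTP, and models what each FW_ALLOW_INCOMING_HIGHPORTS_TCP choice from chapter 11 would admit. The policy model is a reading of the config comment, not the script's actual logic; the port-name table and the last two sample log lines are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the first two lines are drops quoted in the post
# (DST is the poster's own placeholder); the last two are made up here to show
# unrelated drops that must NOT be classified as FTP data connections.
SAMPLE_LOG = """\
Sep 7 23:17:58 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=55284 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:01 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=212.123.225.148 DST=XXX.X.XXX.XX LEN=48 TOS=0x08 PREC=0x00 TTL=113 ID=56412 DF PROTO=TCP SPT=20 DPT=10269 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 7 23:18:09 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=XXX.X.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 7 23:18:10 box kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=XXX.X.XXX.XX LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=UDP SPT=53 DPT=32768 LEN=48
"""

TAG_RE = re.compile(r"kernel: (SuSE-FW-[A-Z-]+) ")   # e.g. SuSE-FW-DROP-DEFAULT
FIELD_RE = re.compile(r"(\w+)=(\S*)")                 # KEY=value tokens (value may be empty)
SYN_RE = re.compile(r"\bSYN\b")                       # bare TCP flag token
FTP_DATA_PORT = 20

# Small constructed subset of /etc/services for the "known portname" choice.
PORT_NAMES: Dict[str, int] = {"ftp-data": 20, "ftp": 21, "domain": 53, "ntp": 123}


@dataclass(frozen=True)
class Drop:
    tag: str
    iface: str
    proto: str
    src: str
    dst: str
    spt: int
    dpt: int
    syn: bool


def parse_line(line: str) -> Optional[Drop]:
    """Parse one SuSEfirewall2 kernel log line; None if it is not a firewall drop."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"PROTO", "SPT", "DPT"} <= fields.keys():
        return None  # ICMP or fragment lines carry no ports; ignored here
    return Drop(tag=m.group(1), iface=fields.get("IN", ""), proto=fields["PROTO"],
                src=fields.get("SRC", ""), dst=fields.get("DST", ""),
                spt=int(fields["SPT"]), dpt=int(fields["DPT"]),
                syn=SYN_RE.search(line) is not None)


def is_active_ftp_data_drop(d: Drop) -> bool:
    """Inbound SYN from ftp-data (20) to an unprivileged port: the server-initiated
    data connection of active-mode FTP being refused by the high-port policy."""
    return d.proto == "TCP" and d.syn and d.spt == FTP_DATA_PORT and d.dpt > 1023


def highport_policy_allows(setting: str, pkt: Drop,
                           nameservers: Optional[Set[str]] = None) -> Optional[bool]:
    """Model (an assumption from the config comment, not the script's code) of
    FW_ALLOW_INCOMING_HIGHPORTS_TCP: "yes" admits everything to ports above 1023,
    "no"/unset nothing, "DNS" only the configured nameservers, and a port name or
    number admits any packet whose *source* port matches. Returns None when the
    packet is not to a high port and therefore not governed by this setting."""
    if pkt.dpt <= 1023:
        return None
    if setting == "yes":
        return True
    if setting in ("", "no"):
        return False
    if setting == "DNS":
        return pkt.src in (nameservers or set())
    allowed_src_ports = {PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
                         for tok in setting.split()}
    return pkt.spt in allowed_src_ports


def summarize(log_text: str) -> dict:
    """Count drops and single out the active-FTP data connection pattern."""
    drops: List[Drop] = [d for d in map(parse_line, log_text.splitlines()) if d]
    ftp = [d for d in drops if is_active_ftp_data_drop(d)]
    return {"total": len(drops), "active_ftp_data": len(ftp),
            "servers": sorted({d.src for d in ftp})}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    for choice in ("no", "ftp-data", "yes"):
        print(f'FW_ALLOW_INCOMING_HIGHPORTS_TCP="{choice}" admits it: '
              f"{highport_policy_allows(choice, first)}")
```

The model makes the config comment's own warning concrete: with "ftp-data" the only thing examined is the remote source port, which the remote host chooses, so the setting admits any host to any port above 1023 as long as it sends from port 20, and "yes" is wider still. The narrower fix the poster is circling is connection tracking, where the ftp helper sees the PORT command on the control connection and marks the matching data connection RELATED, so no static high-port hole is needed; this script only recognises the symptom in the logs and shows what each static choice would open.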