Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [suse-security] Re: SuSEfirewall2 and Active ftp
From: André Sänger (Andre.Saengergmx.de)
Date: Thu Aug 14 2003 - 08:56:07 CDT
Friday, July 18, 2003, 3:47:30 PM, you wrote:
>> > I do not understand why this allows masqueraded clients to access
>> > active FTP resources. Well, without masq I think the "RELEATED"
>> > option of iptables does the trick.
>> It does ( if ip_conntrack_ftp is loaded )
>> Active FTP may go beyond the scope of the SuSEfirewall2 tool. It's
>> just an assumption. I never used SuSEfirewall2.
>> Is it an option for you to use iptables without that SuSE tool?
> Why do you not take a look at Shorewall you can mix iptable commands with
> simple easy type rules. You can find it at http://www.shorewall.net/
I wanted to keep it simple and so use the SuSE supplied script which
is already working on two other setups (which are not that complex as
in this case). Shorewall may be an option, but I´m still curious what
this flags thing is for:
Rule created by SuSEfirewall2 which does _not_ work with unmasqued
0 ACCEPT tcp -- * * 192.168.0.1
10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02
A rule without the "flags:!0x16/0x02" part does the job. Maybe you can
point me to some howto what this flags things are and why they are
used by SuSEfirewall2 by default?
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here