Gentoo Forums
Networking & Security
ftp active/passive + iptables firewall (the old/new story)
ddaas
Tux's lil' helper
Joined: 28 Feb 2005
Posts: 106
Location: Germany
Posted: Fri Mar 24, 2006 12:51 pm    Post subject: ftp active/passive + iptables firewall (the old/new story)

I thought everything was clear regarding active and passive FTP.
But...
On my server there are circa 200 accounts. The FTP server is PureFTP. iptables has the DROP policy.

Firewall rules regarding FTP are:

Code:
##ALLOW inbound TCP connections
###FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#active
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#passive
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT


When the firewall is stopped everyone could connect to the ftp server (most of them both passive and active).
When I start the firewall, some users can connect and others can't. Those that can't have tried both passive and active with a lot of clients (TotalCommander, IE Browser, etc). The result is the same: from the client side authentication is done, but it gets stuck at the list command.

From the server side, here is the sniffed traffic:
Quote:

18:09:07.928076 IP X.X.224.58.2941 > Y.Y.112.116.21: S 3038002036:3038002036(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:07.928156 IP Y.Y.112.116.21 > X.X.224.58.2941: S 3102450479:3102450479(0) ack 3038002037 win 5840 <mss 1460,nop,nop,sackOK>
18:09:07.937680 IP X.X.224.58.2941 > Y.Y.112.116.21: . ack 1 win 17520
18:09:07.938718 IP Y.Y.112.116.21 > X.X.224.58.2941: P 1:311(310) ack 1 win 5840
18:09:07.955635 IP X.X.224.58.2941 > Y.Y.112.116.21: P 1:15(14) ack 311 win 17210
18:09:07.955674 IP Y.Y.112.116.21 > X.X.224.58.2941: . ack 15 win 5840
18:09:07.955795 IP Y.Y.112.116.21 > X.X.224.58.2941: P 311:351(40) ack 15 win 5840
18:09:07.975637 IP X.X.224.58.2941 > Y.Y.112.116.21: P 15:35(20) ack 351 win 17170
18:09:08.017050 IP Y.Y.112.116.21 > X.X.224.58.2941: . ack 35 win 5840
18:09:08.047380 IP Y.Y.112.116.21 > X.X.224.58.2941: P 351:443(92) ack 35 win 5840
18:09:08.075831 IP X.X.224.58.2941 > Y.Y.112.116.21: P 35:40(5) ack 443 win 17078
18:09:08.075875 IP Y.Y.112.116.21 > X.X.224.58.2941: . ack 40 win 5840
18:09:08.075984 IP Y.Y.112.116.21 > X.X.224.58.2941: P 443:477(34) ack 40 win 5840
18:09:08.183542 IP X.X.224.58.2941 > Y.Y.112.116.21: P 40:48(8) ack 477 win 17044
18:09:08.183699 IP Y.Y.112.116.21 > X.X.224.58.2941: P 477:500(23) ack 48 win 5840
18:09:08.204473 IP X.X.224.58.2941 > Y.Y.112.116.21: P 48:55(7) ack 500 win 17021
18:09:08.204625 IP Y.Y.112.116.21 > X.X.224.58.2941: P 500:532(32) ack 55 win 5840
18:09:08.222579 IP X.X.224.58.2941 > Y.Y.112.116.21: P 55:61(6) ack 532 win 16989
18:09:08.222814 IP Y.Y.112.116.21 > X.X.224.58.2941: P 532:583(51) ack 61 win 5840
18:09:08.250190 IP X.X.224.58.2942 > Y.Y.112.116.5789: S 1732947833:1732947833(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:08.255633 IP X.X.224.58.2941 > Y.Y.112.116.21: P 61:71(10) ack 583 win 16938
18:09:08.297045 IP Y.Y.112.116.21 > X.X.224.58.2941: . ack 71 win 5840
18:09:11.220281 IP X.X.224.58.2942 > Y.Y.112.116.5789: S 1732947833:1732947833(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:17.242436 IP X.X.224.58.2942 > Y.Y.112.116.5789: S 1732947833:1732947833(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:38.263437 IP X.X.224.58.2941 > Y.Y.112.116.21: P 71:77(6) ack 583 win 16938
18:09:38.263452 IP Y.Y.112.116.21 > X.X.224.58.2941: . ack 77 win 5840
18:09:38.268815 IP X.X.224.58.2941 > Y.Y.112.116.21: R 77:77(0) ack 583 win 0
18:09:48.284028 IP X.X.224.58.2945 > Y.Y.112.116.21: S 2203251465:2203251465(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:48.284058 IP Y.Y.112.116.21 > X.X.224.58.2945: S 3143871223:3143871223(0) ack 2203251466 win 5840 <mss 1460,nop,nop,sackOK>
18:09:48.296823 IP X.X.224.58.2945 > Y.Y.112.116.21: . ack 1 win 17520
18:09:48.325060 IP Y.Y.112.116.21 > X.X.224.58.2945: P 1:311(310) ack 1 win 5840
18:09:48.348262 IP X.X.224.58.2945 > Y.Y.112.116.21: P 1:15(14) ack 311 win 17210
18:09:48.348288 IP Y.Y.112.116.21 > X.X.224.58.2945: . ack 15 win 5840
18:09:48.371539 IP Y.Y.112.116.21 > X.X.224.58.2945: P 311:351(40) ack 15 win 5840
18:09:48.391287 IP X.X.224.58.2945 > Y.Y.112.116.21: P 15:35(20) ack 351 win 17170
18:09:48.432157 IP Y.Y.112.116.21 > X.X.224.58.2945: . ack 35 win 5840
18:09:48.469318 IP Y.Y.112.116.21 > X.X.224.58.2945: P 351:443(92) ack 35 win 5840
18:09:48.489535 IP X.X.224.58.2945 > Y.Y.112.116.21: P 35:43(8) ack 443 win 17078
18:09:48.489568 IP Y.Y.112.116.21 > X.X.224.58.2945: . ack 43 win 5840
18:09:48.489732 IP Y.Y.112.116.21 > X.X.224.58.2945: P 443:466(23) ack 43 win 5840
18:09:48.516826 IP X.X.224.58.2945 > Y.Y.112.116.21: P 43:50(7) ack 466 win 17055
18:09:48.516983 IP Y.Y.112.116.21 > X.X.224.58.2945: P 466:498(32) ack 50 win 5840
18:09:48.539399 IP X.X.224.58.2945 > Y.Y.112.116.21: P 50:56(6) ack 498 win 17023
18:09:48.539520 IP Y.Y.112.116.21 > X.X.224.58.2945: P 498:550(52) ack 56 win 5840
18:09:48.557060 IP X.X.224.58.2946 > Y.Y.112.116.63594: S 2627361435:2627361435(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:48.562596 IP X.X.224.58.2945 > Y.Y.112.116.21: P 56:66(10) ack 550 win 16971
18:09:48.6048X.IP Y.Y.112.116.21 > X.X.224.58.2945: . ack 66 win 5840
18:09:51.451X. IP X.X.224.58.2946 > Y.Y.112.116.63594: S 2627361435:2627361435(0) win 16384 <mss 1460,nop,nop,sackOK>
18:09:57.471852 IP X.X.224.58.2946 > Y.Y.112.116.63594: S 2627361435:2627361435(0) win 16384 <mss 1460,nop,nop,sackOK>


The logs from pure-ftp in debugging mode:
Code:
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [INFO] New connection from X.X.224.58
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220---------- Welcome to Pure-FTPd [TLS] ----------
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-You are user number 2 of 50 allowed.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-Local time is now 18:09. Server port: 21.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-This is a private system - No anonymous login
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220-IPv6 connections are also welcome on this server.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 220 You will be disconnected after 15 minutes of inactivity.
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] Command [user] [useruser]
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] 331 User useruser OK. Password required
Mar 23 18:09:07 host1 pure-ftpd: (?@X.X.224.58) [DEBUG] Command [pass] [<*>]
Mar 23 18:09:08 host1 pure-ftpd: (?@X.X.224.58) [INFO] useruser is now logged in
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 230-User useruser has group access to:  useruser
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 230 OK. Current restricted directory is /
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [pwd] []
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 257 "/" is your current location
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [type] [A]
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 200 TYPE is now ASCII
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [cwd] [/]
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 250 OK. Current directory is /
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [pasv] []
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] 227 Entering Passive Mode (Y,25,112,116,22,157)
Mar 23 18:09:08 host1 pure-ftpd: (useruser@X.X.224.58) [DEBUG] Command [list] [-al]



Thanks a lot for your help.
I really don't know what else to do...
Best regards,
ddaas
Jerem
Apprentice
Joined: 11 Jun 2004
Posts: 177
Posted: Sun May 28, 2006 12:39 pm

Try:

Code:
# load the FTP connection-tracking helper so that data connections are tracked as RELATED
modprobe ip_conntrack_ftp
urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
Posted: Fri May 25, 2007 8:46 am    Post subject: Re: ftp active/passive + iptables firewall (the old/new stor

ddaas wrote:
When the firewall is stopped everyone could connect to the ftp server (most of them both passive and active).
When I start the firewall, some users can connect and others can't. Those that can't have tried both passive and active with a lot of clients (TotalCommander, IE Browser, etc). The result is the same: from the client side authentication is done, but it gets stuck at the list command.


I have exactly the same problem, except I'm the only user on my server: if iptables is stopped, no problem. If started, no directory listing.

My ftp iptables rules are exactly like yours:
Code:
##ALLOW inbound TCP connections
###FTP
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#active
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#passive
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT


And this is the output of "iptables -L -n":
Code:
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*raw
:PREROUTING ACCEPT [46975:14020864]
:OUTPUT ACCEPT [39597:4677724]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*nat
:PREROUTING ACCEPT [1634:298393]
:POSTROUTING ACCEPT [593:47528]
:OUTPUT ACCEPT [593:47528]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*mangle
:PREROUTING ACCEPT [46975:14020864]
:INPUT ACCEPT [46658:13963678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39597:4677724]
:POSTROUTING ACCEPT [39812:4711878]
COMMIT

*filter
:INPUT ACCEPT [5:5903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1023:595387635]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# for the VMware local network
-A INPUT -s 192.168.123.128/25 -j ACCEPT
-A OUTPUT -s 192.168.123.128/25 -j ACCEPT
-A INPUT -s 192.168.67.128/25 -j ACCEPT
-A OUTPUT -s 192.168.67.128/25 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

###FTP
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#active
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#passive
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

# VNC
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1417:1420 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5802 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5800:5802 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5500:5502 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5500:5502 -j ACCEPT

# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT
# Completed on Wed Mar 22 22:31:27 2006


The weird thing is everything was working OK up until a month or so ago, but I've changed nothing in my iptables rules.

Any clue? Maybe a kernel thing? I update my kernel by issuing a "make oldconfig" over the previous .config file. This is my current .config file FTP config:
Code:
/usr/src/linux $ cat .config | grep FTP
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_NAT_FTP=m
# CONFIG_NF_NAT_TFTP is not set


Thanks in advance.
mudrii
l33t
Joined: 26 Jun 2003
Posts: 789
Location: Singapore
Posted: Fri May 25, 2007 9:58 am

The problem is not only in your firewall; it is also in your pure-ftp configuration.
As I recall, for example, to use passive ftp you should specify an exact port range, and if you are behind a firewall (not iptables but an ADSL/cable modem) you should forward the ports and use the -N switch for NAT compatibility.
If it is your first ftp setup, read
http://download.pureftpd.org/pub/pure-ftpd/doc/README
_________________
www.gentoo.ro
urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
Posted: Fri May 25, 2007 9:38 pm

Well, I solved the problem, or at least I'm able to connect again to my ftp server.

Firstly, I noticed a few of the kernel options that are recommended to be ON when configuring the network stuff were OFF (maybe due to the "make oldconfig" applied from 2.6.19-rX to 2.6.20-rX).

Secondly, I slightly changed my ftp rules in /etc/iptables.conf from what appears in my previous message in this thread to this:
Code:
###FTP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21  -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 21 -j ACCEPT
#active
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --sport 20 -j ACCEPT
#passive
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 1024: --dport 1024: -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 1024: --dport 1024: -j ACCEPT


After all this I can connect using passive mode from a Mac OS X ftp client to my Gentoo ftp server ;)

In case anyone is interested, here is the IP config in my running kernel:
Code:
CONFIG_SYSVIPC=y
# CONFIG_IPC_NS is not set
CONFIG_SYSVIPC_COMPAT=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
# CONFIG_NET_IPGRE is not set
CONFIG_INET_IPCOMP=y
# IP: Virtual Server Configuration
# CONFIG_IP_VS is not set
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_IPV6_ROUTER_PREF is not set
CONFIG_INET6_IPCOMP=y
# CONFIG_IPV6_MIP6 is not set
CONFIG_IPV6_SIT=y
CONFIG_IPV6_TUNNEL=y
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# IP: Netfilter Configuration
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# IPv6: Netfilter Configuration (EXPERIMENTAL)
CONFIG_NF_CONNTRACK_IPV6=m
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_IP_DCCP_ACKVEC=y
CONFIG_IP_DCCP_CCID2=m
# CONFIG_IP_DCCP_CCID2_DEBUG is not set
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_CCID3_DEBUG is not set
CONFIG_IP_DCCP_CCID3_RTO=100
# CONFIG_IP_DCCP_DEBUG is not set
CONFIG_IP_SCTP=m
# TIPC Configuration (EXPERIMENTAL)
# CONFIG_TIPC is not set
CONFIG_IPX=m
CONFIG_IPX_INTERN=y
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IEEE80211_CRYPT_TKIP=m
# CONFIG_SCSI_IPS is not set
CONFIG_SCSI_IZIP_EPP16=y
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
# CONFIG_SCSI_IPR is not set
CONFIG_MD_MULTIPATH=m
# CONFIG_DM_MULTIPATH is not set
CONFIG_IEEE1394_CONFIG_ROM_IP1394=y
# CONFIG_NET_TULIP is not set
CONFIG_STRIP=m
# CONFIG_IPW2100 is not set
# CONFIG_IPW2200 is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_SERIO_PCIPS2 is not set
# CONFIG_TIPAR is not set
# IPMI
# CONFIG_IPMI_HANDLER is not set
# CONFIG_I2C_DEBUG_CHIP is not set
# CONFIG_HWMON_DEBUG_CHIP is not set
CONFIG_VIDEO_HELPER_CHIPS_AUTO=y
# CONFIG_VIDEO_OVCAMCHIP is not set
# CONFIG_USB_AIPTEK is not set
# CONFIG_EXT2_FS_XIP is not set
CONFIG_CRYPTO_BLKCIPHER=y
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany
Posted: Fri May 25, 2007 10:59 pm

This configuration is not secure. You should either use the ftp conntrack/nat module or use a reverse ftp proxy.
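Added example (not from the thread, pure-ftpd or netfilter): a small Python model of the INPUT chain that ties Jerem's `modprobe ip_conntrack_ftp` answer, urcindalo's widened passive rule and sschlueter's warning together. It decodes the 227 reply from ddaas's pure-ftpd log into the port 5789 whose SYNs go unanswered in the trace, then evaluates the posted rule sets with and without the helper; the WITH_HELPER rule set, the 40000 source port and the choice of port 5900 as a probe target are assumptions, and the model ignores the OUTPUT chain and the generic RELATED,ESTABLISHED rule in urcindalo's full dump.

```python
import re
from collections import namedtuple

# Constructed from the thread: pure-ftpd's 227 reply in the debug log and the
# client's unanswered SYN in the tcpdump trace (server address anonymised as Y).
PASV_REPLY = "227 Entering Passive Mode (Y,25,112,116,22,157)"
TRACE_SYN = {"sport": 2942, "dport": 5789}

ANY = (0, 65535)
HIGH = (1024, 65535)   # what "--sport 1024: --dport 1024:" matches

# An INPUT rule: inclusive port ranges plus the states "-m state --state ..." lists.
Rule = namedtuple("Rule", "sport dport states")

def pasv_port(reply):
    """Data port announced in a 227 reply: last two fields are p1,p2; port = p1*256 + p2."""
    m = re.search(r"\((?:[^,()]+,){4}(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    return int(m.group(1)) * 256 + int(m.group(2))

def evaluate(rules, sport, dport, state, policy="DROP"):
    """Walk an INPUT chain as iptables does: first matching rule decides, else the policy."""
    for r in rules:
        if (r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]
                and state in r.states):
            return "ACCEPT"
    return policy

# FTP-relevant INPUT rules as posted in the thread (control port 21 plus the "passive" rule).
ORIGINAL = [Rule(ANY, (21, 21), {"NEW", "ESTABLISHED"}),
            Rule(HIGH, HIGH, {"RELATED", "ESTABLISHED"})]
# urcindalo's later change: NEW added to the passive rule.
WIDENED = [Rule(ANY, (21, 21), {"NEW", "ESTABLISHED"}),
           Rule(HIGH, HIGH, {"NEW", "RELATED", "ESTABLISHED"})]
# Assumed helper-based set: only port 21 accepts NEW; all else must be RELATED/ESTABLISHED.
WITH_HELPER = [Rule(ANY, (21, 21), {"NEW"}),
               Rule(ANY, ANY, {"RELATED", "ESTABLISHED"})]

def data_syn_state(helper_loaded):
    """Without ip_conntrack_ftp, conntrack never parsed the 227 reply, so the client's SYN
    to the data port is an unrelated NEW flow; with the helper loaded it is RELATED."""
    return "RELATED" if helper_loaded else "NEW"

def listing_works(rules, helper_loaded):
    """Would the data connection for LIST (the SYN seen in the trace) be accepted?"""
    port = pasv_port(PASV_REPLY)
    assert port == TRACE_SYN["dport"]   # the trace's SYN targets exactly the PASV port
    return evaluate(rules, TRACE_SYN["sport"], port, data_syn_state(helper_loaded)) == "ACCEPT"

def unrelated_new_accepted(rules, dport, sport=40000):
    """Would a brand-new connection, unrelated to any FTP session, reach this port?"""
    return evaluate(rules, sport, dport, "NEW") == "ACCEPT"
```

The helper can only mark the data connection RELATED when it can read the 227 reply, so on a TLS-protected control channel it does not help and a fixed passive port range in pure-ftpd (mudrii's point) has to be opened explicitly instead.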
urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
Posted: Sat May 26, 2007 6:47 am

I know :)

But it is, when combined with the excellent blacklist script that gets rid of brute-force attempts to enter my box (ssh, ftp...). Every week the script bans a dozen or so IP addresses.