|
Alois Treindl wrote:
>
> On Tue, 8 May 2001, Roberto Nibali wrote:
>
> Roberto
>
> could you do us the favour and present a concrete example
> of the Packetfilter-ruleset
> which you describe abstractly in your post, e.g. as ipchains rules?
I'm not so sure if I should do so, this will maybe causes too much troubles.
It's an excerpt of one rule of our rulebase from our packetfilter:
fw-masq-ftp-active.
# 1. from Client to Server (cmd-channel port unpriv-->21, initiated by
# client; active data channel, port 20-->unpriv, initiated by server)
# Command Channel
# $4 is the fwmark
${IPCHAINS} -A input -j $chain $LOGIN ! -y -p tcp -i $SRCDEV -s $SRC
$SRCPORTS -d $DST 21 -m ${4:-0}
${IPCHAINS} -A input -j $chain $LOG -p tcp -i $SRCDEV -s $SRC $SRCPORTS -d
$DST 21 -m ${4:-0}
# Data Channel
${IPCHAINS} -A input -j $chain $LOGIN ! -y -p tcp -i $SRCDEV -s $SRC
$SRCPORTS -d $DST 20 -m ${4:-0}
#${IPCHAINS} -A input -j $chain $LOG -p tcp -i $SRCDEV -s $SRC $SRCPORTS -d
$DST 20 -m ${4:-0}
# Now control and data packets in the forward-chain get masqueraded.
if [ "$1" = "accept" ]; then
${IPCHAINS} -A forward -j MASQ $LOGFWD -p tcp -i $DSTDEV -s $SRC
$SRCPORTS -d $DST 21 -m ${4:-0}
${IPCHAINS} -A forward -j MASQ $LOGFWD ! -y -p tcp -i $DSTDEV -s $SRC
$SRCPORTS -d $DST 20 -m ${4:-0}
fi
# Now control and data channel in the output-chain.
# Note: In the first rule $SRCPORTS should be replaced by the range of
# ports which is actually used for masquerading by the kernel
${IPCHAINS} -A output -j $chain $LOGOUT -p tcp -i $DSTDEV -s $DSTIF
$SRCPORTS -d $DST 21 -m ${4:-0}
${IPCHAINS} -A output -j $chain $LOGOUT ! -y -p tcp -i $DSTDEV -s $DSTIF
$SRCPORTS -d $DST 20 -m ${4:-0}
# 2. From Server to Client.
# Note: In all rules $SRCPORTS should be replaced by the range of
# ports which is actually used by the kernel for masquerading
${IPCHAINS} -A input -j $chain $LOGIN ! -y -p tcp -i $DSTDEV -s $DST 21 -d
$DSTIF $SRCPORTS -m ${4:-0}
${IPCHAINS} -A input -j $chain $LOGIN ! -y -p tcp -i $DSTDEV -s $DST 20 -d
$DSTIF $SRCPORTS -m ${4:-0}
${IPCHAINS} -A input -j $chain $LOG -p tcp -i $DSTDEV -s $DST 20 -d $DSTIF
$SRCPORTS -m ${4:-0}
# Here no forwarding rules are needed since this is handled by the
# masquerading module (the "demasquerading")
${IPCHAINS} -A output -j $chain $LOGOUT ! -y -p tcp -i $SRCDEV -s $DST 21
-d $SRC $SRCPORTS -m ${4:-0}
${IPCHAINS} -A output -j $chain $LOGOUT -p tcp -i $SRCDEV -s $DST 20 -d
$SRC $SRCPORTS -m ${4:-0}
> I also don't understand what is meant by the sentence
> "Probably the best
> way would be to add a script which only handles the client-side and to
> add each ftp-server seperately with a "tcp@fw"-rule."
Oups, I should have cut that out. We have internal names for our packetfilter
scripts.
This one means: accept tcp tcpports from firewall to a netentity. In realworld
it
would look like
fw-tcp@fw accept $NETENTITY $PORTS which expands in a big set of ipchains rules.
The opposite would be fw-tcp2fw which addresses the tcp traffic coming to the
fw.
> Or will I find it in the ftp_proxy documentation?
No, I made the mistake by not erasing it out of the documentation.
Sorry for the confusion and best regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
|
