emherman
asked on
RH6.1 masquerade problems
I have a RH6.1 machine that I have configured to be a firewall/Internet gateway... until yesterday.
I installed 6.1, configured it, and it was running well, but all of a sudden it won't let me list (ls) directories when I FTP to a remote server. After taking VERY extreme measures, I finally isolated it down to an ipchains line. If I remark it out, masquerading works great. If I put it in, then it seems a little more sluggish, but I lose the "ls" command in an FTP session. That is locally at the machine AND masqueraded from w2000/w98 machines.
The line is: "/sbin/ipchains -i ppp0 -p tcp -y -j DENY"
What is weird is that it used to work... all the way until yesterday.
Can someone either help me configure the machine so this rule will work, or help me write some rules that will DENY inbound TCP SYN packets yet still enable me to FTP?
ASKER CERTIFIED SOLUTION
Port 20 should only be listened on by an ftp client awaiting a connection from a server. So most of the time, it should be closed, because there will be nothing listening on it. However, while an ftp client is listening, it is a potential security risk. If it's a concern to you, then you will have to go with a more sophisticated firewall (e.g., the new netfilter code in the 2.4 kernel), or restrict yourself to passive mode ftp.
Vijay
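The two rule sets the thread talks about, written out as an added example (this is not the asker's script or the answerer's code). It assumes the rules are appended to the ipchains `input` chain (the line quoted in the question omits the chain name), that the external interface is `ppp0` as in the question, and that active-mode FTP data connections arrive as a TCP SYN from the remote server's port 20 to an unprivileged port on the gateway. The `verdict` function is a small first-match simulator of the FTP-friendly set so the effect on sample packets can be checked without a 2.2 kernel; `IPCHAINS` defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original thread. ipchains input rules for a ppp0
# gateway that reject unsolicited inbound TCP SYNs but still let an active-mode
# FTP server open its data connection (from its port 20) back to the client.
# Dry run by default: set IPCHAINS=/sbin/ipchains on a 2.2-kernel host to apply.

IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"
EXT_IF="${EXT_IF:-ppp0}"          # external interface, taken from the question

# Rule set 1: block inbound SYNs except the active-FTP data SYN.
# ipchains is first-match, so the ACCEPT exception must precede the blanket DENY.
ftp_friendly_syn_rules() {
    # Active FTP: remote server connects FROM tcp/20 TO an unprivileged port.
    # Only that SYN is accepted; the port range is an assumption (>= 1024).
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -s 0/0 20 -d 0/0 1024:65535 -j ACCEPT
    # Every other attempt to open a TCP connection from outside is denied and
    # logged (-l), which is what the asker's single rule did without the exception.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j DENY
}

# Rule set 2 (the answer's stricter option): no inbound SYN at all.
# Clients must then use passive-mode FTP, where every connection is outbound.
passive_only_syn_rules() {
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j DENY
}

# Simulator of rule set 1 for one inbound TCP packet on the external interface.
# Arguments: source port, destination port, syn flag (1 = SYN without ACK).
# Prints ACCEPT, DENY, or PASS (packet matched no -y rule and falls through
# to the chain policy, e.g. replies on an already-open control connection).
verdict() {
    sport=$1; dport=$2; syn=$3
    [ "$syn" -eq 1 ] || { echo PASS; return 0; }
    if [ "$sport" -eq 20 ] && [ "$dport" -ge 1024 ]; then
        echo ACCEPT; return 0
    fi
    echo DENY
}

# Stand-alone demo: print both rule sets and a few sample verdicts.
if [ "${1:-}" = "demo" ]; then
    echo "# ftp-friendly:";  ftp_friendly_syn_rules
    echo "# passive-only:";  passive_only_syn_rules
    echo "active FTP data SYN (20 -> 40000):  $(verdict 20 40000 1)"
    echo "telnet probe SYN (4321 -> 23):       $(verdict 4321 23 1)"
    echo "control-channel reply (21 -> 40000): $(verdict 21 40000 0)"
fi
```

The exception is deliberately narrow: it accepts a SYN only when the source port is 20 and the destination is an unprivileged port, so it does not reopen services on low ports. It does still trust the source-port field, which any remote host can set, which is why the thread's answer points to passive-only FTP or a stateful firewall (netfilter in 2.4) as the cleaner choices. Masqueraded clients behind the gateway are in the same position: their active-mode data SYN also arrives on ppp0 addressed to the gateway, so the single `-y DENY` line hits them too.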