firewall question

Jessica Zhu jessica at mathforum.org
Thu May 12 18:46:43 UTC 2005


On Thu, 12 May 2005, Marco A. Ramos wrote:

> As you say you have two options:
> 
> a) To force all users to work with the non-passive method (remember to open the data
> port (tcp/20))

That's what I already did.

-A input -s xxx.xxx.xx.0/24 -d 0/0 20 -p tcp -y -j ACCEPT

> 
> b) Enable the passive method on your firewall. To do so, you have to
> determine some port in your ftp server; this means that your ftp server must
> use a specific range of ports (for example 50000-50500), and then open
> that range in your firewall. Another point to consider is that the FTP server
> will send its own IP address for the passive connection.

Then the question is how to let the ftp server know to use the specific range
of ports. We use wu-ftpd-2.6.1-20.

For "send its own IP address", do you mean that I just include their ip in
the firewall and trust that ip?

Jessica


> 
> Good Luck
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com]On Behalf Of Bartosz Brewinski
> Sent: Thursday, 12 May, 2005 11:30 AM
> To: redhat-list at redhat.com
> Subject: Odp: firewall question
> 
> 
> Maybe "BBedit" is not configured (or can't be) for passive ftp while the
> other ftp clients used in the office are using passive ftp connections?
> 
> Maybe it would be sufficient to persuade BBedit to use the passive connection
> method?
> 
> Hope this helps.
> 
> bartek
> 
> >>> jessica at mathforum.org 2005-05-12 20:21 >>>
> Hi,
> 
> I set up the firewall on an old linux (7.1) server using ipchains, which
> allows ftp within our network. After the firewall went up, some users in the
> office who use BBedit on Macintosh complained that they cannot ftp to
> the server any more, although there is no problem using other ftp
> programs.
> 
> My final solution is to trust the IPs of those users using BBedit and
> accept all from them. However, I thought this is not the best and most secure
> solution. Just wondering whether anybody on the list can help me figure
> out a better solution.
> 
> Thanks!
> 
> Jessica
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> 
> 
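
Added example (not part of the original thread): in passive mode the client opens the data connection to the address and port the server announces in its 227 reply, so once a range such as 50000-50500 is configured and opened, captured replies can be checked against it. The server address 192.0.2.10 and the sample replies are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Range suggested in the thread (50000-50500), inclusive.
PASV_RANGE = range(50000, 50501)
# RFC 959 format: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port


def check_pasv(reply, server_ip, port_range=PASV_RANGE):
    """List the reasons the announced data endpoint would not match the firewall rules."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a parsable 227 reply"]
    ip, port = parsed
    problems = []
    if port not in port_range:
        problems.append(f"port {port} outside {port_range.start}-{port_range.stop - 1}")
    if ip != ipaddress.IPv4Address(server_ip):
        problems.append(f"advertised address {ip} is not {server_ip}")
    return problems


# Constructed sample replies; 192.0.2.10 stands in for the FTP server (assumption).
SAMPLES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # 195*256+80 = 50000
    "227 Entering Passive Mode (192,0,2,10,128,21)",  # 128*256+21 = 32789
    "227 Entering Passive Mode (10,0,0,5,196,0)",     # 196*256+0  = 50176
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, "192.0.2.10") or "ok")
```

A port outside the range means the server is not honoring the configured passive range; a mismatched address means clients will try to connect to a host the firewall rules were not written for.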



