Yum, FTP, NFS & Internal Firewall
Charles Curley
charlescurley at charlescurley.com
Fri Jun 17 12:00:26 MDT 2005
On Fri, Jun 17, 2005 at 10:53:26AM -0600, Bryan Sant wrote:
> On 6/16/05, Charles Curley <charlescurley at charlescurley.com> wrote:
> > If I use system-config-securitylevel to set up a minimum firewall,
> > allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> > back to port instead of passive mode, and continues to work. Yum fails
> > as follows:
>
> Charles, I have your solution.
>
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> Good, you're filtering on the RELATED state.
>
> Just modprobe ip_conntrack_ftp as root and you should be in ship shape.
>
> That kernel module will notice when an FTP PORT request is received
> and realize that the new data port is *related* to your FTP connection
> -- thus ACCEPT.
>
> This will only work for FTP sessions initiated from this server. If
> you're NATing other hosts behind this, then you'll need to look into
> the ip_nat_ftp.ko module.
Bingo. ip_conntrack_ftp != ip_conntrack. Doh.
There's none for nfs (no surprise) but one for Amanda. And others.
locate ip_conntrack_ | less
for more than you want to know.
Thanks.
--
Charles Curley /"\ ASCII Ribbon Campaign
Looking for fine software \ / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / \ No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://plug.org/pipermail/plug/attachments/20050617/d5587576/attachment.bin
More information about the PLUG
mailing list