Yum, FTP, NFS & Internal Firewall

Charles Curley charlescurley at charlescurley.com
Fri Jun 17 12:00:26 MDT 2005


On Fri, Jun 17, 2005 at 10:53:26AM -0600, Bryan Sant wrote:
> On 6/16/05, Charles Curley <charlescurley at charlescurley.com> wrote:
> > If I use system-config-securitylevel to set up a minimum firewall,
> > allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> > back to port instead of passive mode, and continues to work. Yum fails
> > as follows:
> 
> Charles, I have your solution.
> 
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> Good, you're filtering on the RELATED state.
> 
> Just modprobe ip_conntrack_ftp as root and you should be in ship shape.
> 
> That kernel module will notice when an FTP PORT request is received
> and realize that the new data port is *related* to your FTP connection
> -- thus ACCEPT.
> 
> This will only work for FTP sessions initiated from this server.  If
> you're NATing other hosts behind this, then you'll need to look into
> the ip_nat_ftp.ko module.

Bingo. ip_conntrack_ftp != ip_conntrack. Doh.

There's none for nfs (no surprise) but one for Amanda. And others.

locate ip_conntrack_ | less

for more than you want to know.

Thanks.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
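As an added example (not code from the thread or from either poster), here is a POSIX sh check for the exact condition Bryan describes: a RELATED,ESTABLISHED ACCEPT rule that is reachable in the chain plus the ip_conntrack_ftp helper loaded (and ip_nat_ftp when the box NATs FTP clients). The /proc/modules listings and iptables-save fragment are constructed samples; ftp_data_ok is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a /proc/modules listing and an
# iptables-save dump, decide whether FTP data connections will be let in by the
# RELATED match. Inputs below are constructed samples; on a live box feed it
# `cat /proc/modules` and `iptables-save` instead.
# Constructed /proc/modules before `modprobe ip_conntrack_ftp`: only the core
# tracker is present, so FTP PORT data sessions are never flagged RELATED.
MODULES_BEFORE="ip_conntrack 53729 2 iptable_nat, Live 0xf8a3c000
iptable_filter 3073 1 - Live 0xf8a1e000"

# Constructed /proc/modules after loading the helper (and the NAT helper).
MODULES_AFTER="ip_nat_ftp 3457 0 - Live 0xf8b20000
ip_conntrack_ftp 71697 1 ip_nat_ftp, Live 0xf8b10000
ip_conntrack 53729 3 ip_conntrack_ftp,iptable_nat, Live 0xf8a3c000
iptable_filter 3073 1 - Live 0xf8a1e000"

# Constructed iptables-save fragment shaped like the thread's RH-Firewall-1-INPUT chain.
RULES="*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"

# ftp_data_ok MODULES RULES [nat]: prints "ok" or what is missing; exit 0/1.
# Pass "nat" when the box also NATs FTP clients behind it (Bryan's caveat).
ftp_data_ok() {
    accept_ln=$(printf '%s\n' "$2" | grep -n -- '--state RELATED,ESTABLISHED -j ACCEPT' | head -n1 | cut -d: -f1)
    reject_ln=$(printf '%s\n' "$2" | grep -n -- '-j REJECT' | head -n1 | cut -d: -f1)
    # 1. A RELATED,ESTABLISHED ACCEPT rule must exist ...
    if [ -z "$accept_ln" ]; then
        echo "missing: RELATED,ESTABLISHED ACCEPT rule"; return 1
    fi
    # 2. ... and sit before the chain's catch-all REJECT, or it never matches.
    if [ -n "$reject_ln" ] && [ "$accept_ln" -gt "$reject_ln" ]; then
        echo "shadowed: RELATED,ESTABLISHED ACCEPT sits after the REJECT"; return 1
    fi
    # 3. Without the FTP helper, the PORT data connection is just NEW traffic.
    if ! printf '%s\n' "$1" | grep -q '^ip_conntrack_ftp '; then
        echo "missing: ip_conntrack_ftp (run: modprobe ip_conntrack_ftp)"; return 1
    fi
    # 4. NATed clients additionally need the address-rewriting helper.
    if [ "$3" = nat ] && ! printf '%s\n' "$1" | grep -q '^ip_nat_ftp '; then
        echo "missing: ip_nat_ftp (run: modprobe ip_nat_ftp)"; return 1
    fi
    echo ok
}
ftp_data_ok "$MODULES_BEFORE" "$RULES" || true   # missing: ip_conntrack_ftp (...)
ftp_data_ok "$MODULES_AFTER" "$RULES" nat        # ok
```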