[Shorewall-users] ftp works in a strange way.....or....

Goetz Reinicke goetz.reinicke@filmakademie.de
Sat, 27 Apr 2002 09:53:43 +0100


Paul Gear wrote:
> Goetz Reinicke wrote:
> 
> 
>>...
>>I added IP_FORWARDING="on" in the shorewall.conf and have the following
>>rules for ftp:
>>
>>ACCEPT  fw      net             tcp     ftp
>>ACCEPT  fw      local           tcp     ftp
>>
>>So can anyone explain to me why my ftp clients are allowed to connect
>>to ftp servers on the Internet??
> 
> 
> What is your loc -> net policy?  If it's accept, then they can get there
> without needing any rules.

:-) RTFM *bangingheadagainstthewall*

default rule:

local           net             ACCEPT

So that also means that, as I have enabled IP_FORWARDING, I have to disable 
some services and ports I don't want by a special rule in the rules file!? 
(e.g. news)

BTW:

In my rules file I have rules like:

ACCEPT  local:172.17.20.40      net     udp     ntp
ACCEPT  local:172.17.1.251      net     tcp     domain
ACCEPT  local:172.17.1.251      net     udp     domain

So, with the default policy in mind, are DNS requests from other hosts to 
the Internet rejected, or do I have to add rules like

DROP   local   net   udp   ntp,domain
DROP   local   net   tcp   domain

Thanks for your help.

cu...
...Götz


- Götz Reinicke -------------------- mailto: greinick@filmakademie.de -
   IT Koordinator                                   Tel: 07141/969-420
   IT-OfficeNet Filmakademie Baden-Württemberg    Fax: 07141/969-55420
- Mathildenstr. 20, 71638 Ludwigsburg ----------- www.filmakademie.de -
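The point Paul raises above is that a Shorewall policy is the fallback for traffic no rule matches, so with a `local -> net ACCEPT` policy every host behind the firewall reaches every Internet port and each unwanted service has to be blocked one by one. The configuration below is an added example written for this page, not something posted in the thread or shipped with Shorewall; it shows the permissive policy beside a default-deny policy that only lets through what the rules file explicitly permits. Zone names (`fw`, `local`, `net`), the two host addresses and the `http,https` rule are taken from or assumed for this thread; the column layout follows the `/etc/shorewall/policy` and `/etc/shorewall/rules` files.

```text
# /etc/shorewall/policy   (added example, not from the original post)
# SOURCE   DEST   POLICY   LOG LEVEL
#
# Permissive setting as in the post: any host in "local" may open any
# outbound connection, so unwanted services must be DROPped by hand.
#local     net    ACCEPT
#
# Default-deny alternative: nothing leaves "local" unless a rule in
# /etc/shorewall/rules ACCEPTs it.  Logging the policy hits shows
# which hosts are trying to use services that were not allowed.
local      net    DROP     info
net        all    DROP     info
all        all    REJECT   info

# /etc/shorewall/rules
# Rules are matched before the policy, so these are the only things
# that get out under the DROP policy above.
# ACTION   SOURCE                DEST    PROTO   DEST PORT(S)
ACCEPT     fw                    net     tcp     ftp
ACCEPT     fw                    local   tcp     ftp
ACCEPT     local:172.17.20.40    net     udp     ntp
ACCEPT     local:172.17.1.251    net     tcp     domain
ACCEPT     local:172.17.1.251    net     udp     domain
# assumed: ordinary web browsing for every host in "local"
ACCEPT     local                 net     tcp     http,https
```

With this arrangement a DNS query from any host other than 172.17.1.251 falls through to the `local net DROP` policy and is logged, without needing a separate DROP rule per service. Run `shorewall check` after editing to have Shorewall parse the files before `shorewall restart` applies them.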