shorewall & ftpd


Guest copex

hi

I have MDK9 running Shorewall. I've opened ports 20 & 21 on the network and local zones, and I have ProFTPD running. I can connect to ProFTPD via the local LAN, but when I try to connect to the FTP server over the Internet I get...

500 Sorry, no server available to handle request on 111.111.111.111 (my IP)

Anyone have any ideas how to fix this?

scott


Try these commands:

su

password

shorewall restart

 

Thanks for the tip. I stopped Shorewall in Services and then restarted it, so I presume it would do the same thing.

all the best


If you want it opened on your LAN and the net, open the Mandrake Control Center (MCC) and click Security->Firewall. Now click the 'Advanced' button and enter '20/tcp 21/tcp'. Now click the 'OK' button. That should do the trick.

Hope this helps

MOttS



hi

Thank you for the response. I have ports 20,21 in the Shorewall rules; if I go to grc.com and do a port test it shows FTP port 21 is open.

Port 21 is open, it just won't connect to ProFTPD.

all the best


I have not yet set up a server, but I've set up Shorewall for myself a little bit manually (this is, by the way, much more powerful).

I think this could help:

Add in rules:

ACCEPT net fw tcp 20,21 -

Maybe you also have to add:

ACCEPT fw (zone where your ftp-server is located) tcp 20,21 -

I don't know a lot about Shorewall yet, but hopefully this helps a little bit.

If the ftp-server only has to be accessible to a few people (not the whole Internet), I would let the people who have to connect use a port number between 1024 and 65000 (I don't know the exact maximum) and forward it from your firewall to port 21. This is much safer, I think, and I think it can be done without problems. You can drop all traffic to port 21 then. I suppose you know more than me about that if you're going to set up the server.



Michel, you raise a really good point here. One question for copex: is the computer running ProFTPD the gateway (the one running Shorewall) or a computer on the LAN? If it is on the gateway then it should work right away by adding ports 20 and 21 in the MCC. If, however, it is on a computer behind the gateway (the computer running Shorewall) then you have to add something manually in /etc/shorewall/rules. Here is what I added in the rules file on my server to be able to run an SSH server on my computer (which is behind the server).

DNAT net masq:192.168.1.100 tcp 22 -

In your case that would be

DNAT  net  masq:IP_of_computer_running_proftpd  tcp 20,21  -

Hope this helps

MOtTS
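Two things bite people writing rules like the ones in this thread: the PROTO column has to be a protocol (tcp), not a service name, and opening 20 and 21 alone does nothing for passive-mode data connections, which use a high port range. The script below is an added example, written for this page and not code from Michel, MOttS or the Shorewall project. It lints a Shorewall 1.x/2.x rules file for those mistakes and emits a rule set for both layouts discussed above (daemon on the gateway, or on a LAN host via DNAT). Assumptions: the zone names net, fw and masq from Mandrake's default Shorewall config, and a passive range of 49152:49999, which has to match a PassivePorts line in proftpd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread. Lints a Shorewall 1.x/2.x "rules"
# file and emits FTP rule sets for the two layouts discussed: ProFTPD on the
# gateway itself, or on a LAN host behind it (DNAT).
# Column order, as in the posts above: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# Assumptions: zone names net/fw/masq (Mandrake's defaults) and a passive
# port range that must match PassivePorts in proftpd.conf.

PASV_RANGE=49152:49999

# Read rules on stdin, print one finding per line, return 1 if any rule is wrong.
lint_shorewall_rules() {
    problems=0
    lineno=0
    seen21=0
    seenpasv=0
    set -f                      # no globbing while we split columns
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;  # blank or comment
        esac
        set -- $line
        action=$1; dst=$3; proto=$4; dport=$5
        case "$action" in
            ACCEPT|DROP|REJECT|DNAT|REDIRECT|LOG) ;;
            *) echo "line $lineno: unknown ACTION '$action'"; problems=1 ;;
        esac
        # PROTO is a protocol name, not a service name: 'ftp' is a common slip
        case "$proto" in
            tcp|udp|icmp|all|-) ;;
            *) echo "line $lineno: PROTO '$proto' is not a protocol (use tcp/udp/icmp/all)"; problems=1 ;;
        esac
        # DNAT must name the inside host as zone:address, e.g. masq:192.168.1.100
        if [ "$action" = DNAT ]; then
            case "$dst" in
                *:*) ;;
                *) echo "line $lineno: DNAT DEST '$dst' lacks zone:address"; problems=1 ;;
            esac
        fi
        # Remember whether the control port and a passive data range are covered
        case ",$dport," in *,21,*) seen21=1 ;; esac
        case "$dport" in *:*) seenpasv=1 ;; esac
    done
    set +f
    if [ "$seen21" = 1 ] && [ "$seenpasv" = 0 ]; then
        echo "warning: port 21 is open but no passive data range is; passive transfers fail unless the kernel's FTP connection-tracking helper is loaded"
    fi
    return $problems
}

# Rules for ProFTPD running on the gateway (copex's layout): control port,
# passive data range, and the active-mode data connection the server opens
# itself from source port 20 (only needed if your fw->net policy is not ACCEPT).
ftp_rules_gateway() {
    cat <<EOF
# ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT net fw tcp 21
ACCEPT net fw tcp $PASV_RANGE
ACCEPT fw net tcp - 20
EOF
}

# Rules for ProFTPD on a LAN host behind the gateway (MOttS's DNAT layout).
ftp_rules_dnat() {
    cat <<EOF
# ACTION SOURCE DEST PROTO DPORT
DNAT net masq:$1 tcp 21
DNAT net masq:$1 tcp $PASV_RANGE
EOF
}

if [ "${1:-}" = demo ]; then
    ftp_rules_gateway | lint_shorewall_rules && echo "gateway rules: ok"
    ftp_rules_dnat 192.168.1.100 | lint_shorewall_rules && echo "dnat rules: ok"
    printf 'ACCEPT net fw ftp 20,21 -\n' | lint_shorewall_rules || echo "bad rule rejected"
fi
```

Run it as `sh ftprules.sh demo` to see both rule sets pass and the `ftp`-as-protocol line get rejected, or source it and pipe your own /etc/shorewall/rules into lint_shorewall_rules. The passive-range warning is deliberately not an error: with the FTP conntrack helper loaded the kernel opens data ports on demand, but a fixed PassivePorts range plus an explicit rule is the easier thing to reason about on a home gateway.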



hi

Everything is running on the one PC: firewall, mail server, web server, and FTP server. It's more a home project so I can get to grips with Linux.

If I stop ProFTPD and start in.ftpd and try to connect, I get a login failed message when I try to connect.

@Michel thanks for the help but it didn't work....

all the best


Maybe some advice:

If Shorewall blocks anything, it is probably written down in /var/syslog.

If not, you can add an info keyword in policies or set info to yes in the Shorewall config file, I think.

Anyway, normally it does this: start up the Internet or any network you need. Wait a moment until your clock is a minute further on than when you started the network. Then try to connect to the proftpd server. If something is blocked, you can check the "/var/syslog" file (sometimes the "/var/messages" file). Search for the time you connected to the proftpd server and check if there are any logs from Shorewall...
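The check Michel describes, done with a script instead of reading the log by eye. This is an added example, not code from the thread. Shorewall logs through the kernel with the prefix "Shorewall:<chain>:<disposition>:" followed by netfilter's KEY=VALUE fields, so the entries for one destination port can be picked out by field rather than by grepping for the time. The sample log lines are constructed for the example; eth1 as the outside interface, the host name and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull Shorewall DROP/ACCEPT entries for
# one destination port out of syslog. The lines in SAMPLE_LOG are constructed;
# eth1 as the outside interface and the addresses are assumptions.

SAMPLE_LOG='Jan 12 21:03:14 mdk9 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=111.111.111.111 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=33412 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 21:03:20 mdk9 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=198.51.100.9 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=1029 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 12 21:04:01 mdk9 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= SRC=203.0.113.7 DST=111.111.111.111 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=33413 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 21:04:02 mdk9 proftpd[1234]: connect from 203.0.113.7'

# shorewall_hits DPORT [DISPOSITION]  < syslog
# Prints "timestamp chain disposition iface proto src" for each matching entry.
# DISPOSITION defaults to DROP; pass ACCEPT to see what the firewall let through.
shorewall_hits() {
    awk -v want="$1" -v disp="${2:-DROP}" '
        /Shorewall:/ {
            chain = ""; action = ""; iface = ""; src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Shorewall:/) {          # Shorewall:net2all:DROP:IN=eth1
                    split($i, p, ":")
                    chain = p[2]; action = p[3]
                    sub(/^IN=/, "", p[4]); iface = p[4]
                } else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
                else if ($i ~ /^DPT=/)    dpt   = substr($i, 5)
            }
            if (dpt == want && action == disp)
                printf "%s %s %s %s %s %s %s %s\n", $1, $2, $3, chain, action, iface, proto, src
        }'
}

# count_shorewall_hits DPORT [DISPOSITION] < syslog  -> number of matching entries
count_shorewall_hits() {
    shorewall_hits "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = demo ]; then
    echo "dropped connections to port 21:"
    printf '%s\n' "$SAMPLE_LOG" | shorewall_hits 21
    echo "accepted connections to port 21:"
    printf '%s\n' "$SAMPLE_LOG" | shorewall_hits 21 ACCEPT
fi
```

On a real box run `shorewall_hits 21 < /var/log/messages` (or wherever syslog puts kernel messages on your system). If that shows nothing for the minute you tried to connect while `shorewall_hits 21 ACCEPT` shows the SYN being accepted, the firewall is not the problem and the daemon is, which is the conclusion this thread ends up at.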


Well, you opened port 21 with the MCC and still can't connect to it? ... It seems a server problem now, not a firewall problem.

To make things clean I suggest you run SSHD instead. If you can connect to your computer with SSH from the web then it will definitely be a server problem and not a Shorewall problem. SSH is like Telnet but everything is encrypted. Furthermore, SSH comes with a built-in FTP server which is encrypted too. This is why it is called SFTP (Secured FTP).

First of all, open the MCC and click SoftwareManager->InstallPrograms. Rpmdrake will open; do a search for 'openssh-server' and install it. Now click System->Services and start SSHD from there. Now click Security->Firewall and tick the SSH box (that should be there now). Finally, open a console and type 'ifconfig' to get your IP address and type 'ssh -l Username YourIP' where Username is a valid user on your machine (like 'root' or your personal account in /home). You'll be prompted for a password if the user you log in with requires one. If everything worked locally then try to connect to your machine from the net or ask one of your friends to do so. If it worked then ProFTPD has a problem and Shorewall is OK.

If you want an SSH and SFTP client for Windows here is one -->

ftp://sunsite.unc.edu/pub/packages/securi...lient-3.2.3.exe

Good luck!

ciao

MOtTs
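MOttS's conclusion (port open, daemon refusing) fits how ProFTPD behaves: the main server only answers on the address its hostname (or a DefaultAddress directive) resolves to, and a connection arriving on any other local address, such as the public IP on the outside interface, gets exactly the "500 Sorry, no server available to handle request on <addr>" reply quoted at the top of the thread unless "DefaultServer on" is set in the main context or a <VirtualHost> for that address exists. Working on the LAN but not from outside is what that looks like when the hostname resolves to the LAN address, which is an inference here, not something the thread states. The script below is an added example, not code from the thread or from the ProFTPD project: it reads a proftpd.conf and reports whether the main server will answer on every address. Both config samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a proftpd.conf lets the
# main server answer on every local address. Without "DefaultServer on" in the
# main (non-<VirtualHost>) context, a connection to an address the daemon did
# not bind a server config to is refused with
# "500 Sorry, no server available to handle request on <addr>".
# The two configs below are constructed samples.

CONF_LAN_ONLY='ServerName "mdk9 home ftp"
ServerType standalone
DefaultServer off
Port 21
<VirtualHost 192.168.1.1>
    DefaultServer on
</VirtualHost>'

CONF_ANY_ADDR='ServerName "mdk9 home ftp"
ServerType standalone
DefaultServer on
Port 21
PassivePorts 49152 49999'

# proftpd_main_directive NAME < proftpd.conf
# Prints the value of NAME in the main context only; a "DefaultServer on"
# inside a <VirtualHost> block does not count, which is the usual trap.
proftpd_main_directive() {
    awk -v name="$1" '
        /^[ \t]*<VirtualHost/   { depth++ }
        /^[ \t]*<\/VirtualHost/ { depth-- }
        depth == 0 && tolower($1) == tolower(name) { val = $2 }
        END { if (val != "") print val }'
}

# Returns 0 when the main server accepts connections on any local address.
proftpd_answers_on_any_address() {
    v=$(proftpd_main_directive DefaultServer)
    case "$(echo "$v" | tr 'A-Z' 'a-z')" in
        on) return 0 ;;
        *)  return 1 ;;
    esac
}

# The three settings this thread touches: standalone vs inetd, DefaultServer,
# and the passive range that the firewall rules have to match.
proftpd_report() {
    conf=$(cat)
    printf 'ServerType:    %s\n' "$(printf '%s\n' "$conf" | proftpd_main_directive ServerType)"
    printf 'DefaultServer: %s\n' "$(printf '%s\n' "$conf" | proftpd_main_directive DefaultServer)"
    printf 'PassivePorts:  %s\n' "$(printf '%s\n' "$conf" | awk '/^[ \t]*PassivePorts/ { print $2 ":" $3 }')"
}

if [ "${1:-}" = demo ]; then
    for c in "$CONF_LAN_ONLY" "$CONF_ANY_ADDR"; do
        printf '%s\n' "$c" | proftpd_report
        if printf '%s\n' "$c" | proftpd_answers_on_any_address; then
            echo "-> answers on any address"
        else
            echo "-> LAN-address only; connections to the public IP get the 500 reply"
        fi
        echo
    done
fi
```

Run `proftpd_report < /etc/proftpd.conf` on the server; if DefaultServer comes back empty or off, add `DefaultServer on` to the main section and restart ProFTPD before touching Shorewall again. A PassivePorts line that is present here but has no matching Shorewall rule is the other half of the same problem: the login will work but directory listings and transfers in passive mode will hang.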
