IPTables and passive FTP

Discussion in 'Installation/Configuration' started by Ryanmt, Apr 14, 2008.

  1. Ryanmt

    Ryanmt New Member

    I have a problem, the firewall for the ftp is stopping passive ftp from working

    Code:
    Looking up lyndsayb.co.uk
    Trying lyndsayb.co.uk:21
    Connected to lyndsayb.co.uk:21
    220 FTP Server ready.
    USER z
    331 Password required for z.
    PASS xxxx
    230 User z logged in.
    SYST
    215 UNIX Type: L8
    TYPE I
    200 Type set to I
    PWD
    257 "/" is current directory.
    Loading directory listing / from server (LC_TIME=en_GB.UTF-8)
    PASV
    227 Entering Passive Mode (78,110,167,28,198,65). <-----  ** Connection hangs here **
    Ive done alot of research and ive found out that you need to load some modules into iptables, ip_conntrack_ftp / ip_nat_ftp. I have tried modprobe <module> and nothing happens, the depmod file is empty so there are no modules on the server atall.

    The kernal is a custom ubuntu one, i installed iptables using apt-get, ive contacted my vps host who say that they have enabled the modules for me but still passive ftp still doesnt work.

    Is there any way i can diagnose this further? I dont know a way to check what modules are loaded, or how to check the logs to see what is going on.

    Thanks
    Ryan
     
  2. Ryanmt

    Ryanmt New Member

    Code:
    [email protected]:/etc/init.d$ sudo iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    DROP       tcp  --  anywhere             127.0.0.0/8         
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     0    --  anywhere             anywhere            
    DROP       0    --  BASE-ADDRESS.MCAST.NET/4  anywhere            
    PUB_IN     0    --  anywhere             anywhere            
    PUB_IN     0    --  anywhere             anywhere            
    PUB_IN     0    --  anywhere             anywhere            
    PUB_IN     0    --  anywhere             anywhere            
    DROP       0    --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 
    DROP       0    --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    PUB_OUT    0    --  anywhere             anywhere            
    PUB_OUT    0    --  anywhere             anywhere            
    PUB_OUT    0    --  anywhere             anywhere            
    PUB_OUT    0    --  anywhere             anywhere            
    
    Chain INT_IN (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    DROP       0    --  anywhere             anywhere            
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     0    --  anywhere             anywhere            
    
    Chain PAROLE (11 references)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             anywhere            
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data 
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
    DROP       icmp --  anywhere             anywhere            
    DROP       0    --  anywhere             anywhere            
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             anywhere            
    
    if thats any use
     
    Last edited: Apr 14, 2008
  3. Ryanmt

    Ryanmt New Member

    Ive been messing with this further, pretty much gave up on the ip_conntrack modules and decided to open some ports up... i didnt want to open a wide range so picked a range and enabled it in the /etc/proftpd.conf file

    then added the rule in the firewall setup on ispconfig

    I restarted both proftpd and the firewall

    still no joy and i dont understand why, should be simple port forwarding to do it this way.

    I also experimented with the MasqueradeAddress option in the conf file and it made no difference.

    When connecting via gFTP with passive enabled it stalls on the following

    PASV

    227 Entering Passive Mode (78,110,167,28,237,66).

    The first 4 numbers are the IP, the last to are the port. 237x256+66 means its trying to use 59970, why isnt it using the ports i specified!
     
    Last edited: Apr 15, 2008
  4. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/proftpd.conf?
    Are there any errors in the logs in /var/log?
     
  5. Ryanmt

    Ryanmt New Member

    no errors in /var/log/proftpd/proftpd.log

    Code:
    [email protected]:/var/log$ cat /etc/proftpd.conf   
    #
    # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
    # To really apply changes reload proftpd after modifications.
    # 
    
    # Includes DSO modules
    Include /etc/proftpd/modules.conf
    
    # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
    UseIPv6                         off
    
    ServerName                      "Citroenbob"
    ServerType                      standalone
    DeferWelcome                    off
    
    MultilineRFC2228                on
    DefaultServer                   on
    ShowSymlinks                    on
    
    TimeoutNoTransfer               600
    TimeoutStalled                  600
    TimeoutIdle                     1200
    
    DisplayLogin                    welcome.msg
    DisplayFirstChdir               .message
    ListOptions                     "-l"
    
    DenyFilter                      \*.*/
    UseReverseDNS off
    # Use this to jail all users in their homes 
    # DefaultRoot                   ~
    <Global>
    DefaultRoot ~
    
    IdentLookups off
    ServerIdent on "FTP Server ready."
    </Global>
    # Users require a valid shell listed in /etc/shells to login.
    # Use this directive to release that constrain.
    # RequireValidShell             off
    
    # Port 21 is the standard FTP port.
    Port                            21
    
    # In some cases you have to specify passive ports range to by-pass
    # firewall limitations. Ephemeral ports can be used for that, but
    # feel free to use a more narrow range.
    PassivePorts 48152 49192
    
    # If your host was NATted, this option is useful in order to
    # allow passive tranfers to work. You have to use your public
    # address and opening the passive ports used on your firewall as well.
    # MasqueradeAddress             78.110.167.28
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances                    30
    
    # Set the user and group that the server normally runs at.
    User                            proftpd
    Group                           nogroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask                           022  022
    # Normally, we want files to be overwriteable.
    AllowOverwrite                  on
    
    # Uncomment this if you are using NIS or LDAP to retrieve passwords:
    # PersistentPasswd              off
    
    # Be warned: use of this directive impacts CPU average load!
    # Uncomment this if you like to see progress and transfer rate with ftpwho
    # in downloads. That is not needed for uploads rates.
    #
    # UseSendFile                   off
    
    # Choose a SQL backend among MySQL or PostgreSQL.
    # Both modules are loaded in default configuration, so you have to specify the backend 
    # or comment out the unused module in /etc/proftpd/modules.conf.
    # Use 'mysql' or 'postgres' as possible values.
    #
    #<IfModule mod_sql.c>
    # SQLBackend                    mysql
    #</IfModule>
    
    TransferLog /var/log/proftpd/xferlog
    SystemLog   /var/log/proftpd/proftpd.log
    DebugLevel 5
    <IfModule mod_tls.c>
    TLSEngine off
    </IfModule>
    
    <IfModule mod_quota.c>
    QuotaEngine on
    </IfModule>
    
    <IfModule mod_ratio.c>
    Ratios on
    </IfModule>
    
    
    # Delay engine reduces impact of the so-called Timing Attack described in
    # http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
    # It is on by default. 
    <IfModule mod_delay.c>
    DelayEngine on
    </IfModule>
    
    <IfModule mod_ctrls.c>
    ControlsEngine        on
    ControlsMaxClients    2
    ControlsLog           /var/log/proftpd/controls.log
    ControlsInterval      5
    ControlsSocket        /var/run/proftpd/proftpd.sock
    </IfModule>
    
    <IfModule mod_ctrls_admin.c>
    AdminControlsEngine on
    </IfModule>
    
    # A basic anonymous configuration, no upload directories.
    
    # <Anonymous ~ftp>
    #   User                                ftp
    #   Group                               nogroup
    #   # We want clients to be able to login with "anonymous" as well as "ftp"
    #   UserAlias                   anonymous ftp
    #   # Cosmetic changes, all files belongs to ftp user
    #   DirFakeUser on ftp
    #   DirFakeGroup on ftp
    # 
    #   RequireValidShell           off
    # 
    #   # Limit the maximum number of anonymous logins
    #   MaxClients                  10
    # 
    #   # We want 'welcome.msg' displayed at login, and '.message' displayed
    #   # in each newly chdired directory.
    #   DisplayLogin                        welcome.msg
    #   DisplayFirstChdir           .message
    # 
    #   # Limit WRITE everywhere in the anonymous chroot
    #   <Directory *>
    #     <Limit WRITE>
    #       DenyAll
    #     </Limit>
    #   </Directory>
    # 
    #   # Uncomment this if you're brave.
    #   # <Directory incoming>
    #   #   # Umask 022 is a good standard umask to prevent new files and dirs
    #   #   # (second parm) from being group and world writable.
    #   #   Umask                           022  022
    #   #            <Limit READ WRITE>
    #   #            DenyAll
    #   #            </Limit>
    #   #            <Limit STOR>
    #   #            AllowAll
    #   #            </Limit>
    #   # </Directory>
    # 
    # </Anonymous>
    
    
    Include /etc/proftpd_ispconfig.conf
    
     
  6. daveb

    daveb Member

    I had to also add PassivePorts 48152 49192 to the /etc/proftpd_ispconfig.conf
     
  7. Ryanmt

    Ryanmt New Member

    makes no difference, the file is overwrote when restarting the server anyway i think :(
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Does it work when you switch off the firewall?
     
  9. Ryanmt

    Ryanmt New Member

    yep, works fine
     
  10. webwork

    webwork New Member

    Have you check permissions on the directory??

    I don't know the exact setup you have but usually this is caused by no proper permissions either at folder level in the server or more likely in the ftp server settings at user assignment level. Are there files in the directory? If you put one in can you read it at all or are you being denied from an empty directory? Some ftp connections will find a random port when connecting Can you try to ressign the FTP port? Change it to 27 and see what happens.
    Have you tried an Active connection as well as a passive connection?
     
  11. Ryanmt

    Ryanmt New Member

    Thanks for the reply, Active works fine.. the ftp server is functioning as it should and i can use it provided i set my client to use active transfers. If i disable the firewall in ISPConfig then passive works fine also

    This is only a passive transfer/iptables issue.
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Can you post your /etc/Bastille/bastille-firewall.cfg?
     
  13. Ryanmt

    Ryanmt New Member

    Code:
    [email protected]:~$ cat /etc/Bastille/bastille-firewall.cfg 
    #
    # /etc/bastille-firewall.cfg
    #
    # Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
    #
    # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $
    # Modified by: $Author: peterw $
    # $Date: 2002/01/04 13:34:18 $
    # $Revision: 1.7 $
    #
    # Copyright (C) 1999-2001 Peter Watkins
    #
    #    This program is distributed in the hope that it will be useful,
    #    but WITHOUT ANY WARRANTY; without even the implied warranty of
    #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #    GNU General Public License for more details.
    #
    #    You should have received a copy of the GNU General Public License
    #    along with this program; if not, write to the Free Software
    #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    #
    # Thanks to David Ranch, Brad A, Don G, and others for their suggestions
    
    # the configuration values should be whitespace-delimited lists of
    # appropriate values, e.g.
    #         TCP_PUBLIC_SERVICES="80 smtp ssh"
    # lists Web (port 80), SMTP mail, and Secure Shell ports
    #
    # This script is suitable for workstations or simple NAT firewalls;
    # you may want to add more "output" restrictions for serious servers
    
    # 0) DNS servers (Linux 2.2/ipchains only)
    #        You must list your DNS servers here so that
    #        the firewall will allow them to service your lookup requests
    #
    # List of DNS servers/networks to allow "domain" responses from
    # This _could_ be nameservers as a list of <ip-address>/32 entries
    #DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
    # If you are running a caching nameserver, you'll need to allow from
    # "0.0.0.0/0" so named can query any arbitrary nameserver
    # (To enable a caching nameserver, you will also probably need to
    #  add "domain" to the TCP and UDP public service lists.)
    #DNS_SERVERS="0.0.0.0/0"
    #
    # To have the DNS servers parsed from /etc/resolv.conf at runtime,
    # as normal workstations will want, make this variable empty
    #DNS_SERVERS=""
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    DNS_SERVERS=""
    
    
    # 1) define your interfaces (all systems)
    #        Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
    #        interface
    #
    # list internal/trusted interfaces
    # traffic from these interfaces will be allowed
    # through the firewall, no restrictions
    #TRUSTED_IFACES="lo"                                        # MINIMAL/SAFEST
    #
    # list external/untrusted interfaces
    #PUBLIC_IFACES="eth+ ppp+ slip+"                        # SAFEST
    #
    # list internal/partially-trusted interfaces
    # e.g. if this acts as a NAT/IP Masq server and you
    # don't want clients on those interfaces having
    # full network access to services running on this
    # server (as the TRUSTED_IFACES allows)
    #INTERNAL_IFACES=""                                # SAFEST
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    TRUSTED_IFACES="lo"                                        # MINIMAL/SAFEST
    PUBLIC_IFACES="eth+ ppp+ slip+ venet+"                        # SAFEST
    INTERNAL_IFACES=""                                # SAFEST
    
    
    # 2) services for which we want to log access attempts to syslog (all systems)
    #        Note this only audits connection attempts from public interfaces
    #
    #        Also see item 12, LOG_FAILURES
    #
    #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    # anyone probing for BackOrifice?
    #UDP_AUDIT_SERVICES="31337"
    # how about ICMP?
    #ICMP_AUDIT_TYPES=""
    #ICMP_AUDIT_TYPES="echo-request"        # ping/MS tracert
    #
    # To enable auditing, you must have syslog configured to log "kern"
    # messages of "info" level; typically you'd do this with a line in
    # syslog.conf like
    #   kern.info                                /var/log/messages
    # though the Bastille port monitor will normally want these messages
    # logged to a named pipe instead, and the Bastille script normally
    # configures syslog for "kern.*" which catches these messages
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    #UDP_AUDIT_SERVICES="31337"
    #ICMP_AUDIT_TYPES=""
    
    
    # 3) services we allow connections to (all systems)
    #
    # FTP note:
    #        To allow your machine to service "passive" FTP clients,
    #        you will need to make allowances for the passive data
    #        ports; Bastille users should read README.FTP for more
    #        information
    #
    # "public" interfaces:
    # TCP services that "public" hosts should be allowed to connect to
    #TCP_PUBLIC_SERVICES=""                                        # MINIMAL/SAFEST
    #
    # UDP services that "public" hosts should be allowed to connect to
    #UDP_PUBLIC_SERVICES=""                                        # MINIMAL/SAFEST
    #
    # "internal" interfaces:
    # (NB: you will need to repeat the "public" services if you want
    #      to allow "internal" hosts to reach those services, too.)
    # TCP services that internal clients can connect to
    #TCP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
    #
    # UDP services that internal clients can connect to
    #UDP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    TCP_PUBLIC_SERVICES="21 22 25 53 80 81 110 143 443 10000 20 58878:59999"                                        # MINIMAL/SAFEST
    UDP_PUBLIC_SERVICES="53"                                        # MINIMAL/SAFEST
    TCP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
    UDP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
    
    # 4) passive/active FTP (Linux 2.2/ipchains only)
    #        FTP is a firewall nightmare; if you allow "normal" FTP connections,
    #        you must be careful to block any TCP services that are listening
    #        on high ports; it's safer to require your FTP clients to use
    #        "passive" mode.
    #
    #        Note this will also force clients on machines
    #        that use this one for NAT/IP Masquerading to use passive mode
    #        for connections that go through this server (e.g. from the
    #        internal network to public Internet machines
    #
    #        For more information about FTP, see the Bastille README.FTP doc
    #
    #FORCE_PASV_FTP="N"
    #FORCE_PASV_FTP="Y"                                        # SAFEST
    #
    FORCE_PASV_FTP="Y"                                        # SAFEST
    
    
    # 5) Services to explicitly block. (Linux 2.2/ipchains only)
    #        See FTP note above
    #        Note that ranges of ports are specified with colons, and you
    #        can specify an open range by using only one number, e.g.
    #        1024: means ports >= 1024 and :6000 means ports <= 6000
    #
    # TCP services on high ports that should be blocked if not forcing passive FTP
    # This should include X (6000:6010) and anything else revealed by 'netstat -an'
    #  (this does not matter unless you're not forcing "passive" FTP)
    #TCP_BLOCKED_SERVICES="6000:6020"
    #
    # UDP services to block: this should be UDP services on high ports.
    # Your only vulnerability from public interfaces are the DNS and
    # NTP servers/networks (those with 0.0.0.0 for DNS servers should
    # obviously be very careful here!)
    #UDP_BLOCKED_SERVICES="2049"
    #
    # types of ICMP packets to allow
    #ICMP_ALLOWED_TYPES="destination-unreachable"                # MINIMAL/SAFEST
    # the following allows you to ping/traceroute outbound
    #ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    TCP_BLOCKED_SERVICES="6000:6020"
    UDP_BLOCKED_SERVICES="2049"
    ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request"
    
    
    # 6) Source Address Verification (all Linux systems)
    #        This helps prevent "IP Spoofing" attacks
    #
    ENABLE_SRC_ADDR_VERIFY="Y"                                # SAFEST
    
    
    # 7) IP Masquerading / NAT. (all systems)
    #        List your internal/masq'ed networks here
    #
    #        Also see item 4, FORCE_PASV_FTP, as that setting affects
    #        clients using IP Masquerading through this machine
    #
    # Set this variable if you're using IP Masq / NAT for a local network
    #IP_MASQ_NETWORK=""                                        # DISABLE/SAFEST
    #IP_MASQ_NETWORK="10.0.0.0/8"                                # example
    #IP_MASQ_NETWORK="192.168.0.0/16"                        # example
    #
    # Have lots of masq hosts? uncomment the following six lines
    #  and list the hosts/networks in /etc/firewall-masqhosts
    #  the script assumes any address without a "/" netmask afterwards
    #  is an individual address (netmask /255.255.255.255):
    #if [ -f /etc/firewall-masqhosts ]; then
    #  echo "Reading list of masq hosts from /etc/firewall-masqhosts"
    #  # Read the file, but use 'awk' to strip comments
    #  # Note the sed bracket phrase includes a space and tab char
    #  IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[         ]*::g'`
    #fi
    #
    # Masq modules
    # NB: The script will prepend "ip_masq_" to each module name
    #IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive"        # ALL (?)
    #IP_MASQ_MODULES="ftp raudio vdolive"                        # RECOMMENDED
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    IP_MASQ_NETWORK=""                                        # DISABLE/SAFEST
    IP_MASQ_MODULES="ftp raudio vdolive"                        # RECOMMENDED
    
    
    # 8) How to react to disallowed packets (all systems)
    # whether to "REJECT" or "DROP" disallowed packets; if you're running any
    # public services, you probably ought to use "REJECT"; if in serious stealth
    # mode, choose "DROP" so simple probes don't know if there's anything out there
    #        NOTE: disallowed ICMP packets are discarded with "DROP", as
    #                it would not make sense to "reject" the packet if you're
    #                trying to disallow ping/traceroute
    #        NOTE: the scripts that set up the filter rules will interpret these
    #                keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains
    #
    REJECT_METHOD="DROP"
    
    
    # 9) DHCP (Linux 2.2/ipchains only)
    #    In case your server needs to get a DHCP address from some other
    #    machine (e.g. cable modem)
    #DHCP_IFACES="eth0"                        # example, to allow you to query on eth0
    #DHCP_IFACES=""                                # DISABLED
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    DHCP_IFACES=""                                # DISABLED
    
    
    # 10) NTP servers (Linux 2.2/ipchains only)
    #        more UDP fun. List IP addresses or network space of NTP servers
    #
    #NTP_SERVERS=""                                # DISABLE NTP QUERIES / SAFEST
    #NTP_SERVERS="a.b.c.d/32 e.f.g.h/32"        # example, to allow querying 2 servers
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    NTP_SERVERS=""                                # DISABLE NTP QUERIES / SAFEST
    
    
    # 11) more ICMP. (Linux 2.2/ipchains only)
    #        Control the outbound ICMP to make yourself invisible to
    #        traceroute probes
    #
    #ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
    
    
    # 12) Logging (all systems)
    #        With this enabled, ipchains will log all blocked packets.
    #                 ** this could generate huge logs **
    #        This is primarily intended for the port mointoring system;
    #        also note that you probably do not want to "AUDIT" any services
    #        that you are not allowing, as doing so would mean duplicate
    #        logging
    LOG_FAILURES="N"                                # do not log blocked packets
    
    # 13) Block fragmented packets (all systems)
    #       There's no good reason to allow these
    #ALLOW_FRAGMENTS="N"                                # safest
    ALLOW_FRAGMENTS="Y"                                # old behavior
    
    # 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
    #        Windows machines will poll teh net with SMB broadcasts,
    #        basically advertising their existence. Most folks agree
    #        that this traffic should be dropped
    #DROP_SMB_NAT_BCAST="N"                # allow them (are you sure?)
    DROP_SMB_NAT_BCAST="Y"                # drop those packets
    
    # 15) Log level (iptables/netfilter/Linux 2.4 only)
    #        Control what level of logging is used when the firewall logs
    #        information. Default is warning (4). Lowest priority is
    #        debug (7); highest is emergency (0). To prevent syslog
    #        from copying iptables error messages to the console, set
    #        this to 6 (7 would also work, but 6 is recommended)
    #        You can also stop syslogd/klogd from printing kernel
    #        messages to the console by issuing the command
    #          setterm -msg off
    #IP_LOG_LEVEL=6                        # level used in 2.2/ipchains
    IP_LOG_LEVEL=4                        # iptables/netfilter default
    
    # 16) Always attempt to use stateful features for inbound connections
    #        Always using state will allow the firewall to reject invalid
    #        packets sent to otherwise open TCP services, e.g. XMAS, NULL
    #        and SIN/FYN scans. The downside to choosing this behavior is that
    #        services may become unreachable if the packet filter's state
    #        table becomes full.
    IP_ALWAYS_USE_STATE="N"                # default, ensures services remain available
    [email protected]:~$ 
    
    Thanks
     
  14. falko

    falko Super Moderator ISPConfig Developer

    In your proftpd.conf, you're using the ports 48152 - 49192, but in your firewall configuration you have the ports 58878 - 59999.
     
  15. Ryanmt

    Ryanmt New Member

    Hi, sorry should have said. I was experimenting in changing hte port numbers.. i have updated proftpd.conf to match
     
  16. falko

    falko Super Moderator ISPConfig Developer

    What happens if you set FORCE_PASV_FTP to N?
     
  17. Ryanmt

    Ryanmt New Member

    done that, restarted the firewall via the ispconfig interface.. no change when trying to use passive

    im sure proftpd is just ignoring the passive ports ive set in the config file, i just dont know why! grr!
     
    Last edited: Apr 17, 2008
  18. falko

    falko Super Moderator ISPConfig Developer

    What happens when you comment out the line
    Code:
    Include /etc/proftpd_ispconfig.conf
    at the end of your proftpd.conf?
     
  19. Ryanmt

    Ryanmt New Member

    that worked!!!!!!!

    can i leave it like that? whats this file for.. and why does it break things!

     
  20. falko

    falko Super Moderator ISPConfig Developer

    You need that file only if you need anonymous FTP. Otherwise you can leave it out.
     

Share This Page