Re: [Bastille-linux-discuss] 1.20 ftp, iptables, data channel problem
From: Peter W <pe...@us...> - 2001-05-18 18:26:51
On Fri, May 18, 2001 at 01:10:31PM -0500, Harmon Seaver wrote:
> Peter W wrote:
>
> > On Fri, May 18, 2001 at 09:56:51AM -0500, Harmon Seaver wrote:
> > > 192.168.0.4" and /etc/xinetd.d/wu-ftpd doesn't have the
> > > libwrap line or any disable=yes line. Which, frankly,
> > > surprises me, since all the others I've looked at do.
> >
> > Surprises me, too. Does it have any disable= line?
>
> no disable= line whatsoever.
Ugh, that's a problem, as Bastille looks for the disable=
line to figure out where to put the NOLIBWRAP flags for any
config that doesn't already have a flags line. :-(
How many lines do you have that end with "{" (plus optional
whitespace)? That begin with optional whitespace and "}"?
> > If you are logging in to the ftpd but can't list or
> > xfer files, somewhere (/usr/share/docs/Bastille?) you
> > should have a file named readme.ftp
> Well, I can log in now, and am not getting a file list, so I
> guess I'll have to relook at this. Did read the readme.ftp before but
> disregarded it since it seems to be for ipchains, and I'm running
> iptables.
Right, the ports should not matter if you're using the Bastille
netfilter/iptables script. The next thing I'd do is change LOG_FAILURES
in /etc/Bastille/bastille-firewall.cfg to "Y", run
/etc/rc.d/init.d/bastille-firewall start
try the FTP business, and see what iptables may log for you.
That should work as-is, as ip_conntrack_ftp is loaded and should make the
passive data channel connection show up as RELATED and, therefore, be
allowed. :-(
-Peter
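One way to see the xinetd problem the reply describes, as an added Python example that is not Bastille's own code: a small checker for a single-service xinetd file that counts the brace lines Peter asks about and makes sure a flags= line carries NOLIBWRAP, inserting one after disable= when no flags line exists and, as an assumed fallback not taken from the thread, after the service block's opening brace when disable= is missing too. The wu-ftpd entry is constructed to match the description above, not copied from any distribution.

```python
import re

# Constructed sample of an /etc/xinetd.d/wu-ftpd entry as described in the
# thread: a single service block with neither a "disable =" nor a "flags ="
# line (hypothetical content, not the real file from any distribution).
SAMPLE_WU_FTPD = """service ftp
{
    socket_type  = stream
    wait         = no
    user         = root
    server       = /usr/sbin/in.ftpd
    server_args  = -l -a
    log_on_success += DURATION USERID
    log_on_failure += USERID
    nice         = 10
}
"""

def brace_counts(text):
    """Count lines that end with '{' (plus optional whitespace) and lines
    that begin with optional whitespace and '}', the check Peter asks for."""
    lines = text.splitlines()
    opens = sum(1 for l in lines if re.search(r'\{\s*$', l))
    closes = sum(1 for l in lines if re.match(r'\s*\}', l))
    return opens, closes

def add_nolibwrap(text):
    """Return the single-service config with NOLIBWRAP in a flags= line.

    Existing flags= line: append NOLIBWRAP if absent. No flags= line: insert
    one after disable=. No disable= line either (the thread's case): fall back
    to the line after the opening '{' (an assumption, not Bastille behaviour).
    """
    lines = text.splitlines()
    flags_idx = next((i for i, l in enumerate(lines)
                      if re.match(r'\s*flags\s*=', l)), None)
    if flags_idx is not None:
        if 'NOLIBWRAP' not in lines[flags_idx]:
            lines[flags_idx] = lines[flags_idx].rstrip() + ' NOLIBWRAP'
        return '\n'.join(lines) + '\n'
    anchor = next((i for i, l in enumerate(lines)
                   if re.match(r'\s*disable\s*=', l)), None)
    if anchor is None:
        # No disable= line to key on, so use the service block's opening
        # brace rather than leaving the file silently unchanged.
        anchor = next(i for i, l in enumerate(lines) if re.search(r'\{\s*$', l))
    lines.insert(anchor + 1, '    flags = NOLIBWRAP')
    return '\n'.join(lines) + '\n'
```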