problems with WS_FTP, firewall and Zope web server.
I was trying to FTP files to the Zope web server on my Red Hat Linux server. Zope FTP uses port 8021, so after opening WS_FTP I clicked Connect; in Session Properties / Advanced I set the remote port number to 8021 and the network timeout to 60. In Session Properties / General I set the host name to my Linux server name, which the Zope web server resides on, put the root manager name of the Zope website in the UserID field along with the password, and clicked OK. It gives the following info:

connecting to 128.192.47.24:34864
200 port command successfully.
LIST
150 opening ascii node data connection for the list
!timer cancelled blocking call
!accept error: blocking call cancelled
!Retrieve of folder list failed (O)

I failed to do FTP with WS_FTP. Any suggestions will be greatly appreciated!! Thanks.

We use iptables as the firewall on the Linux machine. The iptables rules are as follows:

#==============================================================
# Iptables firewall script
#==============================================================

# Load modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Reset the rules
iptables -F
iptables -X
iptables -Z

# Setup default DROP policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Definitions
IFACE="eth0"
IPADDR="128.192.47.115"
TNET="128.192.0.0/16"
NAMESERVER_1="128.192.1.9"
NAMESERVER_2="128.192.1.193"
BROADCAST="128.192.255.255"
DHCPS="0.0.0.0"
BLAST="255.255.255.255"
LOOPBACK="127.0.0.1"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
FISHER="128.192.47.142"

#====================================================================
## Kernel Flags

# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't Accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering (prevent IP spoofing)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done

# Don't Log spoofed packets, source routed packets, redirect packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/log_martians

# Turn off IP forwarding
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

#====================================================================
# Rules

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#=======================================================================
## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do
# this we divert tcp packets with the SYN bit set off to a user-defined
# chain. Up to limit-burst connections can arrive in 1/limit seconds
# ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again.
# The default limit is 3/hour. The default limit burst is 5.
#
# iptables -N syn-flood
# iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
# iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
# iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
# iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j LOG \
#     --log-prefix "NonSYN New TCP: " --log-level warn
# iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

#=====================================================================
## Fragments
# Deny and log all fragments except those from Fisher(nfs)(chg 11/9/01).
# iptables -A INPUT -i $IFACE -f -s $FISHER -j ACCEPT
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP

#=====================================================================
## Anti-Spoofing
# Accept Broadcast Packets from Samba
iptables -A INPUT -i $IFACE -p udp -s $IPADDR -d $BROADCAST \
    --dport 137:139 -j ACCEPT

#=======================================================================
## Zope
# Allow inbound
iptables -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 8021 -j ACCEPT

#=======================================================================
# FTP
# Allow FTP Outbound
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state \
    ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state \
    NEW,ESTABLISHED -j ACCEPT

# Active outbound FTP
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state \
    ESTABLISHED -j ACCEPT

# Passive inbound and outbound FTP
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound FTP
iptables -A INPUT -i $IFACE -p tcp --dport 21 -m state --state \
    NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 21 -m state --state \
    ESTABLISHED -j ACCEPT

# Active inbound FTP
iptables -A INPUT -i $IFACE -p tcp --dport 20 -m state --state \
    ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 20 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
--------------------------------
Jianping Zhu
Department of Computer Science
University of Georgia
Athens, GA 30602
Tel 706 5423900
--------------------------------
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Have you tried a packet sniffer? You can see what is going on and easily diagnose the problem. Try this one: http://www.analogx.com/contents/download/network/pmon.htm

marcio

| it gives info as following:
| connecting to 128.192.47.24:34864
| 200 port command successfully.
| LIST
| 150 opening ascii node data connection for the list
| !timer cancelled blocking call
| !accept error: blocking call cancelled
| !Retrieve of folder list failed (O)
|
| I failed to do ftp with ws_ftp.
|
| Any suggestions will be greatly appreciated!!
| Thanks
I'm shooting in the dark without knowing more about your firewall config, but in packet-filtering firewalls (like iptables or ipchains on Linux), you should make sure you are accepting 'established' outbound and inbound packets. The reason is that FTP, unlike many other TCP protocols, negotiates some of the communication ports in a dynamic fashion. Firewalls, of course, don't like this very much.

Two ways around this situation: allow established connections in your firewall chain rules. Adjust your ws_ftp session properties, advanced settings to allow passive FTP.

Bryan

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Marcio Marchini
Sent: Monday, August 19, 2002 12:01 PM
To: Jianping Zhu; zope@zope.org
Subject: RE: [Zope] problems with ws-ftp, firewall and zope web sever.

Have you tried a packet sniffer? You can see what is going on and easily diagnose the problem. Try this one: http://www.analogx.com/contents/download/network/pmon.htm

marcio
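Bryan's point above in working form, as an added example that is not from the thread, from Zope or from WS_FTP: a toy model of a conntrack-style FTP helper and of the INPUT/OUTPUT chains posted in the original message, replaying the session from the log. It shows why the "200 PORT command successful" followed by an accept timeout is exactly what the posted rules produce when the helper does not watch port 8021, and that the same rules pass the data connection once it does. Assumptions are labelled in the code: the client's control source port, the server's ephemeral data source port and the PASV port are constructed sample values, and only the posted rules that can match an FTP data SYN are modelled.

```python
"""Toy model of a conntrack FTP helper against the chains posted above.

FTP announces the data-connection endpoint inside the control channel: the
client's "PORT h1,h2,h3,h4,p1,p2" (active mode) or the server's "227 Entering
Passive Mode (h1,h2,h3,h4,p1,p2)" reply (PASV).  A stateful filter can mark
the later data SYN as RELATED only if an FTP helper watched that control
connection; the Linux helper watches TCP port 21 unless given a ports= list,
so a control connection to 8021 creates no expectation and the data SYN is NEW.
"""
import re
from typing import FrozenSet, Optional, Set, Tuple

Endpoint = Tuple[str, int]

PORT_RE = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(rb"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_ftp_endpoint(line: bytes) -> Optional[Endpoint]:
    """Decode the host/port a PORT command or a 227 reply announces.

    Returns None for any other control-channel line.  Raises ValueError when an
    octet or port byte is outside 0..255 (malformed or hostile input): a helper
    must refuse such a line rather than open an expectation from it.
    """
    match = PORT_RE.match(line) or PASV_RE.match(line)
    if match is None:
        return None
    fields = [int(x) for x in match.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"bad PORT/PASV tuple: {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches control connections whose server port is in `ports` and records
    (source IP, destination endpoint) of the data SYN to expect."""

    def __init__(self, ports: FrozenSet[int] = frozenset({21})):
        self.ports = ports
        self.expected: Set[Tuple[str, Endpoint]] = set()

    def observe(self, client: Endpoint, server: Endpoint,
                line: bytes, from_client: bool) -> None:
        if server[1] not in self.ports:
            return                      # unwatched port: the helper never sees the line
        announced = parse_ftp_endpoint(line)
        if announced is None:
            return
        if from_client:                 # PORT: the server will connect out to the client
            self.expected.add((server[0], announced))
        else:                           # 227: the client will connect in to the server
            self.expected.add((client[0], announced))

    def is_related(self, src_ip: str, dst: Endpoint) -> bool:
        return (src_ip, dst) in self.expected


UP_PORTS = range(1024, 65536)           # $UP_PORTS in the posted script


def posted_chain_verdict(chain: str, sport: int, dport: int, state: str) -> str:
    """Verdict of the posted INPUT/OUTPUT chain for a TCP SYN.

    Only the posted rules that can match an FTP data SYN are modelled: the
    explicit NEW accepts (8080, 8021 and 21 inbound, 21 outbound) and the
    $UP_PORTS ESTABLISHED,RELATED rules; anything else hits the DROP policy.
    """
    if chain == "INPUT" and dport in (8080, 8021, 21):
        return "ACCEPT"
    if chain == "OUTPUT" and dport == 21:
        return "ACCEPT"
    if sport in UP_PORTS and dport in UP_PORTS and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"


CLIENT = ("128.192.47.24", 3345)        # WS_FTP; control source port is a sample value
SERVER = ("128.192.47.115", 8021)       # Zope FTP server from the thread


def zope_port_mode_outcome(helper_ports: FrozenSet[int]) -> str:
    """Replay the logged session: PORT ...,136,48 (= 34864), then LIST.
    Returns the OUTPUT-chain verdict for the server's data SYN."""
    helper = FtpHelper(helper_ports)
    helper.observe(CLIENT, SERVER, b"PORT 128,192,47,24,136,48", from_client=True)
    helper.observe(CLIENT, SERVER, b"200 PORT command successful.", from_client=False)
    helper.observe(CLIENT, SERVER, b"LIST", from_client=True)
    data_sport, data_dst = 40123, ("128.192.47.24", 34864)   # ephemeral source port: sample
    state = "RELATED" if helper.is_related(SERVER[0], data_dst) else "NEW"
    return posted_chain_verdict("OUTPUT", data_sport, data_dst[1], state)


def zope_pasv_mode_outcome(helper_ports: FrozenSet[int]) -> str:
    """Same session with the client in PASV mode, as suggested in the thread.
    Returns the INPUT-chain verdict for the client's data SYN."""
    helper = FtpHelper(helper_ports)
    helper.observe(CLIENT, SERVER, b"PASV", from_client=True)
    helper.observe(CLIENT, SERVER,
                   b"227 Entering Passive Mode (128,192,47,115,156,201).",  # 40137: sample
                   from_client=False)
    data_sport, data_dst = 3350, ("128.192.47.115", 40137)
    state = "RELATED" if helper.is_related(CLIENT[0], data_dst) else "NEW"
    return posted_chain_verdict("INPUT", data_sport, data_dst[1], state)


if __name__ == "__main__":
    for ports in (frozenset({21}), frozenset({21, 8021})):
        print(sorted(ports), "PORT:", zope_port_mode_outcome(ports),
              "PASV:", zope_pasv_mode_outcome(ports))
```

On the real box the equivalent of `FtpHelper(frozenset({21, 8021}))` is loading the helper with its port list: `modprobe ip_conntrack_ftp ports=21,8021` on the 2.4-era kernel in the thread, or `modprobe nf_conntrack_ftp ports=21,8021` on current kernels. With that, the data SYN is classified RELATED and the "Passive inbound and outbound FTP" rules already in the posted script accept it in both active and passive mode; without it, the SYN is NEW and both modes fall through to the DROP policy, which is the accept timeout WS_FTP reports.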
| Two ways around this situation: allow established connections in your
| firewall chain rules. Adjust your ws_ftp session properties, advanced
| settings to allow passive ftp.

I already suggested the PASV mode, and so far no feedback. The original message is below.

--------------------------------------------------------------------------------------------
If you are behind a firewall, you may need to enable/force PASV mode in your FTP client. In LeechFTP, the GUI option is File->Options, Firewall tab, radio button "PASV mode". No idea for WS_FTP as I do not use it.

marcio
--------------------------------------------------------------------------------------------

marcio
participants (3): Bryan Capitano, Jianping Zhu, Marcio Marchini