I am running Opensuse 12.3 and I configured a Firewall with a DMZ. Within the DMZ I have my Webserver with FTP.
The problem is that the FTP server is not reachable for the data connection from outside. Remember: there is no NAT, just routing.
An FTP client is able to connect to the server, but when trying to show the directory it is missing the data connection. With tcpdump I saw that the firewall is stopping the high ports.
I am able to open all the high ports to my DMZ, but I would prefer to use nf_conntrack_ftp, which should open the required ports when needed for the already active connection.
I set the following tags:
FW_DEV_INT=""  # there is no internal zone
FW_DEV_DMZ="eth1"
FW_DEV_EXT="eth0"
FW_SERVICES_DMZ_TCP="22 40000:41000 21"  # my proftp opens only 40,000 to 40,999 …
FW_SERVICES_ACCEPT_RELATED_DMZ="0/0,tcp,21"
FW_FORWARD="0/0,178.63.146.115,tcp,21"
FW_LOAD_MODULES="nf_conntrack_ftp"
The rest should be configured as it comes from Suse…
Can anyone give me a hint? I tried a lot of things, but it never changed anything…
First I’ve heard of this kernel module supporting PASV secondary connections.
A little research suggests it has to be compiled and loaded, but on my 3.7 kernel it isn't; the following command would display it if it were:
lsmod | grep nf_conntrack_ftp
I didn’t research this further; if it’s a pre-compiled LKM (I assume likely) then it would likely be possible to invoke from a console, and if that works it can be loaded at boot either by creating a custom Unit or adding a line to /etc/sysctrl.conf
If it’s not an LKM, then you’ll have to find out what is required.
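A small check for the point made above, added here as an example and not part of any poster's reply: the first function reads lsmod-style output on stdin (so it can be tested offline on the constructed sample embedded below) and reports whether nf_conntrack_ftp is present; the second writes the modules-load.d fragment that keeps it loaded across reboots on a systemd system such as openSUSE 12.3. The sample lsmod lines are constructed; the /etc/modules-load.d path is the standard systemd location, and the original poster's FW_LOAD_MODULES="nf_conntrack_ftp" setting asks SuSEfirewall2 to load the same module, so this is a way to verify that it actually happened.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the FTP connection-tracking
# helper module is loaded, and persist it for the next boot.

# Returns 0 when a module line for nf_conntrack_ftp appears in lsmod output
# read from stdin; returns 1 otherwise.  Live use:  lsmod | conntrack_ftp_loaded
conntrack_ftp_loaded() {
  grep -q '^nf_conntrack_ftp[[:space:]]'
}

# Write a modules-load.d fragment to the path given in $1.  On the firewall
# itself that path would be /etc/modules-load.d/nf_conntrack_ftp.conf; systemd
# reads every *.conf file there at boot and modprobes the module names listed.
write_modules_load_fragment() {
  printf 'nf_conntrack_ftp\n' > "$1"
}

# Constructed samples of lsmod output (columns: module, size, use count, used by).
# The helper depends on nf_conntrack, which therefore lists it as a user.
SAMPLE_LSMOD_WITH='nf_conntrack_ftp       16384  0
nf_conntrack          131072  1 nf_conntrack_ftp
x_tables               40960  1'
SAMPLE_LSMOD_WITHOUT='nf_conntrack          131072  0
x_tables               40960  1'

# One-off load for the current boot, if the check above reports it missing:
#   modprobe nf_conntrack_ftp
# The helper parses the plaintext FTP control channel on port 21 by default
# (module parameter "ports" changes that), so it cannot follow FTPS sessions.
```

The grep anchors on the module name followed by whitespace so that a module whose name merely starts with nf_conntrack_ftp would not be mistaken for it.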
So, the question is: Where are you accepting connections from and where are they supposed to be directed?
By my first guess, I think it would be that you are attempting to establish connections from the 'Net which should be forwarded to your DMZ?
First of all, set FW_ROUTE="yes" - otherwise no routing is going to take place at all.
FW_SERVICES_DMZ_TCP opens the ports specified for your DMZ on the firewall only. Somehow I doubt that that is what you intended…
Opening SSH should be fine when you have neither monitor nor keyboard attached to that box; otherwise I recommend having that one shut. So your best bet would be to drop all other ports besides SSH if you don’t have any services running on your firewall that would require them.
FW_SERVICES_ACCEPT_RELATED_DMZ is nonsensical as well (especially without any open ports on your firewall that point toward the DMZ) so you should leave that one empty, too. Anyway, it’s only necessary in very few situations.
FW_FORWARD looks plausible since it performs the actual forwarding from the 'Net to the DMZ (you only have to forward the FTP control port) - and you don’t have to provide a backlink since the passive connection would be outgoing from your FTP server’s point of view - which means directed to the 'Net, and those connections are routed automatically. The only thing you would have to do is opening the passive ports (if it’s 40,000 up to 40,999 you should have only those open on the client side - opening 41,000 is plain useless and would conflict with the strategy to keep everything that’s not used at least closed).
@Robidu: thanks for the explanations, that's the way I solved the problem: I configured my proftp so that it opens only the ports 40,000 to 40,100, checked with nmap that no other ports are opened in this area, and used FW_FORWARD to forward these 100 ports to my webserver inside the DMZ. All the other configurations I removed.
Now it's working like a charm…
I think nf_conntrack_ftp is designed to work with FTP connections coming from the inside area of a LAN to FTPs in the external zone… In my case there is no way to use it…
The explanation for FW_SERVICES_DMZ_TCP I still didn't get right, I think. How can I specify a DMZ port on my firewall?? It doesn't help me anymore with this FTP problem, but maybe you can help me to understand the SuSEfirewall a bit better and give me an example…
FW_SERVICES_DMZ_TCP (or FW_SERVICES_DMZ_UDP, FW_SERVICES_DMZ_IP or FW_SERVICES_DMZ_RPC, respectively) is only necessary when you want to open up ports on your firewall so that the machines in your DMZ can access the associated services (which normally shouldn’t be necessary) running there. For example, if you were running a time server on your firewall and the machines in the DMZ wanted to sync, you would have to open the NTP port so that those machines are capable of accessing the service (i. e. FW_SERVICES_DMZ_TCP="ntp"), otherwise they cannot establish a connection. That variable is in no way necessary for outbound connections (i. e. the ones pointing from the DMZ to the 'Net), and inbound connections (DMZ -> INT) are blocked by default.
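To make the distinction between FW_SERVICES_DMZ_TCP and FW_FORWARD concrete, here is an added example that is not any poster's actual /etc/sysconfig/SuSEfirewall2: a constructed fragment for the routed (no NAT) DMZ FTP setup the thread ends up with, plus a small linter for the three points the replies raise (FW_ROUTE must be "yes", each FW_FORWARD entry needs source,destination,protocol,port, and a port listed in FW_SERVICES_DMZ_TCP opens the firewall's own port to the DMZ rather than forwarding anything). The DMZ address 178.63.146.115 and the 40000:40100 passive range are the values given earlier in the thread; the file layout, the linter and its messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original poster's config: a constructed SuSEfirewall2
# fragment for a routed DMZ FTP server plus a linter for common mix-ups.

# Write the constructed config fragment to the file named in $1.
write_example_config() {
  cat > "$1" <<'EOF'
FW_ROUTE="yes"                      # without this nothing is forwarded at all
FW_DEV_INT=""                       # no internal zone
FW_DEV_DMZ="eth1"
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="22"            # only SSH on the firewall itself
FW_SERVICES_DMZ_TCP=""              # opens firewall ports to the DMZ; not needed here
FW_SERVICES_ACCEPT_RELATED_DMZ=""
# FTP control port plus the server's passive range, routed from anywhere to the DMZ host
FW_FORWARD="0/0,178.63.146.115,tcp,21 0/0,178.63.146.115,tcp,40000:40100"
EOF
}

# Lint a SuSEfirewall2-style file: findings go to stderr, the count to stdout.
lint_fw_config() {
  cfg=$1
  problems=0
  unset FW_ROUTE FW_FORWARD FW_SERVICES_DMZ_TCP
  # The file is plain shell assignments; sourcing executes it, so only lint files you own.
  . "$cfg"

  if [ -n "$FW_FORWARD" ] && [ "$FW_ROUTE" != "yes" ]; then
    echo "FW_FORWARD is set but FW_ROUTE is not \"yes\": nothing will be routed" >&2
    problems=$((problems + 1))
  fi

  for entry in $FW_FORWARD; do
    # Split the entry on commas: source,destination,protocol,port[,...]
    oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs
    if [ $# -lt 4 ]; then
      echo "FW_FORWARD entry '$entry' needs source,destination,protocol,port" >&2
      problems=$((problems + 1))
      continue
    fi
    port=$4
    case $port in
      *:*)
        lo=${port%%:*}; hi=${port#*:}
        case "$lo$hi" in
          *[!0-9]*) ;;   # service names: leave those to SuSEfirewall2 itself
          *) [ "$lo" -le "$hi" ] || { echo "FW_FORWARD range '$port' is reversed" >&2; problems=$((problems + 1)); } ;;
        esac
        ;;
    esac
    # The same port in FW_SERVICES_DMZ_TCP opens the firewall's own port to the
    # DMZ; it forwards nothing, so it is a sign of the mix-up discussed above.
    for svc in $FW_SERVICES_DMZ_TCP; do
      if [ "$svc" = "$port" ]; then
        echo "port $port is also in FW_SERVICES_DMZ_TCP; that opens the firewall itself, not the DMZ host" >&2
        problems=$((problems + 1))
      fi
    done
  done
  echo "$problems"
}

# Demo: write the constructed fragment to a temp file and lint it (prints 0).
demo() {
  tmp=$(mktemp) || return 1
  write_example_config "$tmp"
  lint_fw_config "$tmp"
  rm -f "$tmp"
}

# On the firewall itself:  lint_fw_config /etc/sysconfig/SuSEfirewall2
```

Running the linter over the original poster's settings (no FW_ROUTE, port 21 in both FW_SERVICES_DMZ_TCP and FW_FORWARD) reports exactly the two points Robidu raised, which is the quickest way to confirm that a config edit actually addressed them before reloading the firewall.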
Cool. Reading up on this, I also noted the <very recent> SUSE Firewall package description that it is now a “stateful firewall” which must reference this kernel module.
After opening up your port range, IMO you should still test the ports in that range to be certain that the responses are “Denied” and not just “No Response.”