[BSD] firewall problem (???)

Laszlo Nagy gandalf at shopzeus.com
Mon, 14 Jan 2008, 13:39:45 CET


Hi all,

There is an FTP server that I can't reach. The operator of the FTP server 
claims that they have no firewall, and that if there is a problem it can 
only be on my side. I, however, can't figure out what's wrong. Here are my 
rules:

00001 0 0 deny udp from 41.204.36.250 to me
00002 0 0 deny tcp from 41.204.36.250 to me
00003 0 0 deny udp from 41.204.37.229 to me
00004 0 0 deny udp from 41.204.37.229 to me
00005 0 0 deny tcp from 196.29.123.226 to me
00006 0 0 deny udp from 196.29.123.226 to me
00007 0 0 deny tcp from 69.86.88.140 to me
00008 0 0 deny udp from 69.86.88.140 to me
00101 2 112 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
00102 0 0 allow tcp from any to me dst-port 21 in
00104 178 77741 allow tcp from any to me dst-port 4430 in
00105 0 0 allow tcp from any to me dst-port 4431 in
00106 0 0 allow tcp from any to me dst-port 4432 in
00107 40 5664 allow tcp from any to me dst-port 4433 in
00108 0 0 allow tcp from any to me dst-port 4434 in
00109 0 0 allow tcp from any to me dst-port 4435 in
00110 15 4452 allow tcp from any to me dst-port 25 in
00111 0 0 allow tcp from any to me dst-port 3690 in
00112 0 0 allow tcp from any to me dst-port 995 in
00113 80 8798 allow tcp from any to me dst-port 993 in
00114 8 665 allow tcp from any to me dst-port 80 in
00115 0 0 allow tcp from any to me dst-port 443 in
00116 18 1786 allow tcp from any to me dst-port 444 in
00117 332 121969 allow tcp from any to me dst-port 5432 in
00118 75 7232 allow tcp from any to me dst-port 22 in
00119 0 0 allow tcp from any to me dst-port 123
00120 0 0 allow tcp from any to me dst-port 123
00121 0 0 allow tcp from 209.67.181.90 to me
01021 1248 381525 allow ip from me to any out
02021 0 0 allow tcp from 195.228.240.249 53 to me
02022 12 1439 allow udp from 195.228.240.249 53 to me
02023 0 0 allow tcp from 195.228.242.180 53 to me
02024 0 0 allow udp from 195.228.242.180 53 to me
03021 482 140075 allow ip from 127.0.0.0/24 to any in
03022 0 0 allow ip from 127.0.0.0/24 to any out
04021 0 0 deny log logamount 10 ip from any to 127.0.0.0/24
05021 0 0 allow ip from any to any out
06021 1 48 deny log logamount 10 tcp from any to any setup in
06031 30 12472 allow tcp from any to any established
07021 0 0 deny log logamount 10 ip from any to any frag
07022 3073 199851 deny log logamount 10 ip from any to any
65535 3 182 deny ip from any to any



The important one is rule 00121, which says to let everything in from the 
FTP server.
This is what happens:

gandalf at designaproduct.biz~#ftp -d -A 209.67.181.90
Connected to 209.67.181.90.
220 Marketplace ready...
ftp_login: user `<null>' pass `<null>' host `209.67.181.90'
Name (209.67.181.90:gandalf): info at shopzeus.com
---> USER info at shopzeus.com
331 Password required for info at shopzeus.com.
Password:
---> PASS XXXX
230 User info at shopzeus.com logged in.
---> SYST
215 Marketplace
Remote system type is Marketplace.
---> FEAT
211-Extensions supported:
AUTH TLS
CCC
CLNT
CPSV
EPRT
EPSV
MDTM
MFCT
MFMT
MLST type*;size*;create;modify*;
MODE Z
PASV
PBSZ
PROT
REST STREAM
SIZE
SSCN
TVFS
UTF8
XCRC "filename" SP EP
XMD5 "filename" SP EP
XSHA1 "filename" SP EP
211 End.
features[FEAT_FEAT] = 1
features[FEAT_MDTM] = 1
features[FEAT_MLST] = 1
features[FEAT_REST_STREAM] = 1
features[FEAT_SIZE] = 1
features[FEAT_TVFS] = 1
got localcwd as `/root'
---> PWD
257 "/" is current directory.
got remotecwd as `/'
ftp> ls
---> EPRT |1|195.228.74.135|64784|
200 Port command successful.
---> LIST
425 Cannot open data connection.
ftp>


Here, after "---> LIST" there is a long wait and then it throws the 425 error. 
It looks as if it cannot connect to the machine, and obviously something is 
wrong with my firewall rule, but I can't figure out what. Unfortunately I 
can't test it, because I can't connect from that IP. (How else could I test 
it?)

Thanks,

Laci
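As an added example, not part of the original post and not ipfw's own code: a minimal first-match evaluator over the subset of the posted rules that can see the inbound active-mode data connection. It shows that the SYN the server sends to port 64784 (the port announced in the EPRT line) is allowed by rule 00121 only when it really arrives from 209.67.181.90; from any other source address it falls through to rule 06021, which denies and logs it. The local address is taken from the EPRT line; the second source address is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

ME = "195.228.74.135"  # local address, taken from the EPRT line in the session

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    direction: str  # "in" or "out"
    syn_only: bool  # True for a connection-opening SYN (what ipfw calls "setup")

# Posted rules that can match an inbound TCP packet to the EPRT port 64784, in
# ipfw order; the dst-port 21..5432 rules cannot match it and are left out.
# Fields: number, action, proto, src, dst, direction, tcp flags.
RULES = [
    (121,  "allow", "tcp", "209.67.181.90", "me",  None,  None),
    (1021, "allow", "ip",  "me",            "any", "out", None),
    (5021, "allow", "ip",  "any",           "any", "out", None),
    (6021, "deny",  "tcp", "any",           "any", "in",  "setup"),
    (6031, "allow", "tcp", "any",           "any", None,  "established"),
    (7022, "deny",  "ip",  "any",           "any", None,  None),
]

def addr_match(pattern, addr):
    if pattern == "any":
        return True
    if pattern == "me":
        return addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def first_match(pkt):
    # ipfw semantics: the first rule whose every field matches decides the packet.
    for num, action, proto, src, dst, direction, flags in RULES:
        if proto != "ip" and proto != pkt.proto:
            continue
        if direction is not None and direction != pkt.direction:
            continue
        if flags == "setup" and not pkt.syn_only:
            continue
        if flags == "established" and pkt.syn_only:
            continue
        if addr_match(src, pkt.src) and addr_match(dst, pkt.dst):
            return num, action
    return 65535, "deny"  # the implicit default rule

# The SYN the server must send to port 64784 after "EPRT |1|195.228.74.135|64784|".
SYN_FROM_SERVER = Packet("tcp", "209.67.181.90", ME, "in", True)
# Constructed: the same SYN from an address other than the server's control
# address (198.51.100.7 is a documentation-range placeholder, not a real host).
SYN_FROM_ELSEWHERE = Packet("tcp", "198.51.100.7", ME, "in", True)
```

Since 00121 is the only posted rule that admits that SYN, its packet counter and the log entries produced by 06021 are the two things to inspect on the live box while a LIST is pending.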

More information about the BSD mailing list