[Zope] problems with ws-ftp, firewall and zope web server.
Jianping Zhu
zjp@arches.uga.edu
Mon, 19 Aug 2002 14:12:05 -0400 (EDT)
I was trying to ftp files to the Zope web server on my Red Hat Linux server.
Zope FTP uses port 8021, so after opening WS_FTP I clicked Connect; in
Session Properties/Advanced I set the remote port number to 8021 and the
network timeout to 60. In Session Properties/General I set the host name to my
Linux server name (the machine the Zope web server resides on), put the root
manager name of the Zope website in the UserID field along with the password,
and clicked OK.
It gives the following info:
connecting to 128.192.47.24:34864
200 port command successfully.
LIST
150 opening ascii node data connection for the list
!timer cancelled blocking call
!accept error: blocking call cancelled
!Retrieve of folder list failed (O)
I failed to do ftp with WS_FTP.
Any suggestions will be greatly appreciated!!
Thanks.
We use iptables as the firewall on the Linux machine; the iptables.rule file is as
follows:
#==============================================================
# Iptables firewall script
#==============================================================
# Load modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Reset the rules
iptables -F
iptables -X
iptables -Z
# Setup default DROP policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Definitions
IFACE="eth0"
IPADDR="128.192.47.115"
TNET="128.192.0.0/16"
NAMESERVER_1="128.192.1.9"
NAMESERVER_2="128.192.1.193"
BROADCAST="128.192.255.255"
DHCPS="0.0.0.0"
BLAST="255.255.255.255"
LOOPBACK="127.0.0.1"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
FISHER="128.192.47.142"
#====================================================================
## Kernel Flags
# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't Accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering (prevent IP spoofing)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done
# Don't Log spoofed packets, source routed packets, redirect packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
# Turn off IP forwarding
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
#====================================================================
# Rules
## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#=======================================================================
## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do
# this we divert tcp packets with the SYN bit set off to a user-defined
# chain. Up to limit-burst connections can arrive in 1/limit seconds
# ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again.
# The default limit is 3/hour. The default limit burst is 5.
#
# iptables -N syn-flood
# iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
# iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
# iptables -A syn-flood -j DROP
## Make sure NEW tcp connections are SYN packets
# iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j LOG \
# --log-prefix "NonSYN New TCP: " --log-level warn
# iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
#=====================================================================
## Fragments
# Deny and log all fragments except those from Fisher(nfs)(chg 11/9/01).
# iptables -A INPUT -i $IFACE -f -s $FISHER -j ACCEPT
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP
#=====================================================================
## Anti-Spoofing
# Accept Broadcast Packets from Samba
iptables -A INPUT -i $IFACE -p udp -s $IPADDR -d $BROADCAST \
--dport 137:139 -j ACCEPT
#=======================================================================
## Zope
# Allow inbound
iptables -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 8021 -j ACCEPT
#=======================================================================
#==================================================================
# FTP
# Allow FTP Outbound
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state \
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state \
NEW,ESTABLISHED -j ACCEPT
# Active outbound FTP
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state \
ESTABLISHED -j ACCEPT
# Passive inbound and outbound FTP
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound FTP
iptables -A INPUT -i $IFACE -p tcp --dport 21 -m state --state \
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 21 -m state --state \
ESTABLISHED -j ACCEPT
# Active inbound FTP
iptables -A INPUT -i $IFACE -p tcp --dport 20 -m state --state \
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 20 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
> --------------------------------
> Jianping Zhu
> Department of Computer Science
> Univerity of Georgia
> Athens, GA 30602
> Tel 706 5423900
> --------------------------------
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
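The following is an added example, not part of the original post, that models the OUTPUT chain of the script above to show why the WS_FTP session stalls right after "200 port command successful": in active mode the Zope FTP server must open a new data connection to the client's PORT address, and with `iptables -P OUTPUT DROP` that SYN only passes if conntrack marks it RELATED, which `ip_conntrack_ftp` does only for control ports it is told to watch (port 21 by default; `modprobe ip_conntrack_ftp ports=21,8021` adds the Zope port). It assumes the Zope FTP server opens the data connection from an unprivileged source port; the client port numbers are constructed.

```python
# Added example (not from the original post): a small model of the script's
# OUTPUT chain and of how ip_conntrack_ftp changes the data-connection verdict.
from dataclasses import dataclass

UP_LO, UP_HI = 1024, 65535          # UP_PORTS="1024:65535" from the script
SERVER = "128.192.47.115"           # IPADDR from the script
CLIENT = "128.192.47.24"            # client address from the WS_FTP log
ZOPE_FTP_PORT = 8021                # Zope FTP control port from the script


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool


def conntrack_state(pkt, helper_ports):
    """Approximate ip_conntrack: a non-SYN reply on the control connection is
    ESTABLISHED; a fresh SYN is NEW unless the FTP helper watched the control
    port (helper_ports) and saw the PORT command, which makes it RELATED.
    Assumption: the helper has seen the client's PORT command."""
    if not pkt.syn:
        return "ESTABLISHED"
    return "RELATED" if ZOPE_FTP_PORT in helper_ports else "NEW"


def output_chain(pkt, state):
    """The OUTPUT rules from the script that can match traffic to the client."""
    def in_up(port):
        return UP_LO <= port <= UP_HI
    if pkt.sport == 21 and state == "ESTABLISHED":
        return "ACCEPT"
    if pkt.sport == 20 and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if in_up(pkt.sport) and in_up(pkt.dport) and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"                   # iptables -P OUTPUT DROP


def verdict(pkt, helper_ports=(21,)):
    """Verdict for a server-originated packet; default helper watches port 21 only."""
    return output_chain(pkt, conntrack_state(pkt, helper_ports))


# Control reply ("200 port command successful") and the active-mode data SYN the
# server sends towards the client's PORT address (client ports constructed).
CONTROL_REPLY = Packet(SERVER, ZOPE_FTP_PORT, CLIENT, 2048, syn=False)
DATA_SYN = Packet(SERVER, 40000, CLIENT, 34864, syn=True)  # ephemeral src port assumed

if __name__ == "__main__":
    print("control reply:", verdict(CONTROL_REPLY))                        # ACCEPT
    print("data SYN, helper on 21 only:", verdict(DATA_SYN))                # DROP
    print("data SYN, helper ports=21,8021:", verdict(DATA_SYN, (21, 8021)))  # ACCEPT
```

The DROP verdict on the data SYN is what the client reports as "accept error: blocking call cancelled"; either loading the helper with `ports=21,8021` or using passive mode with an explicit rule for Zope's data ports avoids it.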