Description of Problem:
After upgrading to RH7.1 (on firewall) my ipchains scripts that used to
RH7.0 now fail links, lynx and wget with any site ftp://blah.blah. Netscape
X and Windows works, ftp and ncftp work as well.
Links, lynx and wget work on the firewall itself but behind the firewall.
These programs work within the internal network.
I suspect it is because ip_masq_ftp is gone. I haven't converted to iptables
yet, but it looks like I will have to much sooner than planned.
Use the attached ipchains script on a test machine and try to access
ftp://ftp.redhat.de via links or lynx or do a wget on an ftp site (known to
Steps to Reproduce:
FTP port command failed (links)
Unable to access document (lynx)
wget (invalid port)
get to sites and/or download
Created attachment 21206
ipchains config file
With the 2.4 kernel, ip_masq_ftp has been renamed. HTH.
Sorry, you are right.
I've mixed up the "lsmod" config of a RHL 7.1 machine running the 2.2.19 kernel
and my workstation running the 2.4 kernel and iptables.
Your ipchains script is not affected, though. It's just that the protocol
specific masquerading support is not available.
IP masquerade helpers for ipchains are not available in the 2.4 kernel.
If you need to use any of the helper programs, you will need to switch
to iptables and use ftp conntracking, et al.
Alternative workaround: Use passive mode FTP in all software that supports
it. Consult the software documentation for each program that fails to
determine if it supports passive mode FTP or not.
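An added illustration, not part of the original report or any commenter's code, of why active-mode FTP fails behind a masquerading firewall without an FTP helper while passive mode works: the client's PORT command carries its internal address in the payload, which plain masquerading does not touch. The addresses, the NAT port and the function names are constructed for this sketch, and `masquerade()` is a simplified model of what a helper does, not the kernel's code.

```python
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" where port = p1 * 256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Return (IPv4Address, port) advertised by an FTP PORT command."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def format_port(ip, port):
    """Build a PORT command for the given address and port."""
    return "PORT %s,%d,%d\r\n" % (str(ip).replace(".", ","), port >> 8, port & 0xFF)

def masquerade(line, public_ip, helper_loaded, nat_port=61000):
    """Model what the FTP server receives on the control connection.

    Plain masquerading rewrites only the IP/TCP headers, so the payload
    passes through unchanged. A protocol helper also rewrites the PORT
    payload to the firewall's public address and a port it will forward.
    nat_port is a constructed value.
    """
    if not helper_loaded or not line.startswith("PORT "):
        return line
    return format_port(ipaddress.IPv4Address(public_ip), nat_port)

def server_can_connect_back(line):
    """False if the advertised address is RFC 1918 space the server cannot reach."""
    ip, _ = parse_port(line)
    return not any(ip in net for net in RFC1918)

# Constructed sample: internal client 192.168.1.10 listening on port 1027
SAMPLE = "PORT 192,168,1,10,4,3\r\n"
PUBLIC_IP = "203.0.113.5"  # constructed (documentation range)

if __name__ == "__main__":
    for helper in (False, True):
        seen = masquerade(SAMPLE, PUBLIC_IP, helper)
        print("helper=%s server sees %r reachable=%s"
              % (helper, seen, server_can_connect_back(seen)))
```

In passive mode the client sends PASV instead and opens the data connection outbound itself, so no payload rewrite is needed.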
Since I am not ready yet to switch to iptables your suggestion did the trick
with only one exception. Links has no documentation, no man page to set
passive mode.
I am re-opening this as a feature enhancement against links. I have installed
iptables and I still get a port command failed with links. While I am still
researching to see if I did anything wrong, I was informed by the maintainer
that links doesn't do passive ftp. The only solution available is to not use
links (e.g. ftp://ftp.isc.org) or come up with some sort of proxy method to
regain full functionality.
links is not a program created here, and so it is unlikely we would add
support for passive mode FTP to it, especially when there are other tools
that work through passive ftp. It isn't my package however so not my call.
When changing packages, be sure to also assign to the new component owner
I've passed this feature request on to the links mailing list - maybe someone
has the time to add this before I do.
I replaced a minimal iptables with non-passive ftp support enabled. I switched
lynx and wget back to non-passive mode and they work. Astonishingly enough
links still gets a port command failed even with iptables. I am enclosing as an
attachment my working rc.firewall. You may want to pass this on to the links
people. I was trying to make this work because I thought links was going to
replace lynx.
ready for primetime.
Created attachment 22166