Web Hosting Talk

IPchains FTP


dutchie
02-09-2002, 06:50 AM
I installed ipchains in my raq's without problems.
But now some users start to complain that they cannot ftp to their sites. When I try it myself I have no problems at all.

Now I read somewhere that I should add all ip's that my raq uses like:
ipchains -A input -i eth0 -p udp --source xxx.xxx.xxx.xx -j ACCEPT

Can anyone confirm if that is correct? I do use quite some ip's so I like to be sure before I'm typing all afternoon :)

GideonX
02-09-2002, 08:55 AM
I've noticed after installing ipchains, pasv mode on the ftp will not work. Not exactly sure on it but haven't found a solution yet on the forum aside from just disabling pasv in my ftp client :eek:

dutchie
02-09-2002, 09:07 AM
I have passive mode enabled and have no problems, my customer does with the same program :eek:

Pingu
02-09-2002, 09:21 AM
I used pmfirewall to configure ipchains.

The first time I installed it, I accidentally locked out everyone for every service located NOT on the main ip-address. I didn't notice because my own ip-address has access no matter what :rolleyes:

So I edited the pmfirewall.conf and pmfirewall.rules.local to include the other ip's.
To add an entire range of ip-address you can use netmasks.
I added 16 ip's like this:
111.111.111.111/255.255.255.240

That's a hell of a lot easier than adding every single one.

dutchie
02-09-2002, 09:58 AM
Can you show the complete line?
Btw it looks like the problems are caused by the firewall of my client, although he didn't change anything, can it be that my firewall triggers his :confused:

dutchie
02-09-2002, 10:12 AM
He uses "Zone-Alarm" and gets the next message
The firewall has blocked Internet access to your computer (TCP Port 1404)
from custmersite.com (xx.xx.xx.52) (FTP Data) [TCP Flags: S].

User: custermersname
Program: WS_FTP 95
Time: 9-2-2002 14:24:42

He says he can only login with the firewall off and the passive mode disabled, no other combination
:(

Pingu
02-09-2002, 03:16 PM
Basically it's his problem then. Somehow he should configure his firewall to let custmersite.com (xx.xx.xx.52) in I guess, but I don't know Zone-Alarm or any of those win32 things

And the one line is actually many lines, kinda hard to put up here. Did you use pmfirewall to configure ipchains? Or did you do it yourself?

shortfork
02-10-2002, 01:56 AM
Originally posted by dutchie
He uses "Zone-Alarm" and gets the next message
The firewall has blocked Internet access to your computer (TCP Port 1404)
from custmersite.com (xx.xx.xx.52) (FTP Data) [TCP Flags: S].
Just have him add the server ip into his advanced security settings. Zone alarm will then ignore the connection attempts and let it come in. You'll still have problems with passive, unless you open the range of ports that the ftp program is going to try to use for data connections.

Or you can add a line at the beginning of your rules to allow his ip for all ports or for that range of ports.. Not sure what the advantage of passive is since it messes with all those ports..

Shortport
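
The two data-connection directions discussed above, as an added example that is not part of the original thread: it parses an FTP `PORT` command or `227` passive reply and reports which side's firewall has to accept the incoming SYN. The addresses and control-channel lines are constructed samples, the function names are hypothetical, and source port 20 for active mode is the conventional ftp-data port.

```python
import re

# FTP writes a data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, or None."""
    m = ENDPOINT.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line, client_ip, server_ip):
    """Describe the SYN that opens the data channel negotiated by `line`."""
    words = line.split()
    endpoint = parse_endpoint(line)
    if not words or endpoint is None:
        return None
    ip, port = endpoint
    if words[0].upper() == "PORT":
        # Active mode: the server dials back to the port the client announced.
        flow = {"mode": "active", "src": server_ip, "sport": 20,
                "dst": ip, "dport": port, "must_allow_inbound": "client"}
        peer = client_ip
    elif words[0] == "227":
        # Passive mode: the client dials the high port the server announced.
        flow = {"mode": "passive", "src": client_ip, "sport": None,
                "dst": ip, "dport": port, "must_allow_inbound": "server"}
        peer = server_ip
    else:
        return None
    # An announced address that differs from the control-channel peer
    # (typically NAT in the path) is another reason the data channel fails.
    flow["endpoint_matches_peer"] = (ip == peer)
    return flow

if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "198.51.100.52"  # constructed addresses
    SAMPLE = [                                      # constructed control lines
        "PORT 192,0,2,10,5,124",
        "227 Entering Passive Mode (198,51,100,52,195,80)",
    ]
    for line in SAMPLE:
        print(line, "->", data_connection(line, CLIENT, SERVER))
```

The first sample decodes to client port 1404, the same kind of server-to-client SYN the ZoneAlarm alert reports; the second shows why passive mode needs a range of high ports open on the server side.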

cheesysticks
02-10-2002, 02:14 AM
ZONEALARM : OUTGOING FTP

SECURITY > INTERNET > CUSTOMISE > INTERNET ZONE SETTINGS > ALLOW OUTGOING TCP 21

And of course under programs allow connect for the internet should be green ticks for both local and internet

dutchie
02-10-2002, 05:52 AM
Thanks for all the great help !

I figured indeed it was his problem, and I didn't want to change anything about ipchains as it was working fine for me and almost all other users.
He managed to solve the problem with zonealarm, so it's fixed.

I hope the other users that are complaining suddenly after I installed ipchains are all "passive mode" cases ;)

dutchie
02-10-2002, 04:27 PM
Yikes, they're not I guess.
I tell customers with ftp problems to switch passive mode off in ws-ftp.
But what about Cute-ftp users? What settings should they change?