Archive for March 7th, 2003
FTP Follies
Posted: March 7th, 2003 by Frank
I set out tonight to rebuild the websites, and instead discovered a wee little gotcha in firewalling.
It seems that ftp builds not one but two connections, one for control and one for data. (It’s an old protocol, and security didn’t matter when everyone knew everyone.) Go see a book for the details, but the end result is that plain vanilla iptables will NOT recognize the second connection (data) as RELATED to the first. Bill McCarty in Linux Firewalls, which I have been relying on, seems to have made the same mistake.
I don’t have an ftp server inside the firewall, but we need to both upload and download to other servers. If you just enable port 21 --state NEW, you can start the session, but die on the PORT command.
I went googling, and sure enough the maintainers of iptables do ftp too. The secret is to modprobe in ip_nat_ftp, and ip_conntrack_ftp, and then magically ftp works.
Predictably these modules are not reloaded automatically on reboot. There’s a /etc/modules.conf file that the man page implies will cause them to be loaded, but there’s at least one level of indirection, because that’s one weird looking file. But that’s a problem for another day.
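To show why the data connection is invisible to a plain stateful rule, here is an added example (not from this post) that models what the ip_conntrack_ftp helper does: it reads the control channel for a PORT command or a 227 passive-mode reply and works out which second connection to expect as RELATED. The client and server addresses and the sample lines are constructed.

```python
"""Toy model of the FTP conntrack helper. Example code, not the kernel's."""
import re

# RFC 959 packs an IPv4 address and a port as six decimal bytes:
# h1,h2,h3,h4,p1,p2 where port = p1*256 + p2.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' string, or None."""
    m = _SIX.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(b > 255 for b in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def expected_data_connection(line, client_ip, server_ip):
    """Given one control-channel line, say which data connection a firewall
    should expect. Returns (direction, ip, port), or None when the line opens
    no data channel. client_ip/server_ip are the control-connection endpoints."""
    line = line.strip()
    if line.upper().startswith("PORT "):      # active mode: server connects back
        hp = decode_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        # Simplification: only expect a connection to the client itself, so a
        # PORT naming some other host never opens a hole through the firewall.
        if ip != client_ip:
            return None
        return ("server->client", ip, port)
    if line.startswith("227 "):               # passive mode: client connects out
        hp = decode_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        if ip != server_ip:                   # same caution for the server side
            return None
        return ("client->server", ip, port)
    return None

if __name__ == "__main__":
    # Constructed sample control-channel lines.
    for l in ["USER frank", "PORT 192,168,1,10,4,1",
              "227 Entering Passive Mode (10,0,0,5,195,80)"]:
        print(l, "->", expected_data_connection(l, "192.168.1.10", "10.0.0.5"))
```

Without a helper doing this parsing, the firewall sees the data connection as a brand-new flow, which is exactly the "die on the PORT command" behaviour described above.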
Posted under Tech Stuff.
Comments: none
And now there’s mail
Posted: March 7th, 2003 by Frank
Tip of the day. Under Red Hat 8 sendmail.cf has moved to /etc/mail. No biggie, except nobody told Linuxconf. So our mail bounced for most of the day, until I thought to copy /etc/sendmail.cf to /etc/mail/sendmail.cf and magically the mail came through.
In the interim I got to read in the sendmail book about how easy it is to configure sendmail using M4. The DEA ought to visit those people. M4 allows you to write the gibberish that sendmail needs in a format that is (barely) comprehensible to mortal man. It is still a bassackwards pile of arcane gibberish.
Natheless, the mail is coming through. It still seems to take several minutes to fetch said mail. I have no clue why, but as long as it is indeed making it, I will defer the question till after the websites are up. Granolageek, including this log, is up. Tonight comes therichards.org: lots of pages, but no software.
Posted under Tech Stuff.
Comments: none