Welcome, Guest. Please login or register.
Did you miss your activation email?
Saturday 30 November 2024, 06:13:31 pm

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  DNAT
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: DNAT  (Read 8786 times)
DrDamnit
Jr. Member
*
Offline Offline

Posts: 2


« on: Monday 14 December 2009, 11:05:22 am »

I created a port fowrad (DNAT) that just won't work for some reason.

Access from: Any
Target Type: Any Uplink
Filter Policy: ALLOW
Service: User Defined, tcp 990
Translate to IP: 192.168..
DNAT Policy: DNAT
Port Range {blank}
Status: Enabled.

grc.com sheilds up port scan says that this port is stealth. nmap from outside the network shows no response. and I cannot log into the FTPS server that is behind the firewall. This all used to work when I had EFW 2.x RC1. Upgraded, and have had problems ever since.

What am I doing wrong?
Logged

DrDamnit
EFW Community version 2.3
Running on a Dell Optiplex 280 P4, 512MB RAM
Ed34222
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Wednesday 31 March 2010, 03:05:13 am »

I created a port fowrad (DNAT) that just won't work for some reason.

Access from: Any
Target Type: Any Uplink
Filter Policy: ALLOW
Service: User Defined, tcp 990
Translate to IP: 192.168..
DNAT Policy: DNAT
Port Range {blank}
Status: Enabled.

grc.com sheilds up port scan says that this port is stealth. nmap from outside the network shows no response. and I cannot log into the FTPS server that is behind the firewall. This all used to work when I had EFW 2.x RC1. Upgraded, and have had problems ever since.

What am I doing wrong?


EFW has a bad snort pre-proccessor rule that flags FTPS and FTPES as bad, and another one that bounces the packets instead of just giving a false positive warning.  I have tried to override these entries in Snort.Conf; but, EFW puts them back whenever I restart the IPS.

If anyone has another file or location I can used to set up an override for that pre-processor please let me know.

The problem was documented in a snort forum post.  The solution was to change the pre-processor settings for the FTP Encryption test from yes to no.

To fix it, log into to your EFW using SSH, and modify /etc/snort/snort.conf.tmpl
 it looked like the following should have fixed it; but, it only turned of the warning:
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful

  And change the yes to no.

I don't know of my final solution was the best one or not; but, I remarked out all the ftp_telnet preprocessor lines and it worked.

If anyone out there has a better solution - please let us know.  Thanks;
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.07 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com