proftpd: IPV6_V6ONLY: Protocol not available - Mandrake



Thread: proftpd: IPV6_V6ONLY: Protocol not available

  1. proftpd: IPV6_V6ONLY: Protocol not available

    Mandriva 2007, proftpd 1.30.-4 package.

    There's a 10 second delay in starting ftp sessions from every client
    I've tried (Firefox, Seamonkey, Filezilla, command line FTP on linux
    and XP) to the proftpd server that comes with Mandriva 2007. Once the
    session starts there are no more delays. (All rpm updates
    for Mandriva are current.)

    Here's a typical session from the proftpd.log file, edited to protect
    the innocent:

    Jan 29 11:49:36 ftpserver_name1 proftpd[11012] ftp_server_name2 (ftp_client[::ffff:131.215.12.39]): error setting IPV6_V6ONLY: Protocol not available
    Jan 29 11:49:46 ftpserver_name1 proftpd[11012] ftp_server_name2 (ftp_client[::ffff:131.215.12.39]): FTP session opened.
    Jan 29 11:49:48 ftpserver_name1 proftpd[11012] ftp_server_name2 (ftp_client[::ffff:131.215.12.39]): invalid CommandBufferSize size (0) given, resetting to default buffer size (512)
    Jan 29 11:49:49 ftpserver_name1 proftpd[11012] ftp_server_name2 (ftp_client[::ffff:131.215.12.39]): ANON anonymous: Login successful.

    Note that the canonical name of the machine is ftpserver_name2 and the
    "hostname" and alias are ftpserver_name1. At some point soon that will
    be resolved but for now that's how it is. I don't think this is a name
    lookup issue as "nslookup" on either of them comes back instantly.

    Anyway, after the IPV6_V6ONLY error there is a 10 second delay
    before the ftp session opens. I want to eliminate this delay.
    How can that be done???


    Also, what is the source of the IPV6_V6ONLY nonsense? Since every
    client does this I'm guessing that it's something about the server,
    either ftpd itself or Mandriva 2007.

    Thanks,

    David Mathog



  2. Re: proftpd: IPV6_V6ONLY: Protocol not available

    On Mon, 29 Jan 2007 12:07:19 -0800, David Mathog wrote:
    > Mandriva 2007, proftpd 1.30.-4 package.
    >
    > There's a 10 second delay in starting ftp sessions from every client
    > before the ftp session opens. I want to eliminate this delay.
    > How can that be done???


    Well without seeing what you have setup, my suggestions,

    Do make sure that ip address Fully Qualified Domain Name (FQDN)
    and short name are in both node's hosts file.
    /etc/hosts for linux and guessing it would be
    c:\windows\system32\drivers\etc\hosts for your XP Home edition. Example:

    $ head /etc/hosts
    127.0.0.1     localhost
    192.168.2.1   fw.home.invalid  fw
    192.168.2.30  wb.home.invalid  wb
    ------------  ---------------  --
         ^               ^         ^
         |               |         |
      ip addy          FQDN    short name



    click up a terminal
    su - root

    Fire up an editor of your choice and remove the
    search line from /etc/resolv.conf
    save and quit, and then

    echo NETWORKING_IPV6=no >> /etc/sysconfig/network
    echo NOZEROCONF=no >> /etc/sysconfig/network


    service avahi-daemon stop
    chkconfig --del avahi-daemon
    chkconfig avahi-daemon off
    service network stop

    service network start

    exit # to close root session
    exit # to close user terminal


    If you still have problems, we would like to see what you have set up.

    -------- standard debug network problem text/script follows: ------------
    dump_net.txt version 2.2



    Once you get your network running you may want to run xx one last time
    and save the output file for disk crash/new installs

    Might not hurt to save xx for one of a network debugging checklist step.


    The following script dumps your hardware status, network settings and
    config files used in network setup. We need them to troubleshoot your
    problem.

    If you are having to use windows to access Usenet:
    Format a diskette on the windows system.


    Copy the following xx.txt script into xx.txt using notepad.exe
    then save xx.txt to the diskette.

    Feel free to include the #**** start/end xx.txt script **** lines.

    If using linux for usenet access, su - root, copy script text into xx
    chmod +x xx
    ./xx

    and include a.txt (if on linux) or dosa.txt (if on windows) in your reply.


    NOTE: to become root, you need to do a
    su - root
    not su root


    #******** start of xx.txt script ****************

    _out_fn=a.txt

    # Append a file's contents to the report, if the file exists.
    function cat_fn
    {
        _fn=$1
        if [ -f "$_fn" ] ; then
            echo "======== cat $_fn ==========" >> $_out_fn
            cat "$_fn" >> $_out_fn
        fi
    } # cat_fn

    # Append the last 18 lines of a file to the report, if the file exists.
    function grep_fn
    {
        _fn=$1
        if [ -e "$_fn" ] ; then
            echo "======== tail -18 $_fn ==========" >> $_out_fn
            tail -18 "$_fn" >> $_out_fn
        fi
    } # grep_fn

    #********************************
    # check if commands are in $PATH
    # and if not add their path to $PATH
    #********************************

    _path=""
    type ifconfig > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
        _path="${_path}/sbin:"
    fi

    type cat > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
        _path="${_path}/bin:"
    fi

    type id > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
        _path="${_path}/usr/bin:"
    fi

    if [ -n "$_path" ] ; then
        PATH=${_path}$PATH
        export PATH
    fi

    #********************************
    # check if root and logged in correctly
    #********************************

    _uid=$(id --user)

    if [ "$_uid" -ne 0 ] ; then
        echo " "
        echo "You need to be root to run $0"
        echo "Click up a terminal and do the following:"
        echo " "
        echo "su - root"
        echo "$PWD/xx"
        exit 1
    fi

    # "su root" keeps the caller's LOGNAME/USER; "su - root" resets them
    root_flg=1

    if [ -n "$LOGNAME" ] ; then
        if [ "$LOGNAME" != "root" ] ; then
            root_flg=0
        fi
    fi

    if [ -n "$USER" ] ; then
        if [ "$USER" != "root" ] ; then
            root_flg=0
        fi
    fi

    if [ $root_flg -eq 0 ] ; then
        echo " "
        echo "Guessing you did a su root"
        echo "instead of a su - root"
        echo "please exit/logout of this session and do the following:"
        echo " "
        echo "su - root"
        echo "$PWD/xx"
        echo " "
        exit 1
    fi


    #********************************
    # main code starts here
    #********************************


    date > $_out_fn
    chmod 666 $_out_fn

    if [ -n "$_path" ] ; then
        echo ======== echo $PATH ========== >> $_out_fn
        echo $PATH >> $_out_fn 2>&1
    fi

    cat_fn /etc/product.id

    echo ======== cat /etc/*release ========== >> $_out_fn
    cat /etc/*release >> $_out_fn 2>&1

    echo ======== uname -rvi ============= >> $_out_fn
    uname -rvi >> $_out_fn

    echo ======== cat /etc/*version ========== >> $_out_fn
    cat /etc/*version >> $_out_fn 2>&1

    echo ======== cat /proc/version ========== >> $_out_fn
    cat /proc/*version >> $_out_fn 2>&1

    type lsb_release > /dev/null 2>&1
    if [ $? -eq 0 ] ; then
        echo ======== lsb_release -a ========== >> $_out_fn
        lsb_release -a >> $_out_fn 2>&1
    fi

    echo " " >> $_out_fn
    echo msec security level is $SECURE_LEVEL >> $_out_fn

    type chkconfig > /dev/null 2>&1
    if [ $? -eq 0 ] ; then
        echo ======== chkconfig --list ========== >> $_out_fn
        for _serv in avahi named tmdns ; do
            chkconfig --list | grep $_serv > /dev/null 2>&1
            if [ $? -eq 0 ] ; then
                echo "Double check if /$_serv/ that not running" >> $_out_fn
            fi
        done

        # services switched on in at least one runlevel
        chkconfig --list | grep :on >> $_out_fn
        chkconfig --list | tail -15 >> $_out_fn

    else
        echo ======== ls -o /etc/rc2.d ========== >> $_out_fn
        for _serv in avahi named tmdns ; do
            ls /etc/rc2.d/S* | grep $_serv > /dev/null 2>&1
            if [ $? -eq 0 ] ; then
                echo " /$_serv/ is running" >> $_out_fn
            fi
        done

        ls -o /etc/rc2.d >> $_out_fn
    fi

    _fn=/etc/nsswitch.conf
    if [ -e $_fn ] ; then
        echo ======== grep hosts: $_fn ========== >> $_out_fn
        grep hosts: $_fn >> $_out_fn
    fi

    cat_fn /etc/resolv.conf

    echo ======== hostname ========== >> $_out_fn
    hostname >> $_out_fn

    cat_fn /etc/hostname
    cat_fn /etc/HOSTNAME

    ls /etc/mod*.conf > /dev/null 2>&1
    if [ $? -eq 0 ] ; then
        echo "======== grep eth /etc/mod*.conf ==========" >> $_out_fn
        grep eth /etc/mod*.conf >> $_out_fn
    fi

    cat_fn /etc/dhclient-enter-hooks

    cat_fn /etc/host.conf

    echo ================ ifconfig -a =============== >> $_out_fn
    ifconfig -a >> $_out_fn

    echo ============== route -n ================= >> $_out_fn
    route -n >> $_out_fn

    cat_fn /etc/sysconfig/network/routes

    cat_fn /etc/sysconfig/network

    echo ============== head -15 /etc/hosts =============== >> $_out_fn
    head -15 /etc/hosts >> $_out_fn

    cat_fn /etc/network/interfaces
    cat_fn /var/run/network/ifstate


    # pick whichever link-status tool is installed (mii-tool wins if both are)
    _cmd=""
    type ethtool > /dev/null 2>&1
    if [ $? -eq 0 ] ; then
        _cmd="ethtool"
    fi

    type mii-tool > /dev/null 2>&1
    if [ $? -eq 0 ] ; then
        _cmd="mii-tool -v"
    fi

    if [ -z "$_cmd" ] ; then
        echo ======== mii-tool/ethtool NOT INSTALLED ========== >> $_out_fn
    fi

    for nic in 0 1 2 ; do

        if [ -n "$_cmd" ] ; then
            $_cmd eth$nic > /dev/null 2>&1
            if [ $? -eq 0 ] ; then
                echo ======== $_cmd eth$nic ========== >> $_out_fn
                $_cmd eth$nic >> $_out_fn
            fi
        fi

        cat_fn /etc/sysconfig/network-scripts/ifcfg-eth$nic

        ifconfig eth$nic > /dev/null 2>&1
        if [ $? -eq 0 ] ; then
            # $5 of the lower-cased ifconfig output is the MAC address
            set -- $(ifconfig eth$nic | tr 'A-Z' 'a-z')
            cat_fn /etc/sysconfig/network/ifcfg-eth-id-$5
        fi

        grep_fn /var/lib/dhcp/dhclient-eth${nic}.leases
        grep_fn /etc/dhcpc/dhcpcd-eth${nic}.info

    done


    cat_fn /etc/hosts.allow
    cat_fn /etc/hosts.deny
    echo "======= end of config/network data dump ===========" >> $_out_fn

    # DOS copy of the report with CR/LF line endings
    _dos_fn=$PWD/dos${_out_fn}
    awk '{print $0 "\r" }' $PWD/$_out_fn > $_dos_fn
    chmod 666 $_dos_fn


    echo " "
    echo "If posting via linux, post contents of $PWD/$_out_fn"
    echo "You might want to copy it to your account with the command"
    echo "cp $PWD/$_out_fn ~your_login"
    echo " "
    echo "If posting via windows, post contents of $PWD/$_dos_fn"
    echo " "
    echo "If using diskette,"
    echo "Copy $_dos_fn to diskette with the following commands:"
    echo " "
    echo "mkdir -p /floppy"
    echo "mount -t auto /dev/fd0 /floppy"
    echo "cp $_dos_fn /floppy"
    echo "umount /floppy "
    echo " "
    echo "and $_dos_fn is ready for windows from diskette"
    echo " "

    #*********** end of dump xx.txt script *********


    and then copy xx.txt to the diskette.

    On some linux distributions, you may need to get into the User/Group
    screen, show all users, double click root, create the password, and
    enable root. Root's password should never be the same as anyone else's.

    To move xx.txt from diskette to the linux box, click up a linux terminal
    su - root
    (root's passwd)

    mkdir -p /floppy
    mount -t auto /dev/fd0 /floppy
    tr -d '\015' < /floppy/xx.txt > xx
    chmod +x xx
    ./xx

    Back on the windows OS, you can cut/paste the a:\dosa.txt into your reply
    under windows.
    Do not attach it.

    If you are dual booting the box, you can copy xx.txt to linux from windows.
    Note: The following assumes /dev/hda1 is where windows is installed on the
    first partition on the C: drive

    mkdir -p /doze
    mount -t auto /dev/hda1 /doze
    tr -d '\015' < "/doze/whever/you saved/xx.txt" > xx
    umount /doze

    On windows you can read dosa.txt from a linux partition if you installed
    windows linux driver from
    http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm

  3. Re: proftpd: IPV6_V6ONLY: Protocol not available

    Bit Twister wrote:
    > On Mon, 29 Jan 2007 12:07:19 -0800, David Mathog wrote:
    >> Mandriva 2007, proftpd 1.30.-4 package.
    >>
    >> There's a 10 second delay in starting ftp sessions from every client
    >> before the ftp session opens. I want to eliminate this delay.
    >> How can that be done???

    >
    > Well without seeing what you have setup, my suggestions,


    Well, your suggestions got rid of the IPV6_V6ONLY message but there's
    still a longish delay, about 6 seconds now. The change that
    did this was:

    cat /etc/sysconfig/network
    NETWORKING=yes
    GATEWAY=XXX.XXX.XXX.XXX
    HOSTNAME=ftpserver_name1 <-this is actually fully qualified
    NETWORKING_IPV6=no
    NOZEROCONF=yes

    Where the last two lines were added. avahi was not running, so I guessed
    there was no reason to turn on zeroconf.

    I put entries in /etc/hosts and it made no difference, nor did removing
    the search in /etc/resolv.conf. Nor did rearranging entries in the
    hosts lines of /etc/nsswitch.conf (left at "hosts dns nis", but the only
    thing in hosts now is localhost.) Turning off the firewall also doesn't
    help. ping to either name starts instantly - it isn't acting like a
    name lookup problem.

    I timed the appearance of proftpd.log entries a bit better. On the
    linux ftp client side it did:

    % ftp ftpserver
    Connected to ftpserver_name1

    with the "connected" coming up rapidly, then it sat. Nothing appeared
    in the log file (by running "tail -1" over and over on the server side)
    until the client then showed:

    220 ProFTPD 1.3.0 Server (Test ftp server) [XXX.XXX.XXX.XXX]
    500 AUTH not understood
    Name

    at which point these appeared in the proftpd.log file:

    Jan 29 14:43:08 ftpserver_name1 proftpd[5348] ftpserver_name2 (ftpclient[YYY.YYY.YYY.YYY]): FTP session opened.
    Jan 29 14:43:08 ftpserver_name1 proftpd[5348] ftpserver_name2 (safserver.bio.caltech.edu[YYY.YYY.YYY.YYY]): invalid CommandBufferSize size (0) given, resetting to default buffer size (512)

    I don't believe this is a general network problem, possibly something
    about proftpd though.

    HMMM! The ftp client connects fast from my one Solaris machine, which
    does not have a firewall. All the other machines with this delay
    are running either Microsoft's firewall (XP machines) or iptables (Linux
    machines). So this may be a firewall issue on the client
    end. Test that hypothesis, on one linux client:

    service iptables stop
    ftp ftpserver
    (connects rapidly, no delay)

    Interesting. I can't do much with the XP firewall but the linux
    firewall can be reconfigured. I'll look into that tomorrow.

    Thanks,

    David Mathog
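
The hand timing described in the post above (how long after "Connected" the 220 greeting arrives) can be measured directly. This is an added example, not part of the original thread; the function names, the 2-second threshold and the local stand-in server are assumptions made for the illustration.

```python
import socket
import threading
import time


def probe_ftp_greeting(host, port=21, timeout=30.0):
    """Return (connect_seconds, greeting_seconds, greeting_line)."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        connected = time.monotonic()      # TCP handshake finished
        buf = b""
        while b"\n" not in buf:           # wait for the first complete reply line
            chunk = sock.recv(512)
            if not chunk:                 # server closed without greeting
                break
            buf += chunk
        greeted = time.monotonic()
    line = buf.split(b"\n", 1)[0].decode("ascii", "replace").rstrip("\r")
    return connected - start, greeted - connected, line


def classify(connect_s, greeting_s, threshold=2.0):
    """Say which phase the delay sits in (threshold is an assumed cut-off)."""
    if connect_s >= threshold:
        return "slow-connect"     # handshake itself is slow: routing, filtering, SYN drops
    if greeting_s >= threshold:
        return "slow-greeting"    # connected at once, server silent before its 220 line
    return "ok"


def start_slow_greeter(delay):
    """Constructed stand-in for a slow server: accept one connection on
    127.0.0.1, wait `delay` seconds, send a 220 line. Returns its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            time.sleep(delay)
            conn.sendall(b"220 constructed test greeting\r\n")
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the local stand-in; point probe_ftp_greeting() at the
    # real server name to compare a firewalled and an unfirewalled client.
    port = start_slow_greeter(1.0)
    c, g, line = probe_ftp_greeting("127.0.0.1", port)
    print(f"connect {c:.3f}s  greeting {g:.3f}s  {classify(c, g, 0.5)}  {line!r}")
```

Run from a client with its firewall on and again with it off, the two greeting times show whether the wait happens after the TCP connection is already up, which is what the post reports.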

  4. Re: proftpd: IPV6_V6ONLY: Protocol not available

    On Mon, 29 Jan 2007 15:00:21 -0800, David Mathog wrote:
    >
    > cat /etc/sysconfig/network
    > NETWORKING=yes
    > GATEWAY=XXX.XXX.XXX.XXX
    > HOSTNAME=ftpserver_name1 <-this is actually fully qualified



    Actually, no, it is not. There is no .domain part.
    I suggest

    HOSTNAME=ftpserver_name1.mylan.invalid
    with /etc/hosts entry something like
    192.168.1.10 ftpserver_name1.mylan.invalid ftpserver_name1
    Note: Any time hostname is changed, I recommend a reboot.

    Other services/daemons like a FQDN. I know Postfix likes one.

    The .invalid is recommended to help upline MTAs trash any email messages
    which may escape your lan.

    > NETWORKING_IPV6=no
    > NOZEROCONF=yes
    >
    > Where the last two lines were added. avahi was not running, so I guessed
    > there was no reason to turn on zeroconf.


    NOZEROCONF=yes is negative logic. That turned it off which should
    have reduced your route -n list by two lines. See

    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.2.0 0.0.0.0 255.255.255.0 U 10 0 0 eth0
    0.0.0.0 192.168.2.1 0.0.0.0 UG 10 0 0 eth0


    > I put entries in /etc/hosts and it made no difference, nor did removing
    > the search in /etc/resolv.conf.


    Forgot to mention, I would remove the search in client and server.

    > Nor did rearranging entries in the
    > hosts lines of /etc/nsswitch.conf (left at "hosts dns nis",


    That's pretty close to mine
    $ grep hosts: /etc/nsswitch.conf
    hosts: files dns nis

    > but the only thing in hosts now is localhost.)


    I suggest it should have your hostname.

    I recommend something like
    127.0.0.1 localhost
    192.168.1.10 ftpserver_name1.mylan.invalid ftpserver_name1
    192.168.1.12 ftp_client_name_here.mylan.invalid ftp_client_name_here
    in the hosts file on the client and ftp server.

    > I don't believe this is a general network problem, possibly something
    > about proftpd though.


    Well, proftpd does dynamic module loading. You might time the second
    attempt to see if it loads faster. Then again I have

    # chkconfig --list proftpd
    proftpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

    Runlevel is
    $ grep initdefault /etc/inittab | grep -v \#
    id:3:initdefault:

    > HMMM! The ftp client connects fast from my one Solaris machine, which
    > does not have a firewall. All the other machines with this delay
    > are running either Microsoft's firewall (XP machines) or iptables (Linux
    > machines). So this may be a firewall issue on the client
    > end. Test that hypothesis, on one linux client:
    >
    > service iptables stop
    > ftp ftpserver
    > (connects rapidly, no delay)



    Hmmm, how odd, I am running shorewall which has a raft of rules and I
    cannot see any delay with shorewall clear or shorewall restart
    It does take about 3 seconds from password to prompt within ftp.

    Connect time to Name (m2007:bittwister): is the same with/without shorewall
    on both host and client with no visible delay.

    Ftp server is a ghz cpu with 725 meg of memory running 100Mb/s nics.


  5. Re: proftpd: IPV6_V6ONLY: Protocol not available

    Bit Twister wrote:
    > On Mon, 29 Jan 2007 15:00:21 -0800, David Mathog wrote:


    >> HOSTNAME=ftpserver_name1 <-this is actually fully qualified

    >
    >
    > Actually, no, it is not. There is no .domain part.


    What I meant was, in the REAL file it's fully qualified foo.blah.etc.
    I just didn't want to post the real name.

    >> NOZEROCONF=yes
    >>
    >> Where the last two lines were added. avahi was not running, so I guessed
    >> there was no reason to turn on zeroconf.

    >
    > NOZEROCONF=yes is negative logic.


    Right, but since there's no ZEROCONF flag negative logic is all there is
    to work with. In any case, it isn't running, and I don't want it to run
    on this system.

    > Well, proftpd does dynamic module loading. You might time the second
    > attempt to see if it loads faster.


    It doesn't. It's always the same speed from the same remote client,
    except where the remote host firewall is turned off (as below).


    >
    >> HMMM! The ftp client connects fast from my one Solaris machine, which
    >> does not have a firewall. All the other machines with this delay
    >> are running either Microsoft's firewall (XP machines) or iptables (Linux
    >> machines). So this may be a firewall issue on the client
    >> end. Test that hypothesis, on one linux client:
    >>
    >> service iptables stop
    >> ftp ftpserver
    >> (connects rapidly, no delay)

    >
    >
    > Hmmm, how odd, I am running shorewall which has a raft of rules and I
    > cannot see any delay with shorewall clear or shorewall restart
    > It does take about 3 seconds from password to prompt within ftp.


    The ftp firewall rules could easily be screwed up on my machines. Please do

    iptables --list | grep ftp

    Here's what mine look like on a client FTP machine. This one runs no
    FTP server so it has none of those rules. Note I know there is some
    problem when it interacts with my ftp server (below) because wget
    hangs up right after wget emits "PASV ...". Conversely, this command
    works fine: wget ftp://ftp.ncbi.nlm.nih.gov/blast/blastftp.txt
    and goes right through the PASV step without any delay at all.

    ACCEPT tcp -- anywhere ftpclient tcp spt:ftp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere ftpclient tcp spt:ftp-data dpts:1024:65535 state NEW
    ACCEPT tcp -- anywhere ftpclient tcp spt:ftp-data dpts:1024:65535
    ACCEPT tcp -- ftpclient anywhere tcp spts:1024:65535 dpt:ftp state NEW
    ACCEPT tcp -- ftpclient anywhere tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- ftpclient anywhere tcp spts:1024:65535 dpt:ftp-data flags:!FIN,SYN,RST,ACK/SYN

    Here's what it is on one with an ftp server (where ftp_server in the
    original listing was the fully qualified hostname.):

    ACCEPT tcp -- anywhere ftp_server tcp spts:1024:65535 dpt:ftp state NEW
    ACCEPT tcp -- anywhere ftp_server tcp spt:ftp-data state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere ftp_server tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- anywhere ftp_server tcp spt:ftp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere ftp_server tcp spt:ftp-data dpts:1024:65535
    ACCEPT tcp -- ftp_server anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
    ACCEPT tcp -- ftp_server anywhere tcp dpt:ftp-data state ESTABLISHED
    ACCEPT tcp -- ftp_server anywhere tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- ftp_server anywhere tcp spts:1024:65535 dpt:ftp state NEW
    ACCEPT tcp -- ftp_server anywhere tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- ftp_server anywhere tcp spts:1024:65535 dpt:ftp-data flags:!FIN,SYN,RST,ACK/SYN

    Again, wget to my ftp server from a Solaris machine without a firewall
    works properly.

    So I seem to be in dueling firewall rules hell. :-(.

    Thanks,

    David Mathog

  6. Re: proftpd: IPV6_V6ONLY: Protocol not available

    On Tue, 30 Jan 2007 09:03:16 -0800, David Mathog wrote:
    >
    > Right, but since there's no ZEROCONF flag negative logic is all there is
    > to work with. In any case, it isn't running, and I don't want it to run
    > on this system.


    Me neither. See without the flag
    grep zero /etc/sysconfig/network
    # NOZEROCONF=no

    reboot ; exit

    route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.2.0 0.0.0.0 255.255.255.0 U 10 0 0 eth0
    169.254.0.0 0.0.0.0 255.255.0.0 U 10 0 0 eth0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 192.168.2.1 0.0.0.0 UG 10 0 0 eth0

    now, after removing # in /etc/sysconfig/network

    grep zero /etc/sysconfig/network
    NOZEROCONF=no

    service network restart
    Shutting down interface eth0: [ OK ]
    Shutting down loopback interface: [ OK ]
    Bringing up loopback interface: [ OK ]
    Bringing up interface eth0: [ OK ]

    route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.2.0 0.0.0.0 255.255.255.0 U 10 0 0 eth0
    0.0.0.0 192.168.2.1 0.0.0.0 UG 10 0 0 eth0


    > The ftp firewall rules could easily be screwed up on my machines.


    Or if using names, the node cannot resolve the name very quickly.
    That is why I suggested /etc/hosts file on client and server
    to have client/server FQDNs with ip and short names.

    $ head /etc/hosts
    127.0.0.1 localhost
    192.168.2.1 fw.home.invalid fw
    192.168.2.30 wb.home.invalid wb
    192.168.2.60 scsi.home.invalid scsi
    192.168.2.206 2006oe.home.invalid 2006oe
    192.168.2.210 kubuntu.home.invalid kubuntu
    192.168.2.211 ubuntu.home.invalid ubuntu
    192.168.2.212 ulteo.home.invalid ulteo
    192.168.2.213 fedora.home.invalid fedora
    192.168.2.215 m2007.home.invalid m2007

    $ cat /etc/sysconfig/network
    NETWORKING=yes
    NETWORKING_IPV6=no
    NOZEROCONF=no
    NEEDHOSTNAME=no
    GATEWAY=192.168.2.1
    GATEWAYDEV=eth0
    HOSTNAME=wb.home.invalid

    > Please do
    > iptables --list | grep ftp


    [root@m2007 ~]# iptables --list | grep ftp
    ACCEPT tcp -- wb.home.invalid anywhere tcp dpt:ftp

    [root@wb ~]# iptables --list | grep ftp
    ACCEPT tcp -- wb.home.invalid anywhere tcp dpt:ftp



    # cd /etc/shorewall

    # tail -4 rules
    ACCEPT net:$GUEST_IP $FW tcp ssh
    ACCEPT net:$GUEST_IP $FW udp ssh
    ACCEPT net:$GUEST_IP $FW udp 518
    ACCEPT net:$GUEST_IP $FW tcp ftp

    # grep GUEST_IP params
    GUEST_IP=192.168.2.30


    # tail -1 interfaces
    net $NET_NIC $NET_BCAST $NET_OPTIONS

    # grep net_ params
    NET_BCAST=192.168.2.255
    NET_NIC=eth0
    NET_OPTIONS=routefilter,tcpflags,logmartians
