 From:  "Manuel Kasper" <mk at neon1 dot net>
 To:  <pbako at 2alpha dot com>
 Cc:  <list at m0n0wall dot neon1 dot net>
 Subject:  Re: [m0n0wall] pb4 update
 Date:  Mon, 10 Mar 2003 10:03:37 +0100 (CET)
Hi Peter,

> 2000).  Login went without any problems but when I attempted to do a
> "dir" or a "put" command I simply got back a "425 Can't build data
> connection: No route to host." error.  The last time I saw a "no route

Oops, sorry - I forgot to mention the fact that you have to use passive
FTP on the firmware upload page... Since there are no rules to permit
outbound connections from the firewall to LAN, it's unable to build the
data connection in the case of active-mode FTP. This is just additional
security paranoia and may change in a future release, but for now, passive
FTP must be used.
AFAIK, the Windows 2000 command line FTP client cannot even do passive
FTP, so you must use a real FTP client ;) like for example SmartFTP.

> Figuring the same trick might work here I browsed to the exec.php script
> and executed a "/sbin/ipf -Fa" command.  Wow!  This immediately killed
> the unit! No response to http, ftp, or even ping!

When you execute /sbin/ipf -Fa, you flush all rules. This means that the
default rule will be in effect, and ipfilter in the m0n0wall kernel is
compiled with default to deny. This is again security paranoia; let's
assume the PHP scripts fail to load new rules after having flushed the old
ones (e.g. because of a syntax error), then a default to accept rule would
leave the firewall wide open. So that's why the unit didn't respond
anymore after the ipf -Fa.

Hope this answers your questions.
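Both points in this message (why active-mode FTP to the firewall's data port fails, and why a flushed rule set on a default-to-deny kernel makes the box go silent) come down to the direction in which a connection is opened and to what the filter does when no rule matches. The following is an added example, not code from m0n0wall or from the message's author: a toy packet-filter model in Python with an invented rule grammar, constructed addresses (192.168.1.1 for the firewall, 192.168.1.0/24 for LAN, a client at 192.168.1.50) and first-match semantics, all of which are assumptions of the example rather than ipfilter behaviour. It shows the active-mode data connection (firewall connecting back to the client) being dropped while passive mode passes, and contrasts a flush-then-reload that fails part way under a default-block policy (everything blocked) with the same failure under default-pass (everything, including WAN, allowed through).

```python
"""Toy packet-filter model (example only, not ipfilter or m0n0wall code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example.
FW_ADDR = ipaddress.ip_address("192.168.1.1")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def in_zone(addr, zone):
    """Zone names used by the invented rule grammar: 'fw', 'lan', 'any'."""
    ip = ipaddress.ip_address(addr)
    if zone == "any":
        return True
    if zone == "fw":
        return ip == FW_ADDR
    if zone == "lan":
        return ip in LAN_NET and ip != FW_ADDR
    raise ValueError(f"unknown zone {zone!r}")


@dataclass(frozen=True)
class Conn:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # host that opens the connection
    dst: str        # host being connected to
    dport: int = 0  # 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str
    src: str                # zone name
    dst: str                # zone name
    dport: Optional[int]    # None matches any port

    def matches(self, c):
        return (self.proto == c.proto and in_zone(c.src, self.src)
                and in_zone(c.dst, self.dst)
                and (self.dport is None or self.dport == c.dport))


def parse_rule(line):
    """Invented grammar: <pass|block> <proto> from <zone> to <zone> [port <n>]"""
    t = line.split()
    if (len(t) not in (6, 8) or t[0] not in ("pass", "block")
            or t[2] != "from" or t[4] != "to" or (len(t) == 8 and t[6] != "port")):
        raise ValueError(f"syntax error: {line!r}")
    return Rule(t[0], t[1], t[3], t[5], int(t[7]) if len(t) == 8 else None)


class Filter:
    def __init__(self, default):
        assert default in ("pass", "block")
        self.default = default  # policy applied when no rule matches
        self.rules = []

    def flush(self):            # the model's equivalent of `ipf -Fa`
        self.rules = []

    def load(self, text):
        # Every line is parsed before any rule is installed, so a bad file installs nothing.
        self.rules = [parse_rule(l) for l in text.splitlines() if l.strip()]

    def decide(self, c):
        for r in self.rules:    # first match wins (a simplification of ipfilter's semantics)
            if r.matches(c):
                return r.action
        return self.default


# Rule set in the spirit of the message: LAN may reach the firewall, but nothing
# permits the firewall to open connections towards LAN.  Constructed for the example.
LAN_ONLY_RULES = """
pass tcp from lan to fw
pass icmp from lan to fw
"""


def build_filter(default="block"):
    f = Filter(default)
    f.load(LAN_ONLY_RULES)
    return f


def reload_rules(f, text):
    """Flush, then load the new set; returns False if the load aborted on a bad line."""
    f.flush()
    try:
        f.load(text)
        return True
    except ValueError:
        return False


CLIENT = "192.168.1.50"
# Active mode: the server (here the firewall) connects back to the client's advertised port.
ACTIVE_DATA = Conn("tcp", str(FW_ADDR), CLIENT, 1053)
# Passive mode: the client connects to the port the firewall advertised.
PASSIVE_DATA = Conn("tcp", CLIENT, str(FW_ADDR), 49152)
PING = Conn("icmp", CLIENT, str(FW_ADDR))
WAN_HTTP = Conn("tcp", "203.0.113.7", str(FW_ADDR), 80)   # constructed outside address

if __name__ == "__main__":
    f = build_filter()
    print("active FTP data :", f.decide(ACTIVE_DATA))
    print("passive FTP data:", f.decide(PASSIVE_DATA))
    f.flush()
    print("ping after flush:", f.decide(PING))
```

Running the block with `python3` prints the three decisions; the interesting comparison is `reload_rules()` on a filter built with `"block"` versus `"pass"` using a rule file containing one misspelt line: with default-block the failed reload leaves even LAN pings dropped (the behaviour the message describes), with default-pass it leaves the WAN connection to port 80 accepted.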