<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7650.28">
<TITLE>To overcome firewall reject rule</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">H</FONT><FONT FACE="新細明體">i All,</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">I have a problem with my firewall settings</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="新細明體">.</FONT><FONT FACE="新細明體"> </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">Currently, tproxy cannot work with FTP in active mode.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">In my firewall settings, I have</FONT></SPAN><SPAN LANG="en-us"> </SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"> <FONT FACE="Times New Roman">…</FONT><FONT FACE="Times New Roman">…</FONT><FONT FACE="Times New Roman">…</FONT><FONT FACE="Times New Roman">…</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<UL DIR=LTR>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體"># Allow packets that belong to tproxy pass.</FONT><FONT FACE="新細明體"> </FONT></SPAN></P>
</UL>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體"> iptables -A INPUT -m tproxy -j ACCEPT</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="新細明體"> # Accept all traffic for tproxy?</FONT><FONT FACE="新細明體">?</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體"> #### Default Drop everything in INPUT chain</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體"> iptables -P INPUT DROP</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="新細明體"># NOTE the default DROP policy</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體"> iptables -P OUTPUT ACCEPT</FONT></SPAN><SPAN LANG="en-us"> </SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"> <FONT FACE="Times New Roman">…</FONT><FONT FACE="Times New Roman">…</FONT><FONT FACE="Times New Roman">…</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">For Active FTP, my proxy server is listening on behalf of the connected client but somehow the FTP server cannot connect back due to the firewall DROP policy on INPUT.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">What I want is to accept all tproxy traffic even with the default DROP</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="新細明體">policy.</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">Will</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Times New Roman">“</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="新細明體">iptables -A INPUT -m tproxy -j ACCEPT</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Times New Roman">”</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="新細明體"> impose any security concerns?</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="新細明體"></FONT></SPAN><SPAN LANG="en-us"> </SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="新細明體">Thanks</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="新細明體"> very much for any help.</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
</BODY>
</HTML>