[TriLUG] Firewall blues...
Mike McLean
mamclean at eos.ncsu.edu
Tue Feb 19 17:35:09 EST 2002
Chris, did you ever get it working?
Mike McLean wrote:
>
> Ok, this may be superfluous, but here goes. Ftp has two modes of
> operation: active and passive. And here
> (http://www.slacksite.com/other/ftp.html) is a reasonable explanation of
> how each works.
>
> As I understand it, your ftp-data port (20) is not connected TO by the
> client, but rather it is connected FROM -- i.e. in active mode ftp the
> SERVER connects from port 20 to some random port on the client. So,
> forwarding port 20 is unnecessary -- don't do it.
>
> Clients connecting from behind a firewall will be using passive ftp. So
> here is what you need to do to make this work:
>
> 1) Configure your ftp server to:
> a) report its ip address for external addresses as the external ip
> address of your masquerading firewall.
> b) use a limited range of ports for passive connections.
> 2) open up and forward all ports in the chosen range
>
> If you are using wu-ftpd, you can accomplish (1) by adding the following
> lines to /etc/ftpaccess (see the man page for ftpaccess)
> passive address <internal ip> 10.0.0.0/8
> passive address <external ip> 0.0.0.0/0
> passive ports 0.0.0.0/0 14000 14100
> Here I'm assuming that your private network behind the masquerading
> firewall is 10.0.0.0/8, and I've chosen the port range 14000 to 14100
> for passive connections. You can adjust the port range to your taste.
> The first line (the one for internal clients) is only necessary if you
> want passive ftp to work from clients on the private network.
>
> Hope this helps some.....
>
> Christopher Knowles wrote:
> >
> > OK, I've got an ipchains masquerading firewall.
> >
> > I need for two remote users to be able to ftp to a server that is, and must
> > remain inside the firewall.
> >
> > I've set up the rules to allow incoming ftp and ftp-data connections.
> >
> > I've set up portforwarding to forward ftp and ftp-data connections to the
> > firewall to that server.
> >
> > Now, users Able and Baker...
> >
> > Able is a newbie, and is naked on the internet, no protection, and he can ftp
> > in just fine. Everything is good.
> >
> > Baker, he has a linux based ipchains firewall (and I've even used a Charlie
> > with iptables to the same effect). He can log into the ftp server, but when
> > he tries to do a dir, pasv, or cd, get etc... it just hangs. I can't find
> > any reference to the packets coming in with the logs. (Any way to log
> > ipmasqadm?)
> >
> > Any ideas? I would like Baker (and Charlie) to be able to get in to the ftp
> > server.
> >
> > CJK
> > _______________________________________________
> > TriLUG mailing list
> > http://www.trilug.org/mailman/listinfo/trilug
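As an added illustration, not part of the thread, here is a small Python checker that parses a server's 227 PASV reply and reports whether the two conditions Mike describes hold: the advertised address is the firewall's external IP rather than a private one, and the advertised port falls inside the forwarded passive range. The external address 192.0.2.10 is a constructed placeholder; the 10.0.0.0/8 network and the 14000-14100 range are the thread's own.

```python
import re

# Constructed placeholder for the masquerading firewall's public address;
# the private network and passive port range are the ones used in the thread.
EXTERNAL_IP = "192.0.2.10"
PASV_RANGE = (14000, 14100)

# A 227 reply carries the data socket as six decimal octets: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h = m.groups()
    ip = ".".join(h[:4])
    port = int(h[4]) * 256 + int(h[5])   # port is sent as two 8-bit halves
    return ip, port


def is_private(ip):
    """True for RFC 1918 addresses (the thread's private net is 10.0.0.0/8)."""
    o = [int(x) for x in ip.split(".")]
    return (o[0] == 10
            or (o[0] == 172 and 16 <= o[1] <= 31)
            or (o[0] == 192 and o[1] == 168))


def check_pasv(reply, external_ip=EXTERNAL_IP, pasv_range=PASV_RANGE):
    """Explain whether an outside client could reach the advertised data socket.

    Returns "ok" when both the address and the port would pass through the
    masquerading firewall, otherwise a description of what the client would
    see and which ftpaccess line (per the thread) fixes it.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed 227 reply"
    ip, port = parsed
    problems = []
    if is_private(ip):
        problems.append(f"server advertised private address {ip}; "
                        f"set 'passive address {external_ip} 0.0.0.0/0'")
    elif ip != external_ip:
        problems.append(f"advertised {ip} but firewall external address is {external_ip}")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside forwarded range {lo}-{hi}; "
                        f"set 'passive ports 0.0.0.0/0 {lo} {hi}'")
    return "ok" if not problems else "; ".join(problems)
```

A client that "hangs" on dir or get after a successful login, as Baker's does, is the symptom of either failure: it opens a data connection to an address or port nothing on the outside can reach.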