[TriLUG] Firewall blues...

Mike McLean mamclean at eos.ncsu.edu
Sun Feb 17 23:14:57 EST 2002


Ok, this may be superfluous, but here goes.  Ftp has two modes of
operation: active and passive.  And here
(http://www.slacksite.com/other/ftp.html) is a reasonable explanation of
how each works.

As I understand it, your ftp-data port (20) is not connected TO by the
client, but rather it is connected FROM -- i.e. in active mode ftp the
SERVER connects from port 20 to some random port on the client. So,
forwarding port 20 is unnecessary -- don't do it.

Clients connecting from behind a firewall will be using passive ftp.  So
here is what you need to do to make this work:

1) Configure your ftp server to:
    a) report its ip address for external addresses as the external ip
       address of your masquerading firewall.
    b) use a limited range of ports for passive connections.
2) Open up and forward all ports in the chosen range.

If you are using wu-ftpd, you can accomplish (1) by adding the following
lines to /etc/ftpaccess (see the man page for ftpaccess)
    passive address <internal ip>   10.0.0.0/8
    passive address <external ip>   0.0.0.0/0
    passive ports   0.0.0.0/0       14000   14100
Here I'm assuming that your private network behind the masquerading
firewall is 10.0.0.0/8, and I've chosen the port range 14000 to 14100
for passive connections.  You can adjust the port range to your taste. 
The first line (the one for internal clients) is only necessary if you
want passive ftp to work from clients on the private network.

Hope this helps some.....


Christopher Knowles wrote:
> 
> OK, I've got an ipchains masquerading firewall.
> 
> I need for two remote users to be able to ftp to a server that is, and must
> remain inside the firewall.
> 
> I've set up the rules to allow incoming ftp and ftp-data connections.
> 
> I've set up portforwarding to forward ftp and ftp-data connections to the
> firewall to that server.
> 
> Now, users Able and Baker...
> 
> Able is a newbie, and is naked on the internet, no protection, and he can ftp
> in just fine.  Everything is good.
> 
> Baker, he has a linux based ipchains firewall (and I've even used a Charlie
> with iptables to the same effect).  He can log into the ftp server, but when
> he tries to do a dir, pasv, or cd, get etc... it just hangs.  I can't find
> any reference to the packets coming in with the logs.  (Any way to log
> ipmasqadm?)
> 
> Any ideas?  I would like Baker (and Charlie) to be able to get in to the ftp
> server.
> 
> CJK
> _______________________________________________
> TriLUG mailing list
> http://www.trilug.org/mailman/listinfo/trilug
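The hang Mike describes (the server answering PASV with its private address, or with a port the firewall does not forward) can be checked from the client side by reading the 227 reply. The following Python script is an added example, not part of either message on the list: it parses a PASV reply, flags an advertised address inside the private network or a port outside the forwarded range, and renders the wu-ftpd ftpaccess stanza from the post for a chosen range. The addresses 203.0.113.5 (external) and 10.0.0.7 (internal server) and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply; port = p1*256 + p2.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError on anything else."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, external_ip, internal_net, port_range):
    """List the misconfigurations a masqueraded wu-ftpd server can show in a PASV reply.

    external_ip:  the firewall address remote clients should be told to connect to
    internal_net: the private network behind the firewall (post assumes 10.0.0.0/8)
    port_range:   (lo, hi) inclusive range of passive ports forwarded by the firewall
    """
    ip, port = parse_pasv(reply)
    lo, hi = port_range
    problems = []
    if ipaddress.ip_address(ip) in ipaddress.ip_network(internal_net):
        # The client will try to open a data connection to an unroutable address and hang.
        problems.append("server advertises internal address %s instead of %s" % (ip, external_ip))
    elif ip != external_ip:
        problems.append("server advertises %s, expected %s" % (ip, external_ip))
    if not lo <= port <= hi:
        # Data port is outside the forwarded range: the SYN dies at the firewall.
        problems.append("data port %d is outside forwarded range %d-%d" % (port, lo, hi))
    return problems


def ftpaccess_passive_lines(internal_ip, internal_net, external_ip, lo, hi):
    """Render the three ftpaccess lines from the post for the given addresses and range."""
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError("passive port range must be within 1024-65535 and lo <= hi")
    return [
        "passive address %s %s" % (internal_ip, internal_net),
        "passive address %s 0.0.0.0/0" % external_ip,
        "passive ports 0.0.0.0/0 %d %d" % (lo, hi),
    ]


if __name__ == "__main__":
    # Constructed sample replies, not output captured from any real server.
    samples = [
        "227 Entering Passive Mode (203,0,113,5,54,176)",   # correct: external ip, port 14000
        "227 Entering Passive Mode (10,0,0,7,54,176)",      # leaks the private address
        "227 Entering Passive Mode (203,0,113,5,195,88)",   # port 50008, not forwarded
    ]
    for s in samples:
        print(s, "->", check_pasv(s, "203.0.113.5", "10.0.0.0/8", (14000, 14100)) or "ok")
    print("\n".join(ftpaccess_passive_lines("10.0.0.7", "10.0.0.0/8", "203.0.113.5", 14000, 14100)))
```

Running the script against a real server is a matter of issuing PASV over the control connection and feeding the reply line to check_pasv; an empty list means the address and port the client was given are both reachable through the firewall as configured.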
