[TriLUG] Firewall blues...

Mike McLean mamclean at eos.ncsu.edu
Tue Feb 19 17:35:09 EST 2002


Chris, did you ever get it working?

Mike McLean wrote:
> 
> Ok, this may be superfluous, but here goes.  Ftp has two modes of
> operation: active and passive.  And here
> (http://www.slacksite.com/other/ftp.html) is a reasonable explanation of
> how each works.
> 
> As I understand it, your ftp-data port (20) is not connected TO by the
> client, but rather it is connected FROM -- i.e. in active mode ftp the
> SERVER connects from port 20 to some random port on the client. So,
> forwarding port 20 is unnecessary -- don't do it.
> 
> Clients connecting from behind a firewall will be using passive ftp.  So
> here is what you need to do to make this work:
> 
> 1)Configure your ftp server to:
>     a) report its ip address for external addresses as the external ip
> address of your masquerading firewall.
>     b) use a limited range of ports for passive connections.
> 2) open up and forward all ports in the chosen range
> 
> If you are using wu-ftpd, you can accomplish (1) by adding the following
> lines to /etc/ftpaccess (see the man page for ftpaccess)
>         passive address <internal ip>  10.0.0.0/8
>         passive address <external ip>   0.0.0.0/0
>         passive ports   0.0.0.0/0       14000   14100
> Here I'm assuming that your private network behind the masquerading
> firewall is 10.0.0.0/8, and I've chosen the port range 14000 to 14100
> for passive connections.  You can adjust the port range to your taste.
> The first line (the one for internal clients) is only necessary if you
> want passive ftp to work from clients on the private network.
> 
> Hope this helps some.....
> 
> Christopher Knowles wrote:
> >
> > OK, I've got an ipchains masquerading firewall.
> >
> > I need for two remote users to be able to ftp to a server that is, and must
> > remain inside the firewall.
> >
> > I've set up the rules to allow incoming ftp and ftp-data connections.
> >
> > I've set up portforwarding to forward ftp and ftp-data connections to the
> > firewall to that server.
> >
> > Now, users Able and Baker...
> >
> > Able is a newbie, and is naked on the internet, no protection, and he can ftp
> > in just fine.  Everything is good.
> >
> > Baker, he has a linux based ipchains firewall (and I've even used a Charlie
> > with iptables to the same effect).  He can log into the ftp server, but when
> > he tries to do a dir, pasv, or cd, get etc... it just hangs.  I can't find
> > any reference to the packets coming in with the logs.  (Any way to log
> > ipmasqadm?)
> >
> > Any ideas?  I would like Baker (and Charlie) to be able to get in to the ftp
> > server.
> >
> > CJK
> > _______________________________________________
> > TriLUG mailing list
> > http://www.trilug.org/mailman/listinfo/trilug
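A small diagnostic for the hang Baker sees, added here as an example and not part of the thread: it parses the server's 227 PASV reply and reports the two misconfigurations Mike's reply describes (a private address advertised to an external client, and a data port outside the forwarded range). The firewall address 203.0.113.10 and the client addresses are constructed placeholders; the port range is the 14000-14100 from the ftpaccess lines above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed values (assumptions, not from the thread): the masquerading
# firewall's public address and the passive range chosen in ftpaccess.
EXTERNAL_IP = "203.0.113.10"
PASSIVE_RANGE = (14000, 14100)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def is_rfc1918(ip):
    """True for private (masqueraded) addresses."""
    return any(ip_address(ip) in net for net in RFC1918)

def parse_pasv_reply(line):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).
    The data port is p1*256 + p2.  Returns None for anything malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= v <= 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def diagnose_pasv(line, client_ip, external_ip=EXTERNAL_IP, port_range=PASSIVE_RANGE):
    """Return the reasons a passive data connection from client_ip would hang;
    an empty list means address and port match the ftpaccess/forwarding setup."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return ["reply is not a well-formed 227 PASV response"]
    ip, port = parsed
    problems = []
    if not is_rfc1918(client_ip):
        # External client: the server must advertise the firewall's public IP,
        # otherwise the client connects to an unroutable address and hangs.
        if is_rfc1918(ip):
            problems.append(f"advertised private address {ip} to external client "
                            f"{client_ip}; needs 'passive address {external_ip} 0.0.0.0/0'")
        elif ip != external_ip:
            problems.append(f"advertised {ip}, but the firewall's external address is {external_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}; "
                        f"needs 'passive ports 0.0.0.0/0 {lo} {hi}' and forwarding of that range")
    return problems
```

Feed it the 227 line from a client-side ftp debug trace (for example `ftp -d`) together with the client's own public address to see which of the two ftpaccess lines is missing.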


