Fuzzy Fox
Thu, 11 Feb 1999 15:56:24 -0500
Gerd Foerster <[EMAIL PROTECTED]> wrote:
>
> I'm a bit confused about what port mode and passive mode is.

In normal port-mode FTP, the client asks the server to make a connection
back to it, on a port chosen by the client, in some high-port range.

In passive FTP, the client asks the server for a random port number that
it should make a connection to, and then connects to that port on the
server.

So you see, the difference is in which end listens, and which end
connects. They are reversed.

> FTP works fine if data is transferred on a connection initiated by the
> remote site (from port 20).

That is port-mode FTP. The server always uses 20 as its source port, and
connects to the port on which the client is listening. Since the client
is behind your masq firewall, your ip_masq_ftp module has modified the
PORT command sent by the client, to contain the actual masqueraded port
address.

> If the data connection is initiated by the masqueraded client the
> connection fails.

Passive FTP. This is the mode that *should* work without any effort on
your part. It is simply a masq client trying to connect to a remote
server, just like any other TCP connection. ip_masq_ftp does not get
involved.

> /var/log/messages lists messages like this:
>
> IP fw-fwd deny eth1 TCP <ftp-client>:1282 198.105.232.1:4284 L=44 S=0x00
> I=33050 F=0x0040 T=127

Your particular forward ruleset is too restrictive, and is denying the
outbound connection that your masq'd client is trying to make. The
client asked the server for a port, using the PASV command, and the
server responded that the client should connect to it on port 4284
(randomly chosen). Your client then attempted that connection, and was
denied by your masq firewall.

In order for a PASV connection to succeed, you must allow outbound
connections between any random ports 1024:65535 going from your client
to a remote server.
-- 
[EMAIL PROTECTED] (Fuzzy Fox)     || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/       ||   -- Charlie Brown
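As an added example, not code from Fuzzy Fox's message or from the ip_masq_ftp code, here is a small Python model of the two data-connection directions and of the forward-chain decision that produced the "fw-fwd deny" line above. The server address 198.105.232.1 and port 4284 come from the quoted log line; the client address 10.0.0.5, the PASV reply text and the two rulesets are constructed for illustration. The rule evaluator is a simplified first-match chain, not the real kernel firewall code.

```python
"""Active (PORT) vs. passive (PASV) FTP data connections, and why a
restrictive forward ruleset denies the PASV data connection.

Added example for the thread above; not code from the original message.
Addresses, PASV reply text and rules are constructed, except the server
address and port 4284 which match the quoted log line.
"""
import re
from typing import List, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (server host, data port) from a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client tells the server where it is listening.
    Behind a masquerading firewall this is the command ip_masq_ftp rewrites."""
    return "PORT %s,%d,%d" % (
        client_ip.replace(".", ","), client_port // 256, client_port % 256)


class Rule:
    """One forward-chain rule: action for (src host, dst port range)."""
    def __init__(self, action: str, src: str, lo: int, hi: int):
        self.action, self.src, self.lo, self.hi = action, src, lo, hi


def forward_decision(rules: List[Rule], src_ip: str, dst_port: int,
                     default: str = "deny") -> str:
    """First-match evaluation of a forward ruleset (simplified model)."""
    for r in rules:
        if r.src in ("any", src_ip) and r.lo <= dst_port <= r.hi:
            return r.action
    return default


def data_connection(mode: str, client_ip: str, server_ip: str,
                    pasv_reply: str = "", client_port: int = 0):
    """Return (connecting host, listening host, listening port) for a transfer."""
    if mode == "passive":
        host, port = parse_pasv_reply(pasv_reply)
        return (client_ip, host, port)               # client connects out
    if mode == "active":
        return (server_ip, client_ip, client_port)   # server (port 20) calls back
    raise ValueError("unknown mode %r" % mode)


def pasv_transfer_decision(rules: List[Rule], client_ip: str, server_ip: str,
                           pasv_reply: str) -> str:
    """Decision the forward chain makes for the client's outbound PASV data
    connection; the masq firewall sees the client's private address."""
    src, _host, port = data_connection("passive", client_ip, server_ip,
                                       pasv_reply=pasv_reply)
    return forward_decision(rules, src, port)


# Constructed client address and PASV reply (port 16*256 + 188 = 4284).
CLIENT_IP = "10.0.0.5"
SERVER_IP = "198.105.232.1"
PASV_REPLY = "227 Entering Passive Mode (198,105,232,1,16,188)"

# Restrictive chain: only the control connection to port 21 is allowed.
RESTRICTIVE = [Rule("accept", CLIENT_IP, 21, 21)]

# Corrected chain: also allow outbound connections to 1024:65535.
PERMISSIVE = [Rule("accept", CLIENT_IP, 21, 21),
              Rule("accept", CLIENT_IP, 1024, 65535)]

if __name__ == "__main__":
    print(parse_pasv_reply(PASV_REPLY))
    print(build_port_command(CLIENT_IP, 1282))
    for name, rules in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE)):
        print(name, pasv_transfer_decision(rules, CLIENT_IP, SERVER_IP, PASV_REPLY))
```

Running it shows the restrictive chain denying the client's connection to 198.105.232.1:4284, matching the log line, and the chain with the 1024:65535 range accepting it. The PORT builder illustrates the reverse direction: in active mode the server is the one making the connection, which is why that case works through the masquerading firewall without any extra forward rule.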