Gerd Foerster <[EMAIL PROTECTED]> wrote:
>
> I'm a bit confused about what port mode and passive mode is.

In normal port-mode FTP, the client asks the server to make a connection
back to it, on a port chosen by the client, in some high-port range.

In passive FTP, the client asks the server for a random port number that
it should make a connection to, and then connects to that port on the
server.

So you see, the difference is in which end listens, and which end connects.
They are reversed.

> FTP works fine if data is transferred on a connection initiated by the
> remote site (from port 20).

That is port-mode FTP.  The server always uses 20 as its source port,
and connects to the port on which the client is listening.  Since the
client is behind your masq firewall, your ip_masq_ftp module has
modified the PORT command sent by the client, to contain the actual
masqueraded port address.

> If the data connection is initiated by the masqueraded client the
> connection fails.

Passive FTP.  This is the mode that *should* work without any effort on
your part.  It is simply a masq client trying to connect to a remote
server, just like any other TCP connection.  ip_masq_ftp does not get
involved.

> /var/log/messages lists messages like this:
> 
> IP fw-fwd deny eth1 TCP <ftp-client>:1282 198.105.232.1:4284 L=44 S=0x00
> I=33050 F=0x0040 T=127

Your particular forward ruleset is too restrictive, and is denying the
outbound connection that your masq'd client is trying to make.  The
client asked the server for a port, using the PASV command, and the
server responded that the client should connect to it on port 4284
(randomly chosen).  Your client then attempted that connection, and was
denied by your masq firewall.

In order for a PASV connection to succeed, you must allow outbound
connections between any random ports 1024:65535 going from your client
to a remote server.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
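The mechanics the reply describes, worked through as an added example (this is not code from the original post or from any ip_masq_ftp source): both the client's PORT command and the server's 227 PASV reply carry the data-channel endpoint as a h1,h2,h3,h4,p1,p2 tuple, where the port is p1*256 + p2. The example decodes that tuple, shows which end listens in each mode, and parses an ipfw-style "fw-fwd deny" log line of the shape quoted above to check whether the denied flow is the PASV data connection and whether the recommended 1024:65535 outbound rule would have permitted it. The client address 10.0.0.5, the 227 reply text and the PORT command are constructed sample values standing in for the redacted <ftp-client> in the post.

```python
import re

# Constructed sample input for this example (not taken from the post).
PASV_REPLY = "227 Entering Passive Mode (198,105,232,1,16,188)"  # 16*256+188 = 4284
PORT_CMD = "PORT 10,0,0,5,5,2"                                     # 5*256+2 = 1282
FW_LOG = ("IP fw-fwd deny eth1 TCP 10.0.0.5:1282 198.105.232.1:4284 "
          "L=44 S=0x00 I=33050 F=0x0040 T=127")

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_FW_LOG = re.compile(
    r"IP fw-fwd (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply.

    Returns (ip_string, port); the port is p1*256 + p2.
    """
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    for octet in (h1, h2, h3, h4, p1, p2):
        if not 0 <= octet <= 255:
            raise ValueError("tuple element out of range: %d" % octet)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection(mode, message):
    """Describe the data channel for a given mode.

    mode == "port":    message is the client's PORT command; the server
                       connects from source port 20 to the client's port.
    mode == "passive": message is the server's 227 reply; the client
                       connects to the server's announced port.
    """
    host, port = parse_hostport(message)
    if mode == "port":
        return {"initiator": "server", "listener": "client",
                "src_port": 20, "dst": host, "dst_port": port}
    if mode == "passive":
        return {"initiator": "client", "listener": "server",
                "src_port": None, "dst": host, "dst_port": port}
    raise ValueError("mode must be 'port' or 'passive'")


def parse_fw_log(line):
    """Parse the address/port fields of an 'IP fw-fwd deny ...' log line."""
    m = _FW_LOG.search(line)
    if not m:
        raise ValueError("unrecognised firewall log line: %r" % line)
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def is_denied_pasv_data(entry, pasv_reply):
    """True if a denied forwarded flow is the client reaching the PASV port."""
    host, port = parse_hostport(pasv_reply)
    return (entry["action"] == "deny" and entry["proto"] == "TCP"
            and entry["dst"] == host and entry["dport"] == port)


def allowed_by_high_port_rule(entry, low=1024, high=65535):
    """Model the rule the reply recommends: outbound TCP from a client
    high port to a server high port. Returns True if the flow matches."""
    return (entry["proto"] == "TCP"
            and low <= entry["sport"] <= high
            and low <= entry["dport"] <= high)


if __name__ == "__main__":
    print("PASV endpoint:", parse_hostport(PASV_REPLY))
    print("PORT endpoint:", parse_hostport(PORT_CMD))
    entry = parse_fw_log(FW_LOG)
    print("denied PASV data connection:", is_denied_pasv_data(entry, PASV_REPLY))
    print("would pass 1024:65535 rule:", allowed_by_high_port_rule(entry))
```

Running the block on the constructed log line shows the denied destination port 4284 is exactly the port the 227 reply announced, which is the situation the reply diagnoses; the same log line matches the high-port rule, so the recommended rule would have let the data connection through.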