[masq] FW: [masq] FTP and other services

1999-02-08 Thread Brian R Tuley

I've got the ip_masq_ftp module loaded (in kernel 2.0.34) and have no 
problems FTPing as a client behind the masq box, or connecting to the 
FTP service running on the masq'ed box from either side...  As long as the 
username making the connection has an account on the linux box.

-brian
[EMAIL PROTECTED]

-Original Message-
From:   Fred Viles [SMTP:[EMAIL PROTECTED]]
Sent:   Friday, February 05, 1999 4:22 PM
To: [EMAIL PROTECTED]; David Dionne
Subject:Re:  [masq] FTP and other services

On 5 Feb 99, at 14:22, David Dionne wrote about
"[masq] FTP and other services":

| Hey, I am running masq at home with a 192.168.1.0/24 network.  Everything
| seems to be working fine but ftp.  I seem to remember hearing something
| about ftp and maybe some other services that are affected as well.  Does
| anyone have any suggestions?

If you are talking about an ftp client running on a masqueraded
machine, talking to an external server, only passive mode will work
unless you load the ip_masq_ftp FTP masq module.

If you are talking about running an FTP server on a masqueraded
machine, you need to use port-forwarding (the IPPORTFW patch for
2.0.x kernels) to forward incoming connections correctly.  That will
enable external clients using non-passive mode to work.  But PASV
mode will not work for the external clients.  To support external
PASV mode clients, further patches to the kernel and the ip_masq_ftp
module are required.

- Fred Viles mailto:[EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



Re: [masq] FTP

1999-02-05 Thread Mark W. Jeanmougin

On Thu, 4 Feb 1999, Jon Oransky wrote:
 Ok, I have IP Masq set up on my linux machine, I also have 2 other
 computers, one w/ NT the other w/ 95.  What is the best way to set up an
 FTP site on my NT machine w/ IP Masq.  Some people have told me to just run
 SAMBA and map the files from the ftp site onto my NT machines drive.  Would
 this be the ideal way of doing it? or should I use ipautofw to forward all
 incoming to port 21 to my NT machine?  If ipautofw is a good solution, what
 do I need to do exactly to set this up?

I'm not saying that it's the "best" way as you put it, but the way I did
it for my machine was to use samba, and just map things into my /home/ftp
directory.

Good luck, and keep us posted,

MarkJ


``We can't be so fixated on our desire to preserve the rights
of ordinary Americans ...'' -- Bill Clinton (USA TODAY,
11 March 1993, page 2A)

My main goal has always been to be in the position that I'm not
ashamed of what I've done or am doing, and that I'm doing the
best I can. -- Linus Torvalds




Re: [masq] [masq] FTP and firewalls

1999-01-29 Thread Clifford Hammerschmidt

At 10:14 PM 1/28/99 -0600, Fuzzy Fox wrote:
Clifford Hammerschmidt [EMAIL PROTECTED] wrote:

 ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
 
 This is also the same as -P input ACCEPT...  you're allowing anyone to
 connect from their port 20 (easy enough to spoof) to your box on any
 port above 1023...  not a great idea.

I think he later changed it to encompass only the masq range, 61000-
65535, but still, the point is valid.  Even with the looser ruleset,
though, few important services are above the 1024 port range.  The only
ones that come to mind are NFS and X, both of which can be specifically
blocked.  I wouldn't worry so much.

 Someone using NMap could scan all your upper ports easily.

And what would they find there?

Any backdoor or Trojan installed on your system by tampered code or
previous hacks.



Re: [masq] [masq] FTP and firewalls

1999-01-28 Thread Fred Viles

On 28 Jan 99, at 22:28, Tim Fletcher wrote about
"Re:  [masq] FTP and firewalls":

|  But this change won't help a masqueraded client, because there is no 
|  way to get the packet forwarded to the internal IP.  So you seem to 
|  be talking about running the FTP client on the masquerading box 
|  itself?  If so, masquerading doesn't enter into it.
| 
| Oh it does
| 
| I run on the ipmasqed firewall: 

The firewall machine is not masqed, it is the masqER.

| /sbin/ipchains -D input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
| and then I can ls a dir on sunsite 

Running ftp client on some machine whose IP is *not* "myip"?  
Assuming so...

| I then run:
| /sbin/ipchains -I input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
| and I can't ls a dir on sunsite 
|...

Well, of course for masquerading to work at all, the firewall must 
accept incoming packets for (at least) the range of ports used by 
masquerading.  If replies to masqueraded outgoing packets are not 
accepted, they can't be demasqueraded/forwarded.

Since merely adding this accept rule allows ftp PORT commands to 
work, you must be running the ip_masq_ftp module.  But the fact that 
you *need* to add it is surprising.  I would have thought some other 
less specific input rule would have accepted these packets.

|...

- Fred Viles mailto:[EMAIL PROTECTED]





[masq] FTP timeout?

1999-01-19 Thread Charles Curley

I have been running ip masquerading for about a month. I have noticed a
glitch which may be a timeout issue: when I transfer a large file (10+Mb)
using Netscape on NT, the whole file appears to transfer. Then the little
window just hangs there. If I copy the file before hitting cancel (to
preserve it) it is only partially intact. I can copy the same file in with
a direct connection with no problem, and I only have seen this when copying
via the IP masquerading computer.

Is this an IP masquerading timeout issue? If so, how can I solve it?

Thanks.



-- C^2

I have sworn upon the altar of God eternal hostility against every form of
tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] FTP timeout?

1999-01-19 Thread Charles Curley

At 10:02 PM 1/16/99 -0800, Fred Viles wrote:
On 16 Jan 99, at 15:21, Charles Curley wrote about
"[masq] FTP timeout?":

| I have been running ip masquerading for about a month. I have noticed a
| glitch which may be a timeout issue: when I transfer a large file (10+Mb)
| using Netscape on NT, the whole file appears to transfer. Then the little
| window just hangs there.

This will happen if you are not running the ip_masq_ftp "helper" 
module.  As you guessed, it is probably the control connection timing 
out while the lengthy data connection is going on.

Does lsmod show ip_masq_ftp running?

ip_masq_ftp is built into the kernel, not a module.


-- C^2

I have sworn upon the altar of God eternal hostility against every form of
tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] FTP timeout?

1999-01-19 Thread Steffen Plotner

Hi

I have had the same problem with kernel 2.0.29 and the masq_ftp module -
since I have upgraded the kernel to 2.0.33 and also loaded masq_ftp
module the problem went away - does anybody know what exactly it takes
to fix the timeout problem?  I am also running diald.

Thanks

 -Original Message-
 From: Charles Curley [SMTP:[EMAIL PROTECTED]]
 Sent: Saturday, January 16, 1999 5:22 PM
 To:   [EMAIL PROTECTED]
 Subject:  [masq] FTP timeout?
 
 I have been running ip masquerading for about a month. I have noticed a
 glitch which may be a timeout issue: when I transfer a large file (10+Mb)
 using Netscape on NT, the whole file appears to transfer. Then the little
 window just hangs there. If I copy the file before hitting cancel (to
 preserve it) it is only partially intact. I can copy the same file in with
 a direct connection with no problem, and I only have seen this when copying
 via the IP masquerading computer.
 
 Is this an IP masquerading timeout issue? If so, how can I solve it?
 
 Thanks.
 
 
 
   -- C^2
 
   I have sworn upon the altar of God eternal hostility against every form of
 tyranny over the mind of man.
 -- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.
 
 Thomas Jefferson, Patron Saint of the Internet:
 http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] FTP timeout?

1999-01-19 Thread Fred Viles

On 16 Jan 99, at 15:21, Charles Curley wrote about
"[masq] FTP timeout?":

| I have been running ip masquerading for about a month. I have noticed a
| glitch which may be a timeout issue: when I transfer a large file (10+Mb)
| using Netscape on NT, the whole file appears to transfer. Then the little
| window just hangs there.

This will happen if you are not running the ip_masq_ftp "helper" 
module.  As you guessed, it is probably the control connection timing 
out while the lengthy data connection is going on.

Does lsmod show ip_masq_ftp running?

|...

- Fred Viles mailto:[EMAIL PROTECTED]





Re: [masq] [masq] FTP timeout?

1999-01-19 Thread Charles Curley

It may have been another problem entirely.

I compiled ip masquerading into the kernel to speed things up. What I
didn't know is that that only compiles the basic masquerading stuff into
the kernel. There is no option to make ip_masq_ftp et alia part of the
kernel. Since (having assumed otherwise) I took the modprobe statements out
of my rc.local initialization script, they weren't loaded. Since figuring
out (with the help of another member of the list) that those modules and
the modprobe statements are necessary, I loaded the modules manually. I
think that may have solved the problem, but haven't yet tested it on a
monster file.


At 09:31 PM 1/16/99 -0700, Charles Shoemaker wrote:
This hasn't happened to me since upgrading to kernel 2.0.  May I 
suggest a couple of things:  

You can watch the masq action with "ipfwadm -M -l" (little el) and 
see the port timings.  

You might try a large file transfer with ftp on your NT machine, and 
see if you have the same problem.  If you do, it's in masquerade, if 
not, it's in Netscape.

Also, activate the masq ftp module in your rc.local with 
"/sbin/modprobe ip_masq_ftp.o".

Let us know.
Charlie Shoemaker
PS  I spaced out your patch question.  I'll get a reply to you 
tomorrow.  (If I remember correctly, go to /usr/src/linux and type 
"patch -p0 -l < ../patchfile".)  Better details tomorrow morning.

 Date:  Sat, 16 Jan 1999 15:21:57 -0700
 To:[EMAIL PROTECTED]
 From:  Charles Curley [EMAIL PROTECTED]
 Subject:   [masq] FTP timeout?

 I have been running ip masquerading for about a month. I have noticed a
 glitch which may be a timeout issue: when I transfer a large file (10+Mb)
 using Netscape on NT, the whole file appears to transfer. Then the little
 window just hangs there. If I copy the file before hitting cancel (to
 preserve it) it is only partially intact. I can copy the same file in with
 a direct connection with no problem, and I only have seen this when copying
 via the IP masquerading computer.
 
 Is this an IP masquerading timeout issue? If so, how can I solve it?
 
 Thanks.
 
 
 
  -- C^2
 
  I have sworn upon the altar of God eternal hostility against every form of
 tyranny over the mind of man.
 -- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.
 
 Thomas Jefferson, Patron Saint of the Internet:
 http://w3.trib.com/~ccurley/Jefferson.html
 
"Some people crave baseball - I find this unfathomable - but I can
easily understand why a person could get excited about playing a
bassoon."  --  Frank Zappa



-- C^2

I have sworn upon the altar of God eternal hostility against every form of
tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] [masq] FTP timeout?

1999-01-19 Thread mumford


 At 10:02 PM 1/16/99 -0800, Fred Viles wrote:
 On 16 Jan 99, at 15:21, Charles Curley wrote about
 "[masq] FTP timeout?":
 
 | I have been running ip masquerading for about a month. I have noticed a
 | glitch which may be a timeout issue: when I transfer a large file (10+Mb)
 | using Netscape on NT, the whole file appears to transfer. Then the little
 | window just hangs there.
 
 This will happen if you are not running the ip_masq_ftp "helper" 
 module.  As you guessed, it is probably the control connection timing 
 out while the lengthy data connection is going on.
 
 Does lsmod show ip_masq_ftp running?
 
 ip_masq_ftp is built into the kernel, not a module.

Um, I'm no expert on the masquerading helper modules, but I'm pretty sure
it's not possible (easily) to compile this in as part of the kernel.  I do
know for sure that there is no way to do it with the standard config.

You might want to double check your setup.





Re: [masq] IP Masq - FTP problems

1999-01-14 Thread Carl Petersen

Yes, if i fire up an ftp session on one of the clients the "Used By"
field increments.

I have experimented and found out that only passive ftp sessions work.
From a linux box on the lan an ftp session must be switched to "passive"
before I "NLIST" a directory.

Perhaps this is the way it's supposed to work?

Next I'll look at the ip_masq_ftp source code and see just what it's 
doing.

--Carl 

David A. Ranch wrote:
 
 No.. to be honest, I don't know what the "Pages" and "Used By"
 fields mean though, when a module is being used, the "Used
 By" field will increment per client.
 
 So, when you try to FTP out to the internet on port 21, does
 your ip_masq_ftp counter increase?
 
 --David



Re: [masq] IP Masq - FTP problems

1999-01-14 Thread David A. Ranch


I have experimented and found out that only passive ftp sessions work.
From a linux box on the lan an ftp session must be switched to "passive"
before I "NLIST" a directory.

Perhaps this is the way it's supposed to work?

No, active FTPs work for most people as long as they are FTPing to
a remote site on port 21.  Are you using a strong IPFWADM ruleset?
Are you allowing port 20 out?

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



[masq] Ftp across gateway machine

1999-01-14 Thread Doug Lumpkin

Whenever I try to telnet or ftp to a box behind my gateway I end up with the
following error messages:

Jan 14 02:06:26 takamine in.telnetd[1550]: connect from unknown
Jan 14 02:06:32 takamine in.telnetd[1551]: warning: can't get client address:
Connection reset by peer
Jan 14 02:06:32 takamine in.telnetd[1551]: connect from unknown
Jan 14 02:06:44 takamine in.telnetd[1552]: warning: can't get client address:
Connection reset by peer

Ping seems to work ok though... any ideas?
Thanks,
Doug

I have the following set-up:

Linux box (gateway RH 5.1)  -- ppp0 (12.7.120.83)
   eth0 (12.7.121.239)
Linux Box (takamine)   -- eth0 (12.7.121.240)
Win 95 -- eth (12.7.121.241)
-
My masq setup is:

echo "ip_masq"
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o
/sbin/modprobe ip_masq_irc.o
/sbin/modprobe ipip.o
/sbin/modprobe ip_alias.o
/sbin/ipfwadm -F -a  m -S 12.7.121.0/24 -D 0.0.0.0/0 -W ppp0
/sbin/ifconfig eth0 12.7.121.239
/sbin/route add -net 12.7.121.0
-
And my routing table looks like:

Kernel IP routing table
Destination Gateway Genmask Flags Metric RefUse Iface
tc1.pacinfo.com *   255.255.255.255 UH0  00 ppp0
12.7.121.0  *   255.255.255.0   U 0  08 eth0
127.0.0.0   *   255.0.0.0   U 0  02 lo
default *   0.0.0.0 U 0  0   17 ppp0
default tc1.pacinfo.com 0.0.0.0 UG0  00 ppp0
--





Re: [masq] [masq] IP Masq - FTP problems

1999-01-12 Thread David A. Ranch


No, I'm talking about masqueraded client machines connecting to ftp
servers on the internet. Some ftp clients work some just hang; usually
on a LIST command.

What is your Linux box's MTU on the Internet connection?

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] IP Masq - FTP problems

1999-01-12 Thread Carl Petersen

lsmod gives the following result:
Module  Pages   Used By
ax88140 3   1 (autoclean)
ip_masq_vdo_live1   0
ip_masq_cuseeme 1   0
ip_masq_irc 1   0
ip_masq_raudio  1   0
ip_masq_ftp 1   0

This is from a running system.  Should the helpers be "used by"
some process?

--Carl

Fred Viles wrote:
 
 That should work fine.  You've verified that the FTP masquerade
 "helper" module (ip_masq_ftp) is loaded?  lsmod should show it.  If
 it's not loaded then masqueraded FTP clients will only work in
 passive mode.
 
 - Fred Viles mailto:[EMAIL PROTECTED]



Re: [masq] IP Masq - FTP problems

1999-01-11 Thread Corlew, David (GEIS)

When NOT using PASV, I believe the problem has more to do with the use of
non-standard FTP ports than anything else. From my experience, the masq
software uses a different technique when setting up the masq routing entries
for non-standard versus standard FTP port usage. This causes demasquerading
problems when an FTP server tries to do the data connection back to the client
(using of course, ip info from a prior masq'd PORT command).

Provided that the server can support PASV mode, that would be the favored
solution. Unless your friend's server could be altered to use the standard
21 listening port (which appears to satisfy masq). I, for one, would welcome
a solution for non-PASV and non-standard PORT servers.

Regards,
Dave Corlew


-Original Message-
From: David A. Ranch [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 09, 1999 2:24 PM
To: Carl Engstrom; [EMAIL PROTECTED]
Subject: Re: [masq] IP Masq - FTP problems



1)  My friend has an ftp site that for some reason I can't get data transfers
from.  I can log in to the site just fine, but when the site sends me a
directory list, I get a 
  
425 can't build data connection:  No route to host
can't initiate data transfer.
 
I can connect to every other site that I've tried.  The site I'm connecting to
is not at PORT 21 it's at PORT 2001 and he's running glftpd not the standard
ftpd from red hat.
Ahhh.. check.  You either need to do FTPs with the PASV mode or
you need to load the ip_masq_ftp module with:

/sbin/insmod ip_masq_ftp ports=21,2001

This is what the /usr/src/linux/net/ipv4/ip_masq_ftp.c source code says:

--
 * Multiple Port Support
 *  The helper can be made to handle up to MAX_MASQ_APP_PORTS (normally 12)
 *  with the port numbers being defined at module load time.  The module
 *  uses the symbol "ports" to define a list of monitored ports, which can
 *  be specified on the insmod command line as
 *  ports=x1,x2,x3...
 *  where x[n] are integer port numbers.  This option can be put into
 *  /etc/conf.modules (or /etc/modules.conf depending on your config)
 *  where modload will pick it up should you use modload to load your
 *  modules.
 *
 */
--


2) I can't connect directly with ICQ.  I can send messages through the server,
but I can't chat or send a direct message.

Did you properly configure ICQ for:

- non-socks firewall
- limit ports to 2000-2020

Did you change the IPFWADM UDP timeout to 8 minutes?

Did you setup IPPORTFW and forward ports 2000-2020 to your
MASQed ICQ machine?


Anyway, the TrinityOS doc (updated yesterday and today), have all
these settings documented.  Just check out:

11 - Patching, Compiling, and installing IPPORTFW

10 - MASQ startup and advanced firewall rulesets for single and multi-NIC
setups

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] [masq] IP Masq - FTP problems

1999-01-11 Thread Fred Viles

On 10 Jan 99, at 10:15, Carl Petersen wrote about
"Re:  [masq] IP Masq - FTP problems":

| Hi,
| I have a new ipmasq setup running just great after I set the mtu on the
| ppp0 interface to 1500. Using Win98, linux, WinNT 5.0 and BeOS as
| clients.
| 
| Could someone shed some light on the FTP issue? I seem to have the
| same issue Mr. Engstrom wrote about except the ftp server I'm connecting
| to is on port 21. Some ftp clients hang when attempting a file list and
| others succeed?

Are you talking about outside clients connecting to a masqueraded 
server?  If so, clients using PASV mode (i.e. most web browsers) 
won't work.

- Fred Viles mailto:[EMAIL PROTECTED]





Re: [masq] [masq] IP Masq - FTP problems

1999-01-11 Thread David A. Ranch


AFAIK this 2000-2020 stuff is not necessary, nor are changing the IPFWADM
UDP timeouts.  I'm running a 2.0.36 masq right now with the default UDP
timeout and no special forwarding for ICQ, and have two hosts behind it
running ICQ with no problems.  I did configure for a non-socks firewall,
however, and set the firewall timeout to ~1 minute.

Unless you setup IPPORTFW, ICQ Chat won't work though messaging will.

Regarding the changing of the UDP timeouts, you are right though I
found this option in ICQ later.  You DO need to change the UDP timeout if
you don't change ICQ's firewall timeout.

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



[masq] IP Masq - FTP problems

1999-01-09 Thread Carl Engstrom




I've got my IP masq working about 85%, but I still have two nagging
problems.

First, let me say. I have all of the IP_MASQ_X modules loaded and compiled
into the kernel.

1) My friend has an ftp site that for some reason I can't get data
transfers from. I can log in to the site just fine, but when the site
sends me a directory list, I get a

425 can't build data connection: No route to host
can't initiate data transfer.

I can connect to every other site that I've tried. The site I'm connecting
to is not at PORT 21 it's at PORT 2001 and he's running glftpd not the
standard ftpd from red hat.

2) I can't connect directly with ICQ. I can send messages through the
server, but I can't chat or send a direct message.

BACKGROUND:

I'm 1 month into Linux/Unix. I'm running 
Red Hat 5.2 and I have the following RC.LOCAL file:

path=/sbin:/bin:/etc:

echo ip_masq 192.168.100.1
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/insmod 3c509.o
/sbin/insmod 3c59x.o

/sbin/modprobe 3c509

/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
#/sbin/ifconfig -a eth1 192.168.100.10/24 -D 0.0.0.0/0
#/sbin/route add -net 24.1.168.74


I've read the Man Pages and the How-to files. I even went through the
TrinityOS paper (A little over my head)

Any help would be appreciated.

Thanks

Carl Engstrom




Re: [masq] IP Masq - FTP problems

1999-01-09 Thread David A. Ranch


1)  My friend has an ftp site that for some reason I can't get data transfers
from.  I can log in to the site just fine, but when the site sends me a
directory list, I get a 
  
425 can't build data connection:  No route to host
can't initiate data transfer.
 
I can connect to every other site that I've tried.  The site I'm connecting to
is not at PORT 21 it's at PORT 2001 and he's running glftpd not the standard
ftpd from red hat.

Ahhh.. check.  You either need to do FTPs with the PASV mode or
you need to load the ip_masq_ftp module with:

/sbin/insmod ip_masq_ftp ports=21,2001

This is what the /usr/src/linux/net/ipv4/ip_masq_ftp.c source code says:

--
 * Multiple Port Support
 *  The helper can be made to handle up to MAX_MASQ_APP_PORTS (normally 12)
 *  with the port numbers being defined at module load time.  The module
 *  uses the symbol "ports" to define a list of monitored ports, which can
 *  be specified on the insmod command line as
 *  ports=x1,x2,x3...
 *  where x[n] are integer port numbers.  This option can be put into
 *  /etc/conf.modules (or /etc/modules.conf depending on your config)
 *  where modload will pick it up should you use modload to load your
 *  modules.
 *
 */
--


2) I can't connect directly with ICQ.  I can send messages through the server,
but I can't chat or send a direct message.

Did you properly configure ICQ for:

- non-socks firewall
- limit ports to 2000-2020

Did you change the IPFWADM UDP timeout to 8 minutes?

Did you setup IPPORTFW and forward ports 2000-2020 to your
MASQed ICQ machine?


Anyway, the TrinityOS doc (updated yesterday and today), have all
these settings documented.  Just check out:

11 - Patching, Compiling, and installing IPPORTFW

10 - MASQ startup and advanced firewall rulesets for single and multi-NIC
setups

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] FW: masq FTP help!

1998-11-17 Thread Corlew, David (GEIS)

Thanks for your response! I'm pretty sure I've configured for the 
ftp module to be masqing, because I use ftp quite a bit and it 
works fine except for this instance. I think it has to do with
the way masquerade entries are made in the masq table when 
ftp is connecting to a non-default port (not 21) and setting up for
de-masq. 

For ftp i'm using: "ip_masq_ftp ports=21,12345"
and of course from the WIN95 box: ftp> OPEN xxx.xxx.xxx.xxx 12345

The PORT statement is getting manipulated on the linux -
example: PORT 10.0.1.1.5.142 is changed to
 PORT 204.90.180.84.239.71  (this what the ftp server receives)
and entries are made to masq tables on linux (I don't know specifically
if they are correct) but ..

ipfwadm -M -l shows:

prot expire   source destinationports
tcp  01:06:53 win95.domain   mainframe.com  1422 (61255) -- 0

and /proc/net/ip_masquerade shows:

Prc FromIP   FPrt  ToIP TPrt Masq
TCP 0A000102:058E  CX93AE0E: EF47  0  0  16218


My guess is that ip_masq_ftp somehow manages for default
ftp ports 20 and 21 but doesn't for non-default ports?
Maybe the ipportfw is the answer.

Any help would be greatly appreciated.

Dave Corlew



-Original Message-
From: Tim Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 16, 1998 10:19 AM
To: Corlew, David (GEIS)
Cc: [EMAIL PROTECTED]
Subject: Re: [masq] FW: masq FTP help!


  My problem is with ftp! It works successfully using client on win95 box to
  ftp server (control and data connections) using OPEN host.
  No problem. But I have a REAL need to open to a certain host server that
  is enabled to a specific non-default port. OPEN  pp
  The control connection works just fine. However, any PORT protocol command
  for this type connection is not masq'd. so data connections can't reach my
  win95 machine. Could anyone help with this one. 

It sounds like you haven't installed the ftp module for ip masqing

 Note: The server in question is proprietary and does not support PASV. I
 have also tried specifying the special port in the "ip_masq_ftp ports=n"
 and did notice at least the server received a masqueraded port command (in
 the range 61000-61499) but could not make successful data connection back to
 my client.

Try using ipportfw from either a 2.1.124+ kernel or a patch against 2.0.35,
I can't remember where I found the patch but it works very well. I can use an
nfs server behind the firewall and other fun things. I can mail the patch
and the control progie src to you if you want.


  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  Don't fear the penguin
[EMAIL PROTECTED]   /(   )\
   ^^-^^
Software, n.:   
Formal evening attire for female computer analysts.

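Added here as a worked illustration, not code from the list or from the kernel's ip_masq_ftp.c: a small user-space model of the PORT rewrite the helper performs for active-mode FTP, using the values quoted in the message above (client 10.0.1.1 port 1422, masq box 204.90.180.84, masq port 61255) and the `ports=` list David Ranch's reply describes. It assumes RFC 959's comma-separated PORT syntax (the post writes the same numbers with dots) and a constructed masq table that hands out 61255 first; it also shows why a control connection to an unlisted port such as 12345 passes through unrewritten, and why passive mode never needs the helper.

```python
import re

# Kernel 2.0 masquerade port range quoted in the thread (61000-65535).
MASQ_PORT_LO, MASQ_PORT_HI = 61000, 65535

# RFC 959 syntax: "PORT h1,h2,h3,h4,p1,p2" (the post writes the same values with dots).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(line):
    """Decode a PORT command into (ip, port); return None if it is not a valid PORT."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    """Encode (ip, port) back into PORT syntax, e.g. ('204.90.180.84', 61255)."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class MasqTable:
    """Stand-in for the kernel masq table: masq port -> (internal ip, internal port).

    first_free_port is a constructed knob so the worked example lands on the
    port the thread shows (61255); the real kernel picks the next free one."""

    def __init__(self, external_ip, first_free_port=MASQ_PORT_LO):
        self.external_ip = external_ip
        self.entries = {}
        self.next_port = first_free_port

    def add(self, internal_ip, internal_port):
        masq_port = self.next_port
        if masq_port > MASQ_PORT_HI:
            raise RuntimeError("masq port range exhausted")
        self.next_port += 1
        self.entries[masq_port] = (internal_ip, internal_port)
        return masq_port


def rewrite_port_command(line, client_ip, control_dst_port, table, monitored_ports=(21,)):
    """Return (PORT line as the server sees it, masq port or None).

    The helper only inspects control connections whose server port is in the
    'ports=' list, so a session to an unlisted port (12345 in the thread) passes
    the PORT command through unchanged and the server's data connection back to
    10.0.1.1 fails.  Passive mode needs none of this: the client opens the data
    connection outbound, which plain masquerading already handles."""
    if control_dst_port not in monitored_ports:
        return line, None
    parsed = parse_port(line)
    if parsed is None or parsed[0] != client_ip:
        return line, None
    _ip, port = parsed
    masq_port = table.add(client_ip, port)
    eol = line[len(line.rstrip("\r\n")):]
    return format_port(table.external_ip, masq_port) + eol, masq_port


if __name__ == "__main__":
    table = MasqTable("204.90.180.84", first_free_port=61255)
    # Control connection to port 21: rewritten, ipfwadm -M -l would show 1422 (61255)
    print(rewrite_port_command("PORT 10,0,1,1,5,142\r\n", "10.0.1.1", 21, table))
    # Same client talking to port 12345 with the default ports=21: left alone
    print(rewrite_port_command("PORT 10,0,1,1,5,142\r\n", "10.0.1.1", 12345, table))
```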



Re: [masq] FW: masq FTP help!

1998-11-16 Thread Tim Fletcher

  My problem is with ftp! It works successfully using client on win95 box to
  ftp server (control and data connections) using OPEN host.
  No problem. But I have a REAL need to open to a certain host server that
  is enabled to a specific non-default port. OPEN  pp
  The control connection works just fine. However, any PORT protocol command
  for this type connection is not masq'd. so data connections can't reach my
  win95 machine. Could anyone help with this one. 

It sounds like you haven't installed the ftp module for ip masqing

 Note: The server in question is proprietary and does not support PASV. I
 have also tried specifying the special port in the "ip_masq_ftp ports=n"
 and did notice at least the server received a masqueraded port command (in
 the range 61000-61499) but could not make successful data connection back to
 my client.

Try using ipportfw from either a 2.1.124+ kernel or a patch against 2.0.35,
I can't remember where I found the patch but it works very well. I can use an
nfs server behind the firewall and other fun things. I can mail the patch
and the control progie src to you if you want.


  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  Don't fear the penguin
[EMAIL PROTECTED]   /(   )\
   ^^-^^
Software, n.:   
Formal evening attire for female computer analysts.





[masq] Masq/FTP/ipchains

1998-10-30 Thread Clint Todish


I posted a similar message recently to a Usenet group. Hopefully,
you guys will know better:

I got my Austin Roadrunner service up and running with Linux
(Redhat 5.1 + kernel 1.2.126) masquerading a RFC1918 network. 
Surprisingly, there is currently no need for the authorization 
process in my area - I suppose I'll need to watch out for this. 
There should be a temporary kludge to get it working by running
the authorization program on an internal NT box - we'll see. I 
plan on writing a Linux based process should the need arise.

My question to anyone with ipfw experience is this:

I would like to open inbound ftp-data sourced requests but only
to my masqueraded boxes (to prevent someone manually sourcing
the ftp-data port and breaking my firewall). The ftp masq module
should take care of any security problems, but since the ipfw stuff
is only based on 'real' IP's on the unsecured side, I can't seem to
do this. Am I right in assuming this is the case or is there a way
to match incoming requests on a 'post masquerade' basis? Essentially,
I'd like to do something like:

ipchains -A input -i eth0 -p TCP -y -s 0.0.0.0/0 ftp-data -d RFCNET/24 -j ACCEPT

where eth0 = RoadRunner connection and RFCNET = my 1918 internal network.

or for a step by step description:

1) packet comes in sourced with ftp-data port
2) input filter lets it through
3) masquerade either handles it or passes it through
4) ipfw blocks the packet if masq can't handle it.

hopefully, this makes some kind of sense.
thanks!
-C

oh! btw, does anyone have experience setting up GRE tunnels with 
Linux? I'd be very interested in hearing from you...



Re: [masq] FTP problems - no route to host

1998-08-09 Thread Matthew McGehrin


On 8 Aug 98, at 19:38, Ryan wrote:

 220 Exhilirate (glFtpD v1.9.5) ready.
 User (ftp.ml.org:(none)): Apollyon
 331 Password required for Apollyon.
 Password:
 230 User Apollyon logged in.
 ftp> ls
 200 PORT command successful.
 425 Can't build data connection: No route to host.

Which site are you ftping to? It would be helpful if you included that in your report.

Also are you doing any port filters?

FTP is a two-port protocol, ports 20 and 21. Perhaps you are blocking one, and
allowing the other?

Are you connecting via satellite or a cable modem that requires you to connect to a 
local isp and receive your internet access one way? perhaps there are routing 
problems.






[masq] FTP problems - no route to host

1998-08-08 Thread Ryan




Hi, I personally love ip masquerade but I have 
one problem, FTP

When I ftp to some ftp sites I cannot get 
a dir listing or transfer files. I seem to get around this by using a passive 
host, but there is a BIG problem in this, its VERY unstable. Anyone got any 
ideas ?

220 Exhilirate (glFtpD v1.9.5) ready.
User (ftp.ml.org:(none)): Apollyon
331 Password required for Apollyon.
Password:
230 User Apollyon logged in.
ftp> ls
200 PORT command successful.
425 Can't build data connection: No route to host.


Re: [masq] FTP problems - no route to host

1998-08-08 Thread Chris Johnson

On Sat, Aug 08, 1998 at 07:38:45PM +1000, Ryan wrote:
 Hi, I personally love ip masquerade but I have one problem, FTP
 
 When I  ftp to some ftp sites I cannot get a dir listing or transfer files. I
 seem to get around this by using a passive host, but there is a BIG problem
 in this, its VERY unstable. Anyone got any ideas ?
 
 220 Exhilirate (glFtpD v1.9.5) ready.
 User (ftp.ml.org:(none)): Apollyon
 331 Password required for Apollyon.
 Password:
 230 User Apollyon logged in.
 ftp> ls
 200 PORT command successful.
 425 Can't build data connection: No route to host.
 
You need to use the ip_masq_ftp module. Try "insmod ip_masq_ftp." And stick
the following in whatever startup file you use to set up your masquerading
rules:

depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
modprobe ip_masq_cuseeme
modprobe ip_masq_vdolive
modprobe ip_masq_quake

Chris Johnson



Re: [masq] FTP problems - no route to host

1998-08-08 Thread Fuzzy Fox

Ryan [EMAIL PROTECTED] wrote:

 220 Exhilirate (glFtpD v1.9.5) ready.
 User (ftp.ml.org:(none)): Apollyon
 331 Password required for Apollyon.
 Password:
 230 User Apollyon logged in.
 ftp> ls
 200 PORT command successful.
 425 Can't build data connection: No route to host.

Turn on "debug" in your ftp session and you will probably see the
reason.  You are sending a PORT command with your private IP address,
and the remote ftpd can't route to that host directly.

The ip_masq_ftp module is supposed to take care of this, but you have to
load it manually.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  ||   "Her lips said 'No,' but her
sometimes known as David DeSimone  ||eyes said 'Read my lips!'"
  http://www.dallas.net/~fox/  ||



[masq] Ftp module for ip_masq

1998-06-26 Thread Ian MacLeod

Hi,

I'm having trouble ftp'ing from the computers hooked to my masq linux
box.  I heard i need a module for ftp'ing and so looked everywhere for
it.  If anyone knows where this is, and maybe some help on how to
install it, i would be so happy.

Thanx in advance,
Ian



Re: [masq] Ftp module for ip_masq

1998-06-26 Thread Dave

Greetings.

Mine is in /lib/modules/2.0.33/ipv4 (the 2.0.33 bit stems from the fact that I am 
running kernel 2.0.33 - if you are running a different kernel this part of the path 
will be different) and the module for FTP is called ip_masq_ftp.o

To load it you should do something like this:

/sbin/modprobe ip_masq_ftp

I have placed this line in my /etc/rc.d/rc.modules so that this module is loaded each 
time my Linux box reboots.

To see which modules are loaded do this:

cat /proc/modules

Note that all these suggestions are based on Slackware 3.4 kernel 2.0.33, other 
distributions might store the files in slightly different directories, but it should 
be close.

hth

Dave

--
From:   Ian MacLeod[SMTP:[EMAIL PROTECTED]]
Sent:   Saturday, 27 June 1998 13:52
To: [EMAIL PROTECTED]
Subject:[masq] Ftp module for ip_masq

Hi,

I'm having trouble ftp'ing from the computers hooked to my masq linux
box.  I heard i need a module for ftp'ing and so looked everywhere for
it.  If anyone knows where this is, and maybe some help on how to
install it, i would be so happy.

Thanx in advance,
Ian






[masq] FTP server configuration

1998-06-17 Thread Steve Cherry





I would like to know how to configure the ftp 
server on a linux box for kernel 2.0.33. Also how to set up users for 
limited access to directories. Can this be done? Or do I have to run 
another program.

Steve


Re: [masq] [masq] ftp to WinNT fails

1998-06-05 Thread Karsten Jeppesen

I'd better be. It is our general firewall.
All other ftp accesses works well.
(Probably about a few hundred a day for about 2 years)
In short: Yes the ftp module is loaded.

Karsten

Are you sure you are loading the ip_masq_ftp module?

-Joe

Karsten Jeppesen wrote:

 Anybody has a clue to why a windows NT based ftpserver won't accept contact
 from within the masqueraded net ?

 The masq machine it self will be able to, but not a machine from within.

 Karsten

 --
 Dr. Karsten Jeppesen YARC Systems Corporation
 VP of Development(805) 499 9444
 Director of the Board


--
Joachim Feise  Microsoft Certified Solution Developer
mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
mailto:[EMAIL PROTECTED]   mailto:[EMAIL PROTECTED]

--
Dr. Karsten Jeppesen YARC Systems Corporation
VP of Development(805) 499 9444
Director of the Board





[masq] ftp to WinNT fails

1998-06-04 Thread Karsten Jeppesen

Anybody has a clue to why a windows NT based ftpserver won't accept contact
from within the masqueraded net ?

The masq machine it self will be able to, but not a machine from within.

Karsten

--
Dr. Karsten Jeppesen YARC Systems Corporation
VP of Development(805) 499 9444
Director of the Board





Re: [masq] ftp to WinNT fails

1998-06-04 Thread Joachim Feise

Are you sure you are loading the ip_masq_ftp module?

-Joe

Karsten Jeppesen wrote:
 
 Anybody has a clue to why a windows NT based ftpserver won't accept contact
 from within the masqueraded net ?
 
 The masq machine it self will be able to, but not a machine from within.
 
 Karsten
 
 --
 Dr. Karsten Jeppesen YARC Systems Corporation
 VP of Development(805) 499 9444
 Director of the Board
 

-- 
Joachim Feise  Microsoft Certified Solution Developer
mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
mailto:[EMAIL PROTECTED]   mailto:[EMAIL PROTECTED]



[masq] ftp and http into masq'd network

1998-05-26 Thread John J Boland

howdy,

no response to my request from last week, so i'll rephrase the question!

i've setup masqing on a linux (redhat 2.0.33) server and i am able to 
get out to the rest of the universe from my private lan.  i can telnet,
ftp, get news, and surf.  basically that part works like a champ.  
now, i'm at the next part of the saga.  i would like to setup a web server
(on NT, yeah i know...) behind the linux firewall and have the nt
web server visible to the internet.  i also need ftp access into the nt
box to update web pages.  i've have read the man pages and the how-to's
for ipfwadm and ipautofw, but i can't understand how to setup the rules
to get ftp and http request into the nt box.

to make the process easier(!), i've setup an ftp server on my windoze box
to start the process (it boots a little faster than nt).  i hope that
someone else has done this already and can send me their ipfwadm and
ipautofw rules! or at least point me to the right place(s) to get this
information.

thanks!!!



Re: [masq] [masq] FTP broken

1998-05-26 Thread Bill Eldridge

if [ -f /sbin/depmod ]; then
   /sbin/depmod -a
fi
if [ -f /sbin/modprobe ]; then
   /sbin/modprobe ip_masq_ftp
   /sbin/modprobe ip_masq_raudio
fi
 
--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, May 26, 1998 6:03 PM
Subject: [masq] FTP broken


Hello,

I am not sure what happened or when.  I set up IP Masquerade on a Linux
Box (slakware 2.0.30) and had telnet, FTP and HTTP working from a number
of machines behind the linux machine.  For some reason, outgoing FTP does
not work anymore.  To make matters worse, I am so new to linux, that I
don't know where to start looking.  I have set up a minimum system and did
not intentionally filter any packets when set things up.

After setting up eth0 & eth1, I set up for masquerade with:

  echo "1" > /proc/sys/net/ipv4/ip_forward
  ipfwadm -F -a m -S 192.168.200.0/24 -D 0.0.0.0/0

Here is a typical attempt to use FTP from my internal system to a system
elsewhere on the internet.  If I use a dialup connection from the same
machine I have no problems.
--
Name (brentwoodlake): brentwoodlake
331 Password required for brentwoodlake
Password: .
230 User brentwoodlake logged in.  Access restrictions apply.
ftp> ls
500 Illegal PORT Command
ftp> ls
500 Illegal PORT Command
ftp> cd ..
250 CWD command successful.
ftp> ls
500 Illegal PORT Command
ftp>


The login works, but after that I can't *do* anything.  Other systems
complain about the PORT argument being wrong.

Thanks in advance,
Mark Stamos



--  
---
[EMAIL PROTECTED]

PGP PUBLIC KEY:
 finger [EMAIL PROTECTED]
--





Re: [masq] FTP broken

1998-05-26 Thread Bob Simpson


For some reason, outgoing FTP does
not work anymore.

The login works, but after that I can't *do* anything.  Other systems
complain about the PORT argument being wrong.

I believe you need to load the ip_masq_ftp.o module (try *insmod
ip_masq_ftp*), or use PASV (passive) mode ftp.  You enter passive mode with
the command *quote pasv* after logging in.  Not all ftp clients support this
option correctly, so the best long term fix is to load the module designed to
fix this problem.

-Bob Simpson



[masq] FTP Server Behind Firewall PASV FTP ???

1998-04-17 Thread Dave D. Hammond

I am working on developing a firewall system for a client utilizing
RedHat 5.0 and IP Masquerading. I have pretty much got everything
working to my satisfaction with the exception of one thing.

I have a public FTP Server sitting behind the MASQ machine... I am using
a very minimal set of rules as a result of this problem. I like to start
simple and get everything working before I attempt to tighten things up.
Anyway, I am using ipportfw to bounce all incoming requests received on
port 21 by the MASQ machine to the FTP Server behind the firewall. This
works great with "standard" or "ported" FTP clients (i.e. CuteFTP,
WS_FTP, etc...). However, it does not work so great with PASV FTP
clients like the ones built into many of the standard Web browsers.

Here is my limited understanding of how PASV mode FTP works... I
understand that the incoming "command" channel still comes into the FTP
server on port 21 as with "standard" FTP requests... and I understand
that the server then picks a port > 1023 and sends the port number back
to the client so that the client can open a second "data" channel to
that port on the FTP server. Initially I figured that all I had to do
was setup ipautofw on the MASQ machine to bounce all requests received
in that range (> 1023) to the FTP server behind the firewall... and as
you have probably guessed... it did not work.

Using a PASV mode FTP client I think I see why... the initial "command"
channel is opened no problem... and it would appear that the servers
reply with the port number is received by the client no problem... the
problem seems to be when the client tries to open the second "data"
channel with the FTP server it tries to open connect to the un-masqed IP
address of the FTP server located behind the firewall..

If anyone has a "work around" or suggestions I would appreciate it... I
am a bit stumped on this one since the IP address must be coming in to
the client as part of the FTP servers port response ???

Thanks,

Dave Hammond
Network Administrator - EZ-Net
[EMAIL PROTECTED]


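Added example, not code from the ip_masq_ftp module, ipportfw, or any poster in this thread: a small Python model of what an FTP masquerading helper has to do with the two FTP messages that carry an IP address and port. It ties together three points raised above: Fuzzy Fox's observation that a masqueraded client's PORT command announces its private address, Clint Todish's wish to admit inbound ftp-data connections only on a "post masquerade" basis, and Dave Hammond's finding that a port-forwarded server's 227 reply hands external PASV clients an unroutable private address. The helper rewrites both messages to the masq box's public address and a port from the 61000-61499 range quoted earlier in the thread, forwards an inbound data connection only if a rewritten PORT or 227 has announced it, and refuses a PORT command naming any address other than the masqueraded client's own (the hole a bare SYN from source port 20 would otherwise punch). All addresses and the privileged-port refusal are this example's own assumptions.

```python
"""Model of the address rewriting an FTP masquerading helper performs.

Two FTP messages carry an address and port in the h1,h2,h3,h4,p1,p2 form:
the client's PORT command (active mode) and the server's "227 Entering
Passive Mode" reply.  Behind a masquerading box each names an RFC 1918
address the other side cannot route to, so the helper must rewrite it and
remember which inbound data connection it has just promised to accept.

Added example with constructed addresses; not the ip_masq_ftp module's code.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Port range the 2.0.x masquerading code used for masqueraded ports (as quoted in the thread).
MASQ_PORT_RANGE = range(61000, 61500)

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return ('a.b.c.d', port) from a PORT command or 227 reply; ValueError if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return "%d.%d.%d.%d" % tuple(nums[:4]), port


def format_hostport(ip, port):
    """Inverse of parse_hostport: ('203.0.113.5', 61000) -> '203,0,113,5,238,72'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


@dataclass
class MasqHelper:
    public_ip: str                  # address of the masq box's outside interface (assumed)
    internal_net: str               # the RFC 1918 network behind it (assumed)
    next_port: int = MASQ_PORT_RANGE.start
    # (outside peer, masqueraded port) -> (inside host, inside port) for data
    # connections the helper has announced and will therefore accept.
    expected: dict = field(default_factory=dict)

    def _is_internal(self, ip):
        return IPv4Address(ip) in IPv4Network(self.internal_net)

    def _alloc_port(self):
        if self.next_port not in MASQ_PORT_RANGE:
            raise RuntimeError("masqueraded port range exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def rewrite_port_command(self, client_ip, server_ip, line):
        """PORT sent by an inside client to an outside server.  Returns the
        line to forward, or None if the command must be dropped."""
        if not line.upper().startswith("PORT "):
            return line                      # not a PORT command: pass through untouched
        ip, port = parse_hostport(line)
        # The address in PORT must be the masqueraded client's own.  Anything
        # else would let one inside host open the firewall towards another
        # inside host, or bounce the server's data connection at a third
        # party.  Refusing privileged data ports is this example's own choice.
        if ip != client_ip or not self._is_internal(ip) or port < 1024:
            return None
        masq_port = self._alloc_port()
        self.expected[(server_ip, masq_port)] = (client_ip, port)
        return "PORT %s\r\n" % format_hostport(self.public_ip, masq_port)

    def rewrite_pasv_reply(self, server_ip, client_ip, line):
        """227 reply from a port-forwarded inside server to an outside client.
        The reply names the server's private address; substitute the public
        address and a masqueraded port so the client's data connection reaches us."""
        if not line.startswith("227"):
            return line
        ip, port = parse_hostport(line)
        if ip != server_ip or not self._is_internal(ip):
            return None                      # server announced an address that is not its own
        masq_port = self._alloc_port()
        self.expected[(client_ip, masq_port)] = (server_ip, port)
        return "227 Entering Passive Mode (%s)\r\n" % format_hostport(self.public_ip, masq_port)

    def inbound_data_connection(self, src_ip, dst_port):
        """Decide an inbound SYN to public_ip:dst_port.  Only a connection that a
        rewritten PORT or 227 announced is forwarded (and the state is consumed);
        anything else, including a bare SYN from source port 20, gets None."""
        return self.expected.pop((src_ip, dst_port), None)
```

The filter rule Clint asks for falls out of `inbound_data_connection`: the decision is keyed on state the helper created while rewriting the control channel, not on the packet's own claim to come from port 20, so an outsider cannot reach an internal host simply by choosing ftp-data as a source port. Dave's PASV case is the mirror image: the 227 reply is rewritten on the way out and the client's data SYN to the masqueraded port is matched against that state on the way in.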



Re: [masq] Ftp server behind firewall?

1998-03-19 Thread Hans E. Kristiansen

I would like to propose a workaround ( I have the same challenge ).

Mount the NT / Win95 as smb shares, and make them available for ftp from the
Linux box.

Thanks,
Hans


 -Original Message-
 From: Mark [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, March 18, 1998 19:14
 To: [EMAIL PROTECTED]
 Subject: Re: [masq] Ftp server behind firewall?


 Well I can't give you the answer to your problem, but I do have a
 work-around.  I am in a similar situation but my NT box also boots to
 Linux.  Ftp works fine in NT using War FTPD, but when I boot to Linux I get
 that bind error.  You can get War software at
 http://www.jgaa.com/downloadpage.htm .  I think it may have to do with the
 'Fool my brain dead ISP! (dont bind to port 20)' option, but I know little
 about this.  That's your best bet.  It's a great program too.

 As for me, I'd rather be in Linux more but I cant find a way around that
 bind problem.  If you hear anything, let me know please.  I have asked the
 same question here and got no respose.  Lets hope you do.


 At 12:26 AM 3/18/98 -0500, you wrote:
 
  I have a need for there to be a ftp server behind the firewall,
 I am assuming that it can be done.  I have used redir for port 21 and can
 connect to the server but when I try to get a listing or file it spits
 this at
 me:
 
 ftp> ls
 500 Invalid PORT Command.
 ftp: bind: Address already in use
 ftp> ls
 500 Invalid PORT Command.
 ftp> dir
 500 Invalid PORT Command.
 
 I have tried using redir on port 20 and using udpred on 21 and 20 but keep
 getting the same error messages, I have not yet tried ipautofw.
 The machine is a NT box with the microsoft ftp server; I don't think that it
 makes a difference.
 
 --
 Andrew L. Davis  Network Operations
 [EMAIL PROTECTED]ViperLink International
 





Re: [masq] Ftp server behind firewall?

1998-03-18 Thread Mark

Well I can't give you the answer to your problem, but I do have a
work-around.  I am in a similar situation but my NT box also boots to
Linux.  Ftp works fine in NT using War FTPD, but when I boot to Linux I get
that bind error.  You can get War software at
http://www.jgaa.com/downloadpage.htm .  I think it may have to do with the
'Fool my brain dead ISP! (dont bind to port 20)' option, but I know little
about this.  That's your best bet.  It's a great program too.  

As for me, I'd rather be in Linux more but I can't find a way around that
bind problem.  If you hear anything, let me know please.  I have asked the
same question here and got no response.  Let's hope you do.


At 12:26 AM 3/18/98 -0500, you wrote:

   I have a need for there to be a ftp server behind the firewall, 
I am assuming that it can be done.  I have used redir for port 21 and can 
connect to the server but when I try to get a listing or file it spits
this at 
me:  

ftp> ls
500 Invalid PORT Command.
ftp: bind: Address already in use
ftp> ls
500 Invalid PORT Command.
ftp> dir
500 Invalid PORT Command.

I have tried using redir on port 20 and using udpred on 21 and 20 but keep
getting the same error messages, I have not yet tried ipautofw.
The machine is a NT box with the microsoft ftp server; I don't think that it 
makes a difference.

-- 
Andrew L. DavisNetwork Operations
[EMAIL PROTECTED]  ViperLink International
