Re: [masq] Probs with FTP

1999-02-12 Thread David A. Ranch


IP fw-fwd deny eth1 TCP ftp-client:1282 198.105.232.1:4284 L=44 S=0x00
I=33050 F=0x0040 T=127

What does your IPFWADM forward line look like?

--David
| David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED] |
| For more detailed info, see http://www.ecst.csuchico.edu/~dranch  |
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



Re: [masq] [masq] Probs with FTP

1999-02-12 Thread Gerd Foerster

Fuzzy Fox wrote:

 In normal port-mode FTP, the client asks the server to make a connection
 back to it, on a port chosen by the client, in some high-port range.
 
 In passive FTP, the client asks the server for a random port number that
 it should make a connection to, and then connects to that port on the
 server.

Thanks a lot for the clarification.

 Your particular forward ruleset is too restrictive, and is denying the
 outbound connection that your masq'd client is trying to make.  The
 client asked the server for a port, using the PASV command, and the
 server responded that the client should connect to it on port 4284
 (randomly chosen).  Your client then attempted that connection, and was
 denied by your masq firewall.
 
 In order for a PASV connection to succeed, you must allow outbound
 connections between any random ports 1024:65535 going from your client
 to a remote server.

That's the point! I was trying to set up a firewall with pretty restrictive
IP filtering and IP masquerading. But now it appears to me that passive FTP
completely undermines my efforts.

Is there a way to get around this problem, e.g. setting up a loose forward
rule but more strict in and out rules? (I tried the other way round: loose
rules for in and out but strict forward rules.)

Gerd



[masq] Probs with FTP

1999-02-11 Thread Gerd Foerster

Again, someone having problems with FTP:

I'm a bit confused about what port mode and passive mode are. So here is a
description of my problems:

Simple IP masquerading (e.g. HTTP) works fine. ip_masq_ftp module is
loaded.

FTP works fine if data is transferred on a connection initiated by the
remote site (from port 20).

If the data connection is initiated by the masqueraded client the
connection fails. /var/log/messages lists messages like this:

IP fw-fwd deny eth1 TCP ftp-client:1282 198.105.232.1:4284 L=44 S=0x00
I=33050 F=0x0040 T=127

'ipfwadm -lMnex' shows: (slightly modified to fit into lines)

prot  expire    source       destination     ports
tcp   05:34.90  ftp-client   198.105.232.1   0 (61470) - 4284
tcp   14:35.01  ftp-client   198.105.232.1   1281 (61469) - 21

The underlying problem appears to be the faulty port mapping
'0 (61470) - 4284' inserted by ip_masq_ftp. Any hints?

Thanks in advance

Gerd



Re: [masq] Probs with FTP

1999-02-11 Thread Fuzzy Fox

Gerd Foerster [EMAIL PROTECTED] wrote:

 I'm a bit confused about what port mode and passive mode is.

In normal port-mode FTP, the client asks the server to make a connection
back to it, on a port chosen by the client, in some high-port range.

In passive FTP, the client asks the server for a random port number that
it should make a connection to, and then connects to that port on the
server.

So you see, the difference is in which end listens and which end connects.
They are reversed.

 FTP works fine if data is transferred on a connection initiated by the
 remote site (from port 20).

That is port-mode FTP.  The server always uses 20 as its source port,
and connects to the port on which the client is listening.  Since the
client is behind your masq firewall, your ip_masq_ftp module has
modified the PORT command sent by the client, to contain the actual
masqueraded port address.

 If the data connection is initiated by the masqueraded client the
 connection fails.

Passive FTP.  This is the mode that *should* work without any effort on
your part.  It is simply a masq client trying to connect to a remote
server, just like any other TCP connection.  ip_masq_ftp does not get
involved.

 /var/log/messages lists messages like this:
 
 IP fw-fwd deny eth1 TCP ftp-client:1282 198.105.232.1:4284 L=44 S=0x00
 I=33050 F=0x0040 T=127

Your particular forward ruleset is too restrictive, and is denying the
outbound connection that your masq'd client is trying to make.  The
client asked the server for a port, using the PASV command, and the
server responded that the client should connect to it on port 4284
(randomly chosen).  Your client then attempted that connection, and was
denied by your masq firewall.

In order for a PASV connection to succeed, you must allow outbound
connections between any random ports 1024:65535 going from your client
to a remote server.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown
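As an added example (not from this thread, and not ipfwadm or ip_masq_ftp code), the PASV exchange Fuzzy Fox describes and the rule question Gerd asks, carried through in Python: it decodes a constructed 227 reply into the 198.105.232.1:4284 endpoint that appears in Gerd's log line, decodes a constructed PORT command for the port-mode case, models a strict forward chain against one that also admits the 1024:65535 range Fuzzy Fox says PASV needs, and checks that the logged "fw-fwd deny" is exactly the data connection the server asked for. The rule model, the `ftp-client` host name and the 192.168.1.2 client address are assumptions; the model is a first-match-wins chain with a default policy, not ipfwadm syntax.

```python
import re
from dataclasses import dataclass

# Constructed 227 reply. The h1..h4 octets and p1,p2 encode the endpoint the
# client must connect to: 198.105.232.1 and 16*256 + 188 = 4284, the same
# destination that appears in the "fw-fwd deny" line from the thread.
PASV_REPLY = "227 Entering Passive Mode (198,105,232,1,16,188)"

# Constructed PORT command for the port-mode case: the client tells the server
# to connect back to 192.168.1.2 port 5*256 + 2 = 1282 (assumed client
# address; ip_masq_ftp rewrites this before it leaves the firewall).
PORT_CMD = "PORT 192,168,1,2,5,2"

# The kernel log line quoted in the thread, used here as sample input.
LOG_LINE = ("IP fw-fwd deny eth1 TCP ftp-client:1282 198.105.232.1:4284 "
            "L=44 S=0x00 I=33050 F=0x0040 T=127")

_SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$")
FWFWD_RE = re.compile(r"^IP fw-fwd (\w+) (\S+) (\w+) (\S+):(\d+) (\S+):(\d+)")


def _endpoint(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (host, port)."""
    values = list(map(int, groups))
    if any(v > 255 for v in values):
        raise ValueError("field out of range in %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = values
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv(reply):
    """Passive mode: the server listens; (host, port) the client connects to."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _endpoint(m.groups())


def parse_port(cmd):
    """Port mode: the client listens; (host, port) the server connects to from port 20."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _endpoint(m.groups())


def parse_fwfwd(line):
    """Split a 2.0.x 'IP fw-fwd <action>' log line into its endpoint fields."""
    m = FWFWD_RE.match(line)
    if not m:
        raise ValueError("not an fw-fwd log line: %r" % line)
    action, iface, proto, src, sport, dst, dport = m.groups()
    return {"action": action, "iface": iface, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


@dataclass(frozen=True)
class Rule:
    action: str    # "accept" or "deny"
    src: str       # source host, or "any"
    dports: range  # destination ports the rule matches


def evaluate(rules, src, dport, default="deny"):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in rules:
        if r.src in (src, "any") and dport in r.dports:
            return r.action
    return default


# Model of a "strict forward" chain: the client may only reach the FTP control
# port and HTTP. (Assumed rule set, not Gerd's actual ipfwadm lines.)
STRICT = [Rule("accept", "ftp-client", range(21, 22)),
          Rule("accept", "ftp-client", range(80, 81))]

# The same chain plus the rule Fuzzy Fox says PASV needs: outbound from the
# client to any port in 1024:65535 on the remote server.
RELAXED = STRICT + [Rule("accept", "ftp-client", range(1024, 65536))]


def pasv_data_verdict(rules, reply, client="ftp-client"):
    """Verdict the forward chain gives the client's PASV data connection."""
    _host, port = parse_pasv(reply)
    return evaluate(rules, client, port)


def deny_matches_pasv(line, reply):
    """True if a logged fw-fwd deny is the connection the 227 reply asked for."""
    log = parse_fwfwd(line)
    host, port = parse_pasv(reply)
    return log["action"] == "deny" and log["dst"] == host and log["dport"] == port


if __name__ == "__main__":
    print("PASV endpoint:", parse_pasv(PASV_REPLY))
    print("PORT endpoint:", parse_port(PORT_CMD))
    print("strict chain: ", pasv_data_verdict(STRICT, PASV_REPLY))
    print("relaxed chain:", pasv_data_verdict(RELAXED, PASV_REPLY))
    print("deny line is the PASV data connection:",
          deny_matches_pasv(LOG_LINE, PASV_REPLY))
```

The point the model makes explicit is that a forward chain which only knows the control port (21) has no way to anticipate the data port the server picks, so any rule set tight enough to block 4284 blocks every PASV transfer; the `deny_matches_pasv` check is the correlation you would run over the log to confirm a deny is that case rather than something unrelated.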