Hi Lonnie,
Thanks for the follow-up and going the extra mile. I tested a different installation from home this morning and it also worked as expected. There's clearly more to this story.
I'm hoping to gain access to the problematic unit sometime later this afternoon. This is starting to sound quite a bit like pilot error but I'll let you and the group know either way!
Dan
-----Original Message-----
From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
Sent: Friday, July 28, 2017 8:23am
To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Port Forwarding FTP
Hi Dan,
On Jul 28, 2017, at 5:32 AM, d...@ryson.org wrote:
In the lab, I just tested using the following firewall rule:
It worked as expected.
If it is possible to restrict the allowed source address (other than 0/0) that would be good.
Lonnie
On Jul 28, 2017, at 5:32 AM, d...@ryson.org wrote:
Hi Lonnie,
Thanks for the prompt reply and detailed insight. We'll circle back with feedback on our findings, as requested.
For what it's worth, we've had similar discussions with this client about reliance on FTP. They're slowly replacing it with secure protocols but progress is slow.
Dan
-----Original Message-----
From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
Sent: Thursday, July 27, 2017 9:27pm
To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Port Forwarding FTP
Hi Dan,
My first thought is *don't do that* :-) The FTP credentials are not encrypted, easily captured, etc. Using FTP over a VPN (OpenVPN), or using SFTP (TCP 22), would be much better choices.
If you really, really must allow FTP inbound on the external interface when AstLinux is a NAT firewall you must use "NAT EXT->LAN" of TCP 21 to your internal FTP server. The Linux kernel will automatically apply the FTP helper to track the TCP 20 data channel, so only NAT-forward TCP 21.
Be sure to remove any "Pass EXT->LAN" TCP 21 rules.
Note that "Pass EXT->LAN" is for non-NAT'ed situations when the networks are routed, not NAT'ed. For example with IPv6 you would use "Pass EXT->LAN". For NAT'ed situations with IPv4 use "NAT EXT->LAN".
Note that with "NAT EXT->LAN" you could make the public TCP port non-standard and forward to the standard TCP 21 internally. I've never tried this, as the FTP helper has to cooperate, so this may or may not work, also depends on the FTP client.
Let us know how it goes.
Lonnie
On Jul 27, 2017, at 7:44 PM, d...@ryson.org wrote:
> All,
>
> I just helped a friend reconfigure an AstLinux installation. Until today, it had been behind a NAT'd router/firewall. This afternoon, we added a NIC card and promoted AstLinux to replace the router/firewall.
>
> All the complicated bits worked fine. However, testing revealed that a simple port forwarding to an internal FTP server (port 21) isn't working. The FTP server is working from within the LAN but we can't access it from the Internet. We enabled EXT=>LAN using the web interface and we can see the rule in iptables but it doesn't seem to work.
>
> I'd appreciate any troubleshooting suggestions.
>
> Thanks,
>
> Dan
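Lonnie's point that only TCP 21 should be NAT-forwarded, and that the kernel's FTP helper takes care of the data channel, comes from the way FTP carries the data-channel endpoint inside the control connection. The following added example (not AstLinux code, nor the kernel's nf_conntrack_ftp/nf_nat_ftp code) models what that helper has to do on a NAT-forwarded control channel: decode the PORT command and the 227/229 replies, refuse an expectation for an address other than the peer's own (the helper's default, non-loose behaviour as I understand it), and rewrite the server's private address in a passive-mode reply to the public one. All addresses (203.0.113.10 public, 192.168.1.20 internal server, 198.51.100.7 client) are constructed documentation values.

```python
"""Model of the FTP conntrack/NAT helper's in-band address handling.

Added example for this thread; not AstLinux or Linux kernel code.
Addresses below are constructed (documentation ranges), not from the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # assumed AstLinux external address
SERVER_IP = "192.168.1.20"   # assumed internal FTP server behind NAT
CLIENT_IP = "198.51.100.7"   # assumed remote FTP client

_HP = r"(\d{1,3}(?:,\d{1,3}){5})"          # h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT " + _HP + r"\s*$", re.I)
PASV_RE = re.compile(r"^227 [^(]*\(" + _HP + r"\)")
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class Expectation:
    """A data connection the firewall must admit as RELATED to the control channel."""
    src: str     # host that will open the data connection
    dst: str     # address it will connect to
    dport: int


def decode_hostport(hp: str) -> Tuple[str, int]:
    nums = [int(n) for n in hp.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError(f"malformed host-port string: {hp!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def expect_active(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Client -> server PORT command (active mode).

    The server will connect back from TCP 20 to the advertised address, so the
    helper expects server -> that address.  An address other than the client's
    own is ignored: honouring it would let a client open a hole towards a
    third party (classic FTP bounce).
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    ip, port = decode_hostport(m.group(1))
    if ip != client_ip:
        return None
    return Expectation(src=server_ip, dst=ip, dport=port)


def rewrite_passive(line: str, internal_ip: str, public_ip: str,
                    client_ip: str) -> Tuple[str, Optional[Expectation]]:
    """Server -> client 227 reply (passive mode).

    The server advertises its own RFC 1918 address.  Without rewriting, the
    client would try to connect to 192.168.x.x and fail, which is exactly
    what a plain port-forward of TCP 21 without the helper looks like.
    Returns the rewritten reply plus the expectation client -> public:port;
    DNAT then maps that to internal:port.  The real helper also adjusts TCP
    sequence numbers when the reply length changes; not modelled here.
    """
    m = PASV_RE.match(line)
    if not m:
        return line, None
    ip, port = decode_hostport(m.group(1))
    if ip != internal_ip:
        return line, None   # not the NAT'ed server's address; leave untouched
    new_line = line.replace(m.group(1), encode_hostport(public_ip, port), 1)
    return new_line, Expectation(src=client_ip, dst=public_ip, dport=port)


def expect_extended_passive(line: str, client_ip: str, public_ip: str) -> Optional[Expectation]:
    """Server -> client 229 reply (EPSV): only a port is carried, so nothing
    to rewrite, but the data connection still needs an expectation."""
    m = EPSV_RE.match(line)
    if not m:
        return None
    return Expectation(src=client_ip, dst=public_ip, dport=int(m.group(1)))


if __name__ == "__main__":
    # Constructed control-channel exchange as seen by the NAT box.
    reply, exp = rewrite_passive("227 Entering Passive Mode (192,168,1,20,195,80).",
                                 SERVER_IP, PUBLIC_IP, CLIENT_IP)
    print("to client:", reply, "| expect:", exp)
    print("PORT ok  :", expect_active("PORT 198,51,100,7,4,1", CLIENT_IP, SERVER_IP))
    print("PORT bad :", expect_active("PORT 10,0,0,5,4,1", CLIENT_IP, SERVER_IP))
```

Running it shows why the data channel works only when the helper sees the control channel: the 227 reply leaves the box carrying the public address, and the matching expectation is what lets the client's follow-up connection to that port through as RELATED. This is also why a non-standard public port (Lonnie's note above) is uncertain: the helper has to be attached to that control connection for any of this to happen.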
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.