Hi

On Wed, Jan 12, 2000 at 06:06:25PM +0100, Michael Abrahamsson wrote:
[snip]
> I've just opened some ports from/to the internal net (among
> those are 21/ftp) but when I'm on a webpage and click an ftp
> link like this one:
> ftp://ftp.pc.ibm.com/pub/pccbbs/pc_servers/m525w32e.txt
> nothing happens and it does time out.
> When I check the kernel log I can see that the workstation
> tried to connect to 204.146.167.81:18235 <-- Why the hell port
> 18235 (the port is different from time to time..)

This is because of the way FTP works. (See below.)

> It works with ftp://ftp.sunet.se etc but shouldn't ftp://
> always connect to the same port and is there a solution?

FTP does not use just one connection for commands and data like HTTP does. With HTTP, the client connects to a port (normally 80) and sends a command (like GET / HTTP/1.0) and then gets the results back in the same connection. With FTP, it sends commands on one connection, and then opens another connection to download/upload the files etc.

There are two ways of opening the second connection. One is called active mode and the other is called passive mode.

With active mode, the client listens on a port and then tells the server what port it is listening on. The server then connects back to the client on the port that the client specified (normally from port 20).

With passive mode, the client tells the server it wants to use passive mode (by using the PASV command). The server then listens on another port and tells the client the port number. The client makes another connection to the server on the specified port (not on port 21) and starts sending or receiving the file list/file etc.

As far as I know, Internet Explorer and maybe Netscape use passive mode by default and most ftp clients like the command line clients and WS-FTP, CuteFTP etc. use active mode by default, but you can normally specify passive mode if you want to.

Because of this, FTP is difficult to account for on a firewall. What you might want to look into is using an FTP proxy instead of just passing through traffic. The SuSE proxy suite has a nice-looking FTP proxy that seems to work well. It is similar to the ftp-gw from the TIS firewall toolkit, except that it seems to be intended more for allowing clients on the Internet to connect to an internal FTP server, whereas the ftp-gw is for allowing internal users to connect to external FTP sites. With the SuSE ftp proxy (it works on other distributions, it was just developed by SuSE) you run it on the firewall, and when someone connects to the firewall's FTP port, the proxy server makes a connection to the internal FTP server and relays stuff between the client and the real server. This should give you exactly what you want, without relying on IP_MASQ modules etc., which might have to guess timeouts for the connections and cause connections to be lost when downloading large files etc.

hmmm... I've just re-read your message, and now it looks as if you want to allow internal users to access external FTP sites. If you want to do this, you can install a web proxy server (like Squid, but not necessarily Squid) and set your browser up to use it for FTP. This would allow you to download, but not upload files. To be able to download/upload files with a normal FTP client (i.e. not a web browser) you could use an FTP proxy, like the TIS fwtk ftp-gw or the SuSE ftp proxy.

If you still want to do it with just opening ports, you will need to allow connections from your internal network on any high port to the internet on port 21. (It seems from your message that you have done this already.) You will also have to allow connections from the internal network on any high port to the internet on any port (the server specifies the port. You have no way of knowing what it is going to be.) You will then need to make sure your FTP clients all use Passive mode. (From your message above, it seems your browser is using Passive mode.)

I hope this helps. :)

--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
[EMAIL PROTECTED] | Fax: +27 21 761 9930 | Kingsley Technologies
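The following is an added example, not part of the mailing-list thread, to show where a port like 18235 comes from and why a rule that only opens port 21 makes passive transfers time out. It decodes the two RFC 959 messages that carry data-connection endpoints (the server's `227` reply to `PASV`, and the client's `PORT` command in active mode) and then checks the resulting connection against two toy policies: "only port 21 outbound" versus the policy the reply describes (internal high port to any internet port, nothing inbound). The internal address 192.168.1.0/24, the client IP, the `227` reply text and the `PORT` command are constructed; the function names are mine, not from any FTP library.

```python
import ipaddress
import re
from dataclasses import dataclass

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- server's reply to PASV (RFC 959).
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "PORT h1,h2,h3,h4,p1,p2" -- client's command in active mode, same encoding.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed internal network


def _decode(groups):
    """Turn the six decimal fields into (dotted host, port); port = p1*256 + p2."""
    host = ".".join(groups[:4])
    return host, int(groups[4]) * 256 + int(groups[5])


def parse_pasv_reply(line):
    """Endpoint the client must connect to, taken from a 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def parse_port_command(line):
    """Endpoint the server will connect back to, taken from a PORT command."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


@dataclass
class DataConnection:
    src_ip: str
    src_port: int   # 0 = some ephemeral high port not known in advance
    dst_ip: str
    dst_port: int
    inbound: bool   # True when the server opens the connection towards the client


def data_connection(mode, client_ip, server_ip, line):
    """Derive the data connection a transfer needs from the control-channel line."""
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        # Defender's sanity check: the advertised host should be the server we are
        # already talking to on port 21; anything else deserves a closer look.
        if host != server_ip:
            raise ValueError("PASV reply advertises %s, expected %s" % (host, server_ip))
        return DataConnection(client_ip, 0, host, port, inbound=False)
    if mode == "active":
        host, port = parse_port_command(line)
        # The server connects back, normally from port 20.
        return DataConnection(server_ip, 20, host, port, inbound=True)
    raise ValueError("unknown mode %r" % mode)


def allowed_with_only_port21(conn):
    """The questioner's situation: only internal -> internet:21 is open."""
    return not conn.inbound and conn.dst_port == 21


def allowed_by_policy(conn):
    """The policy from the reply: internal high port -> any internet port, no inbound."""
    if conn.inbound:
        return False  # no rule admits connections started from outside
    return ipaddress.ip_address(conn.src_ip) in INTERNAL_NET


def demo():
    """Constructed exchange reproducing the port seen in the kernel log."""
    client = "192.168.1.10"        # constructed workstation address
    server = "204.146.167.81"      # the server from the mail
    # 71*256 + 59 == 18235, the port the workstation was seen connecting to
    passive = data_connection("passive", client, server,
                              "227 Entering Passive Mode (204,146,167,81,71,59)")
    # Constructed PORT command as a command-line client in active mode would send it
    active = data_connection("active", client, server, "PORT 192,168,1,10,4,1")
    return passive, active


if __name__ == "__main__":
    for conn in demo():
        print(conn, "port21-only:", allowed_with_only_port21(conn),
              "full policy:", allowed_by_policy(conn))
```

Running it shows the passive data connection (to port 18235) rejected by the port-21-only rule, which is the observed timeout, and permitted by the wider outbound policy, while the active-mode connection is inbound and fails under both, which is why the reply insists on passive mode when no proxy or helper is used.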

