Paul,
 
FTP is one of the handful of odd-ball protocols.  When you connect to
another computer with FTP, you establish a connection on TCP port 21.  That
connection is called the control channel.  But when you issue a command such
as "ls" or "get", the other computer establishes a connection back to you on
the data channel -- TCP port 20.  Since the other end computer sees the
connection coming from the outside of your firewall, the return data channel
connection comes to your firewall.  But of course, the firewall itself isn't
doing any FTPing and just drops the connection.  
 
What you need is something loaded on the firewall so that when it sees an
incoming FTP data channel connection, it checks its database of active
outgoing connections for a control channel to that same outside address.  If
it finds one, it puts the data channel connection through to the originating
inside address.  
 
There is already such a beast.  Since there are a handful of protocols like
this one (FTP, IRQ, Quake, Cuseeme, Real Audio, VODlive), the Linux
community has written modules that take care of the problem.  The only
problem, Paul, is I have never loaded that module and so am not completely
sure on how to load it.  
 
The module can be found in the directory
/lib/modules/(kernel-version-number) and is called "ip_masq_ftp.o".  I
believe it's loaded with the command "/sbin/modprobe ip_masq_ftp" or, if that
doesn't work, use the full path with "/sbin/modprobe
/lib/modules/2.2.5-15/ip_masq_ftp.o".  Whichever way works, it should load
the FTP module for you, and your FTP clients on your internal network should
work at that time.
 
The reason I haven't done it before is I took the easy way out.  I had the
internal clients set their FTP to "passive" mode which uses the same
connection (TCP port 21) for both control and data.  That way I didn't have
to load the FTP module on my firewall.
 
Either way - good luck, Paul.
 
Chuck
 
 

Avoid the GATES of Hell --> Use Linux! 
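
An added illustration, not from either mail in this thread and not the kernel's own ip_masq_ftp code: a toy Python model of the job the FTP helper on the firewall has to do. It watches the client's control channel for the PORT command (RFC 959 format "PORT h1,h2,h3,h4,p1,p2"), rewrites the private address to the firewall's public one, and only lets an inbound data connection through if it comes from port 20 of the same server to the port it was told to expect. The addresses and the port-allocation scheme are constructed for the example.

```python
import re

# Shape of an RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Return the (ip, port) an active-mode client advertises, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


class FtpMasqHelper:
    """Toy model of an FTP masquerading helper (constructed for illustration,
    not the kernel's ip_masq_ftp module). It watches the inside client's
    control channel for PORT, rewrites the private address to the firewall's
    public one, and remembers which inbound data connection to expect."""

    def __init__(self, external_ip, first_port=61000):
        self.external_ip = external_ip
        self.next_port = first_port   # simplified sequential port allocation
        self.expected = {}            # (server_ip, ext_port) -> (client_ip, client_port)

    def on_control_line(self, client_ip, server_ip, line):
        """Called for each line the inside client sends on port 21.
        Returns the line that should actually go out to the server."""
        advertised = parse_port_command(line)
        if advertised is None or advertised[0] != client_ip:
            # Not a PORT command, or the client is advertising an address that
            # is not its own: pass it untouched and expect no data connection.
            return line
        ext_port = self.next_port
        self.next_port += 1
        self.expected[(server_ip, ext_port)] = (client_ip, advertised[1])
        h = self.external_ip.split(".")
        return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{ext_port // 256},{ext_port % 256}"

    def on_inbound_syn(self, src_ip, src_port, dst_port):
        """New connection arriving at the firewall: forward it inside only if
        it is the data channel (source port 20) from the server we saw the
        PORT command go to. Returns (client_ip, client_port) or None."""
        if src_port != 20:
            return None
        return self.expected.pop((src_ip, dst_port), None)  # one-shot entry
```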

 
-----Original Message-----
From: Paul Tan [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 21, 2000 5:10 PM
To: [EMAIL PROTECTED]
Subject: FTP problem thru IPCHAINS


Hi everyone,

I'm pretty new to IPCHAINS. OK, I've set up a very basic firewall which
does MASQ for my workstations:

                #ipchains -A forward -s 192.168.128.0/24 -d 0/0 -j MASQ

Everything going thru this connection is pretty much OK, except for FTP.
I can connect to ftp.redhat.com or ftp.webmin.com, but as soon as I do an
"ls", they say I have issued an illegal command...

Thanks in advance... your experiences would be greatly appreciated.

Regards,
Paul
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]