

on 10/8/00 2:33 PM, David Ranch at [EMAIL PROTECTED] wrote:

> 
>> But, I tested opening ALL ports by making the FTP server a DMZ host (meaning
>> all ports were forwarded to it from the router) and passive connections
>> still wouldn't work (actually they could connect, but an 'ls' command failed
>> with 'network unreachable'). Passive connections work fine if I take out the
>> router.
> 
> Though in theory this should work, it will screw up the MASQ server.
> Realistically, if you want to do stuff like this, you should get
> another IP from your ISP and run 1:1 NAT and not 1:Many NAT.
> 
>
Actually we have a 14-address subnet from the ISP. I said in the 1st part of
my post that we're using a hardware router (or maybe I wasn't clear on that;
we've tried 2 hardware routers, a Macsense and a Linksys, with the same
results). Is it possible to do 1:1 with it? We still need 1:many for the
rest of the network; would we need a 2nd router after the server?

>> I've heard it's pretty dangerous to open up SMB ports to the world. For our
>> Mac clients we may consider opening afpovertcp with DHX encryption.
> 
> FTP is the most efficient but is insecure (clear text passwords)
> SMB is pretty decent but is also insecure
> NFS is getting better on Linux but is VERY insecure
> 
> 
>> Can anyone give advice how to solve the passive FTP problem or suggest an
>> alternative method of file xfer. SSH and SCP are out; installation, setup,
>> and use are just too complicated for non-computer people.
> 
> You do realize there are SFTP clients.  Right?

Actually, I didn't. Do SFTP clients not have the passive connection problem?

> 
> Anyway.. if you have followed the IPMASQ list in the last week or so,
> I posted a new ALPHA ip_masq_ftp module that supports PORTFW'ed FTP.
> There were a few issues with it and a few users wanted the ability to
> add/remove additional non-standard PORTFWed FTP ports w/o having to
> break all existing connections to reload the ip_masq_ftp module.  So,
> Juan has come up with a new module that uses the IPCHAINS MFW
> mechanism to support PORTFWed FTP and to also make changes on the fly.
> 

I tried setting the server up as a MASQ machine but still couldn't get
passive ftp connections through. I gave up on it because I was having a
separate problem -- the 2nd NIC I installed (Netgear FA310TX, tulip chip)
and connected to a full-duplex 100BT switch would run for a few days and
then would lose its connection to the network. I could ping the NIC's address
but it wouldn't ping the network. If I rebooted it came back up again. Could
be a kernel problem. For test purposes I connected it again to a 10BT hub
and it hasn't lost connection.

If I can get the NIC working I'll try again with masqing (although I won't
need port forwarding as the FTP server is on the masq machine).


> I'll post these files in a separate email to you and the MASQ list.
> Give it a try and let me know how it works for you.
> 
> --David


Got this explanation from someone on the Netatalk list (I shotgunned this
message to a bunch of lists; desperate for a solution =+|)

> FTP in active mode doesn't work when the client is behind a NAT firewall
> because it is _supposed_ to tell the server what IP and port to connect to
> in order to deliver a file.  When you're behind NAT, you don't know what
> IP the server should connect to, and the transfer (even
> "ls") fails.  Thus, PASV was born to fix the problem, because the server
> will always know the correct IP for a connection, right?  NO.
> 
> PASV ftp won't work behind a NAT firewall, like your routing DSL modem,
> for exactly the same reason that PORT (active FTP) doesn't work for
> clients behind NAT.  You can open up all of your ports and it still won't
> work, because the server is going to tell the clients to connect to the
> wrong IP.  In the case that your FTP server is behind a NAT firewall, you
> have to use PORT ftp.
> 
> Guess what happens when the client and server are both behind a NAT
> firewall?
> 
> There is a solution to the problem, though.  You can hack the FTP server
> to accept its IP as a command line argument, rather than discovering the
> IP itself.  Then, you'd have to use SNMP (or something) to determine the
> public IP that your DSL router has, and pass it as a command line argument
> to the FTP server when it's started up.  I thought about doing that a
> while back, but never got around to it.

Anyone ever done this?

-- 
Randy Perry
rgp systems

Mac Consulting/Sales

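The quoted explanation above comes down to one detail of the FTP protocol: the data-connection endpoint is carried as an IP address inside the control channel (the client's PORT command in active mode, the server's 227 reply in passive mode), and a plain NAT box does not rewrite it. The script below is an added illustration, not code from this thread, from Netatalk, or from the ip_masq_ftp module. It encodes and parses both messages per RFC 959, then checks whether the advertised address is RFC 1918 space being handed to a peer on the public side, which is exactly the condition that produces a "network unreachable" on the first `ls`. The `advertised_ip` parameter is a hypothetical stand-in for the "tell the server its public IP on the command line" idea in the quoted post; all addresses are constructed (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).

```python
import ipaddress
import re

# RFC 1918 space: what a host behind 1:many NAT normally has on its own NIC.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Server's passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client's active-mode command: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def encode_hostport(ip, port):
    """RFC 959 h1,h2,h3,h4,p1,p2 encoding of an IPv4 address and TCP port."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def decode_hostport(fields):
    """Inverse of encode_hostport; fields are the six decimal strings."""
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("FTP host/port field out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_pasv_reply(local_ip, data_port, advertised_ip=None):
    """Server side of PASV. A stock server announces the address of the
    interface the control connection arrived on; advertised_ip is the
    hypothetical 'here is my public IP' override from the quoted post."""
    return "227 Entering Passive Mode (%s)" % encode_hostport(
        advertised_ip or local_ip, data_port)


def build_port_command(local_ip, data_port):
    """Client side of active mode: where the server should connect back to."""
    return "PORT " + encode_hostport(local_ip, data_port)


def parse_pasv_reply(reply):
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return decode_hostport(m.groups())


def parse_port_command(cmd):
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return decode_hostport(m.groups())


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(advertised_ip, peer_ip):
    """The data connection is doomed when a private address is advertised to a
    peer whose own address is not private, i.e. one that sits outside the NAT
    and has no route to it. Anything else is left alone as 'reachable'."""
    if is_rfc1918(advertised_ip) and not is_rfc1918(peer_ip):
        return "unreachable: RFC 1918 address %s advertised to %s across NAT" % (
            advertised_ip, peer_ip)
    return "reachable"


def passive_session(server_local_ip, client_ip, data_port, advertised_ip=None):
    """Simulate server -> client 227 reply and what the client would try to connect to."""
    reply = build_pasv_reply(server_local_ip, data_port, advertised_ip)
    ip, port = parse_pasv_reply(reply)
    return reply, ip, port, diagnose(ip, client_ip)


def active_session(client_local_ip, server_ip, data_port):
    """Simulate client -> server PORT command and what the server would try to connect to."""
    cmd = build_port_command(client_local_ip, data_port)
    ip, port = parse_port_command(cmd)
    return cmd, ip, port, diagnose(ip, server_ip)


if __name__ == "__main__":
    # Constructed scenario from the thread: FTP server on a NAT'd LAN, client
    # on the public side; then the same with a public address advertised.
    print(passive_session("192.168.1.10", "203.0.113.5", 50000))
    print(passive_session("192.168.1.10", "203.0.113.5", 50000,
                          advertised_ip="198.51.100.7"))
    # The mirror image: client behind NAT using active mode.
    print(active_session("10.0.0.5", "198.51.100.7", 40000))
```

Opening "all ports" on the router cannot fix the first case, because the client is never told a routable address to begin with; a NAT helper such as the ip_masq_ftp module David mentions works by rewriting this very field in the control stream and mapping the data port, which is also why such helpers need to see the control channel in clear text.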
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]