That sounds about right. I was able to circumvent this problem by doing the following:

1) My ftpd (pure-ftpd) has an option to select the IP address sent to the client when communicating via passive mode.
2) Specify a specific range of ports that the server will select from for passive mode.
3) Manually forward those ports from the firewall to the ftp server.

Now it works. It feels like a dirty hack, but until I can convert the firewall to a 2.4.x kernel & update the ipchains to iptables, this will have to do.

Thank god for tcpdump.

-Rob

> I have the same problem still unresolved.
> That's what I think happens:
>
> The client contacts an ftp server with an IP that is NATed by the firewall
> towards the real ftp server machine. In active ftp, the server responds to the
> client that opens its local port 20 for the data connection.
> In passive ftp, the server communicates the port which the client must use on
> the server side for the data stream, but
> #def I_think
> this information includes the IP of the server. That IP is not NATed nor
> masqueraded by the firewall because it's contained in the data that the server
> sends to the client, not in the header
> #undef
>
> So the client receives an address that is the REAL address of the server and
> the data connection could not be established.
>
> Please, correct me if the above is wrong.
>
> Bye,
> Srg
>
> Robert Dege wrote:
> >
> > Well, I found out what the problem was. I did a client tcpdump on a
> > specific passive port that I configured on the ftp server.
> >
> > The tcpdump showed that when the ftp client tried to reply with a
> > passive ftp request, it was pointing to the internal IP address, instead
> > of the firewall IP.
> >
> > I was able to get the pasv working (through some dirty hacks and
> > portfw'ing). But does anyone know why the firewall was NOT masqing the
> > address?
> >
> > -Rob
>

--
-Rob

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
