Derek Evans <[EMAIL PROTECTED]> wrote:
>
> After adding the new FTP server on the firewall (ProFTPd), the
> internal FTP server still works perfectly, but the new one will not
> work with passive mode because the firewall blocks the incoming
> requests once the port has changed to an arbitrary port.
Actually, neither the ip_masq_ftp module nor masquerade itself has
anything to do with your problem of using an FTP server on the firewall
box. That's because none of it involves forwarding of packets; there is
no masquerade being done at all.

Instead, your problem is that your firewall is too restrictive. The ftp
server *will* choose an arbitrary port, and you will be expected to
allow the remote client to connect to any port in that range, in order
for the connection to succeed.

I myself have set up strong firewalling and I continue to find things
that it interferes with. I have come to the conclusion that packet
firewalls such as ipchains are fundamentally incompatible with tight
security requirements. You simply must loosen up your requirements in
order to get useful apps to run... Sigh.

Anyway, if you "cat /proc/sys/net/ipv4/ip_local_port_range", you will
see the range of ports that will be used for local socket connections
(on my system it's 1024-4999). You should at least allow incoming
connections in this range, because those are the ports that the ftp
server is likely to choose.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
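The check described in the reply above (does the data port a PASV reply announces fall inside ip_local_port_range, and what does the matching ipchains input rule look like), as an added example that is not part of the original post. The 227 replies, the 1024-4999 range text and the server address 192.168.1.1 are constructed samples, and the live sysctl is only read if it exists.

```python
import re

# Constructed sample of what "cat /proc/sys/net/ipv4/ip_local_port_range"
# prints on the system described in the post (two whitespace-separated ints).
SAMPLE_PORT_RANGE = "1024\t4999\n"

# Constructed sample PASV replies (RFC 959: "227 ... (h1,h2,h3,h4,p1,p2)",
# data port = p1*256 + p2). The first lands inside 1024-4999, the second outside.
SAMPLE_PASV_REPLIES = [
    "227 Entering Passive Mode (192,168,1,1,13,136).",  # port 3464
    "227 Entering Passive Mode (192,168,1,1,156,64).",  # port 40000
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_port_range(text):
    """Parse the ip_local_port_range sysctl contents into (low, high)."""
    low, high = (int(x) for x in text.split())
    if not (0 < low <= high <= 65535):
        raise ValueError("implausible port range: %r" % text)
    return low, high

def read_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the live sysctl when present, otherwise use the constructed sample."""
    try:
        with open(path) as f:
            return parse_port_range(f.read())
    except OSError:
        return parse_port_range(SAMPLE_PORT_RANGE)

def parse_pasv(reply):
    """Return (host, port) announced by a 227 PASV reply; reject malformed input."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a well-formed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("PASV port bytes out of range: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def data_port_allowed(reply, port_range):
    """True if the announced data port lies inside the range the firewall permits."""
    low, high = port_range
    return low <= parse_pasv(reply)[1] <= high

def ipchains_rule(server_ip, port_range):
    """ipchains input rule accepting new (SYN) connections to the server's passive
    data ports; server_ip is supplied by the caller (constructed in the demo)."""
    low, high = port_range
    return "ipchains -A input -p tcp -s 0/0 -d %s/32 %d:%d -j ACCEPT" % (server_ip, low, high)

if __name__ == "__main__":
    rng = read_port_range()
    for r in SAMPLE_PASV_REPLIES:
        host, port = parse_pasv(r)
        print(host, port, "allowed" if data_port_allowed(r, rng) else "BLOCKED")
    print(ipchains_rule("192.168.1.1", rng))
```

The rule must accept SYN packets (no `! -y`), since the client opens the passive data connection itself; the second sample reply shows why a server picking ports outside ip_local_port_range would still be blocked.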
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]