[masq] FW: [masq] FTP and other services

1999-02-08 Thread Brian R Tuley

I've got the ip_masq_ftp module loaded (in kernel 2.0.34) and have no
problems FTPing as a client behind the masq box, or connecting to the
FTP service running on the masq'ed box from either side...  As long as
the username making the connection has an account on the linux box.

-brian
[EMAIL PROTECTED]

-Original Message-
From:   Fred Viles [SMTP:[EMAIL PROTECTED]]
Sent:   Friday, February 05, 1999 4:22 PM
To: [EMAIL PROTECTED]; David Dionne
Subject:Re:  [masq] FTP and other services

On 5 Feb 99, at 14:22, David Dionne wrote about
    "[masq] FTP and other services":

| Hey, I am running masq at home with a 192.168.1.0/24 network.  Everything
| seems to be working fine but ftp.  I seem to remember hearing something
| about ftp and maybe some other services that are affected as well.  Does
| anyone have any suggestions?

If you are talking about an ftp client running on a masqueraded
machine, talking to an external server, only passive mode will work
unless you load the ip_masq_ftp FTP masq module.

If you are talking about running an FTP server on a masqueraded
machine, you need to use port-forwarding (the IPPORTFW patch for
2.0.x kernels) to forward incoming connections correctly.  That will
enable external clients using non-passive mode to work.  But PASV
mode will not work for the external clients.  To support external
PASV mode clients, further patches to the kernel and the ip_masq_ftp
module are required.

- Fred Viles <mailto:[EMAIL PROTECTED]>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



Re: [masq] FTP and other services

1999-02-05 Thread Fred Viles

On 5 Feb 99, at 14:22, David Dionne wrote about
"[masq] FTP and other services":

| Hey, I am running masq at home with a 192.168.1.0/24 network.  Everything
| seems to be working fine but ftp.  I seem to remember hearing something
| about ftp and maybe some other services that are affected as well.  Does
| anyone have any suggestions?

If you are talking about an ftp client running on a masqueraded 
machine, talking to an external server, only passive mode will work 
unless you load the ip_masq_ftp FTP masq module.  

If you are talking about running an FTP server on a masqueraded 
machine, you need to use port-forwarding (the IPPORTFW patch for 
2.0.x kernels) to forward incoming connections correctly.  That will 
enable external clients using non-passive mode to work.  But PASV 
mode will not work for the external clients.  To support external 
PASV mode clients, further patches to the kernel and the ip_masq_ftp 
module are required.

- Fred Viles <mailto:[EMAIL PROTECTED]>
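
The following Python model is an added example, not part of the original thread and not the ip_masq_ftp source. It shows why active mode fails behind masquerading (the PORT command carries the client's private address inside the payload) and what an FTP-aware helper has to rewrite and remember. The class name FtpMasqHelper, the addresses and the one-shot mapping table are assumptions made for illustration; the 61000-65535 range is the masq range mentioned elsewhere in this archive.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP control connection (RFC 959).
PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n"
)


def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Build the PORT command that announces ip:port."""
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ("PORT " + ",".join(fields) + "\r\n").encode("ascii")


class FtpMasqHelper:
    """Hypothetical model of a masquerading box with an FTP-aware helper."""

    def __init__(self, public_ip, first_port=61000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.pending = {}  # public port -> (internal ip, internal port)

    def outbound(self, src_ip, line):
        """Process one control-channel line sent by an internal client."""
        parsed = parse_port(line)
        if parsed is None:
            return line  # not a PORT command (PASV, RETR, ...): untouched
        ip, port = parsed
        # Only honour a PORT that announces the sender's own address;
        # otherwise a client could make the box forward to another host.
        if ip != src_ip or self.next_port > self.last_port:
            return line
        public_port = self.next_port
        self.next_port += 1
        self.pending[public_port] = (ip, port)
        # The rewritten line may differ in length; an in-kernel helper also
        # has to adjust TCP sequence numbers, which this model leaves out.
        return format_port(self.public_ip, public_port)

    def inbound_data(self, dst_port):
        """Where to forward the server's data connection, or None.

        The mapping is consumed on first use, so the opened port does not
        stay reachable after the transfer it was created for.
        """
        return self.pending.pop(dst_port, None)


if __name__ == "__main__":
    helper = FtpMasqHelper("203.0.113.5")       # constructed public address
    sent = b"PORT 192,168,1,10,4,1\r\n"         # constructed client command
    print("client sent :", sent)
    print("server sees :", helper.outbound("192.168.1.10", sent))
    print("data to 61000 forwarded to:", helper.inbound_data(61000))
```

Without the helper the server would receive the first line unchanged and try to connect to 192.168.1.10, which is not routable from outside; passive mode avoids the problem because the masqueraded client opens both connections itself.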





[masq] FTP and other services

1999-02-05 Thread David Dionne

Hey, I am running masq at home with a 192.168.1.0/24 network.  Everything
seems to be working fine but ftp.  I seem to remember hearing something
about ftp and maybe some other services that are affected as well.  Does
anyone have any suggestions?

Thanks

David Dionne




Re: [masq] FTP

1999-02-05 Thread Andrew Kerr

Actually, there is no point in using samba, what you really want is
smbmount.  smbmount works just like mount does, you give it a server name
and then a mount point (/home/ftp/nt_box maybe?), and a login and password
if need be.  You'll need to recompile your kernel to include support for
this, but the smbmount program should be on your system already, if it isn't
I'm not sure where to get it but I'm sure that it is around somewhere, just
search or look in ftp.cdrom.com.

For the port forwarding stuff, which is what you really should do, you just
need to get ipportfw and run something like this:

/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t/2000 -R /21

This would make it so that if you ftp to your masq box at port 2000 it will
forward the request on to your ftp server on your NT box on the default port
of 21.  You could set the port on your masq box to port 21 and get rid of
the ftpd from your /etc/inetd.conf.  I *think* that this is correct, I
actually use ipautofw which people keep saying not to use but I'm too lazy
to change anything if it's working.  You can type "ipportfw -L" to list the
rules... it's pretty straightforward.

If you want to serve a whole bunch of files that are going to stay the
same, you'd probably be best ftping them to your linux box and using the
linux ftp server, depending on the speed and ram of your masq box, but this
way you wouldn't have to keep the IIS ftp server running on your NT box
which is probably a good thing.  If you want to give access to your NT hard
drive via ftp then the map is the best way, or if your linux box is just too
slow or doesn't have enough space.  smbmount is the coolest, but probably
not all that great for ftp serving.

-Andrew Kerr

---
Andrew Kerr
mailto:[EMAIL PROTECTED]
http://www.umich.edu/~akerr

School of Natural Resources and the Environment
Electrical Engineering and Computer Science
University of Michigan
---

> -Original Message-
> From: Mark W. Jeanmougin [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 05, 1999 12:31 AM
> To: Jon Oransky
> Cc: [EMAIL PROTECTED]
> Subject: Re: [masq] FTP
>
>
> On Thu, 4 Feb 1999, Jon Oransky wrote:
> > Ok, I have IP Masq set up on my linux machine, I also have 2 other
> > computers, one w/ NT the other w/ 95.  What is the best way to set up an
> > FTP site on my NT machine w/ IP Masq.  Some people have told me to just run
> > SAMBA and map the files from the ftp site onto my NT machine's drive.  Would
> > this be the ideal way of doing it? or should I use ipautofw to forward all
> > incoming to port 21 to my NT machine?  If ipautofw is a good solution, what
> > do I need to do exactly to set this up?
>
> I'm not saying that it's the "best" way as you put it, but the way I did
> it for my machine was to use samba, and just map things into my /home/ftp
> directory.
>
> Good luck, and keep us posted,
>
> MarkJ
>
>
> ``We can't be so fixated on our desire to preserve the rights
> of ordinary Americans ...'' -- Bill Clinton (USA TODAY,
> 11 March 1993, page 2A)
>
> My main goal has always been to be in the position that I'm not
> ashamed of what I've done or am doing, and that I'm doing the
> best I can. -- Linus Torvalds
>




Re: [masq] FTP

1999-02-05 Thread Mark W. Jeanmougin

On Thu, 4 Feb 1999, Jon Oransky wrote:
> Ok, I have IP Masq set up on my linux machine, I also have 2 other
> computers, one w/ NT the other w/ 95.  What is the best way to set up an
> FTP site on my NT machine w/ IP Masq.  Some people have told me to just run
> SAMBA and map the files from the ftp site onto my NT machine's drive.  Would
> this be the ideal way of doing it? or should I use ipautofw to forward all
> incoming to port 21 to my NT machine?  If ipautofw is a good solution, what
> do I need to do exactly to set this up?

I'm not saying that it's the "best" way as you put it, but the way I did
it for my machine was to use samba, and just map things into my /home/ftp
directory.

Good luck, and keep us posted,

MarkJ


``We can't be so fixated on our desire to preserve the rights
of ordinary Americans ...'' -- Bill Clinton (USA TODAY,
11 March 1993, page 2A)

My main goal has always been to be in the position that I'm not
ashamed of what I've done or am doing, and that I'm doing the
best I can. -- Linus Torvalds




[masq] FTP

1999-02-04 Thread Jon Oransky

Ok, I have IP Masq set up on my linux machine, I also have 2 other
computers, one w/ NT the other w/ 95.  What is the best way to set up an
FTP site on my NT machine w/ IP Masq.  Some people have told me to just run
SAMBA and map the files from the ftp site onto my NT machine's drive.  Would
this be the ideal way of doing it? or should I use ipautofw to forward all
incoming to port 21 to my NT machine?  If ipautofw is a good solution, what
do I need to do exactly to set this up?

- Jon



Re: [masq] [masq] FTP and firewalls

1999-01-29 Thread Clifford Hammerschmidt

At 10:14 PM 1/28/99 -0600, Fuzzy Fox wrote:
>Clifford Hammerschmidt <[EMAIL PROTECTED]> wrote:
>>
>> >ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
>> 
>> This is also the same as -P input ACCEPT...  you're allowing anyone to
>> connect from their port 20 (easy enough to spoof) to your box on any
>> port above 1023...  not a great idea.
>
>I think he later changed it to encompass only the masq range, 61000-
>65535, but still, the point is valid.  Even with the looser ruleset,
>though, few important services are above the 1024 port range.  The only
>ones that come to mind are NFS and X, both of which can be specifically
>blocked.  I wouldn't worry so much.
>
>> Someone using NMap could scan all your upper ports easily.
>
>And what would they find there?

Any backdoor or Trojan installed on your system by tampered code or
previous hacks.



Re: [masq] FTP and firewalls

1999-01-28 Thread Fuzzy Fox

Clifford Hammerschmidt <[EMAIL PROTECTED]> wrote:
>
> >ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
> 
> This is also the same as -P input ACCEPT...  you're allowing anyone to
> connect from their port 20 (easy enough to spoof) to your box on any
> port above 1023...  not a great idea.

I think he later changed it to encompass only the masq range, 61000-
65535, but still, the point is valid.  Even with the looser ruleset,
though, few important services are above the 1024 port range.  The only
ones that come to mind are NFS and X, both of which can be specifically
blocked.  I wouldn't worry so much.

> Someone using NMap could scan all your upper ports easily.

And what would they find there?

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown



Re: [masq] [masq] FTP and firewalls

1999-01-28 Thread Fred Viles

On 28 Jan 99, at 22:28, Tim Fletcher wrote about
"Re:  [masq] FTP and firewalls":

| > But this change won't help a masqueraded client, because there is no 
| > way to get the packet forwarded to the internal IP.  So you seem to 
| > be talking about running the FTP client on the masquerading box 
| > itself?  If so, masquerading doesn't enter into it.
| 
| Oh it does
| 
| I run on the ipmasqed firewall: 

The firewall machine is not masqed, it is the masqER.

| /sbin/ipchains -D input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
| and then I can ls a dir on sunsite 

Running ftp client on some machine whose IP is *not* "myip"?  
Assuming so...

| I then run:
| /sbin/ipchains -I input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
| and I can't ls a dir on sunsite 
|...

Well, of course for masquerading to work at all, the firewall must 
accept incoming packets for (at least) the range of ports used by 
masquerading.  If replies to masqueraded outgoing packets are not 
accepted, they can't be demasqueraded/forwarded.

Since merely adding this accept rule allows ftp PORT commands to 
work, you must be running the ip_masq_ftp module.  But the fact that 
you *need* to add it is surprising.  I would have thought some other 
less specific input rule would have accepted these packets.

|...

- Fred Viles <mailto:[EMAIL PROTECTED]>





Re: [masq] [masq] [masq] [masq] FTP and firewalls

1999-01-28 Thread Clifford Hammerschmidt

At 10:39 PM 1/28/99 +, Tim Fletcher wrote:
>> I run on the ipmasqed firewall: 
>> /sbin/ipchains -D input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
>> and then I can't ls a dir on sunsite 
>   ^^
>Sorry bad typing day  :)
>

I believe he was referring to the machine doing the masq'ing, not the
clients being masq'd...

if you use:

LOCALIP=`ifconfig eth0 | awk '/inet addr/ {print substr($2,6)}'`
ALL="0.0.0.0/0"
LAN=192.168.1.0/24

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s $LAN -d $ALL
/sbin/ipchains -M -S 7200 10 7200
/sbin/ipchains -A input -p ICMP -s $ALL -d $LOCALIP -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -p TCP \! -y -d $ALL 1024: -j ACCEPT

you have to use Passive transfers for the firewall box. Allowing port 20 to
connect to ports above 65000 won't work for the firewall box, but will for
everyone behind it, since the port command will always be going to 65000+
for MASQ'd clients. Of course this would also allow someone to run a
backdoor on ports above 65000 on your firewall box...



Re: [masq] [masq] [masq] FTP and firewalls

1999-01-28 Thread Tim Fletcher

> I run on the ipmasqed firewall: 
> /sbin/ipchains -D input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
> and then I can't ls a dir on sunsite 
^^
Sorry bad typing day  :)

  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
  /(   )\
   ^^-^^

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam (For non-latiners: "I have a catapult. Give me all the
money, or I will fling an enormous rock at your head.")




Re: [masq] [masq] FTP and firewalls

1999-01-28 Thread Tim Fletcher

> But this change won't help a masqueraded client, because there is no 
> way to get the packet forwarded to the internal IP.  So you seem to 
> be talking about running the FTP client on the masquerading box 
> itself?  If so, masquerading doesn't enter into it.

Oh it does

I run on the ipmasqed firewall: 
/sbin/ipchains -D input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
and then I can ls a dir on sunsite 

I then run:
/sbin/ipchains -I input -j ACCEPT  -p tcp -y -s 0.0.0.0/0 20 -d myip 6:65535
and I can

and I can now if I am missing something please tell me but this works for
me.

  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
[EMAIL PROTECTED]   /(   )\
   ^^-^^
Slowly and surely the unix crept up on the Nintendo user ...




Re: [masq] FTP and firewalls

1999-01-28 Thread Fred Viles

On 28 Jan 99, at 14:26, Tim Fletcher wrote about
"[masq] FTP and firewalls":

|   Following all the recent traffic on this list and others about
| ftp and ip masqing I wondered why I could ftp _with_ port perfectly.
| Anyhow I upgraded my kernel to 2.2.0 (from 2.0.36) and learnt ipchains
| over the last few days. 

Running the ip_masq_ftp module allows PORT commands from masqueraded 
clients to work fine.  But...

|...
|   A little thinking and a little bit of tail -f /var/log/messages I
| see connections from the ftp server from port 20 being denied ah, I have
| found the problem. Add this rule to your rule set and port based ftp will 
| work:
| 
| ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
| or
| ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D yourip 1024:65535
| (no warranty on this one I don't know ipfwadm very well)

But this change won't help a masqueraded client, because there is no 
way to get the packet forwarded to the internal IP.  So you seem to 
be talking about running the FTP client on the masquerading box 
itself?  If so, masquerading doesn't enter into it.

- Fred Viles <mailto:[EMAIL PROTECTED]>





Re: [masq] FTP and firewalls

1999-01-28 Thread Tim Fletcher

> >ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
> 
> um, why bother running the firewall then? This is also the same as -P input
> ACCEPT... you're allowing anyone to connect from their port 20 (easy enough
> to spoof) to your box on any port above 1023... not a great idea. Someone
> using NMap could scan all your upper ports easily.
> 
> Is it that hard to type PASSIVE?

oops daft error I meant to say ports over 6 (ie masq'd connections) and
I also run abacus sentry which _should_ stop the scans.

  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
  /(   )\
   ^^-^^

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam (For non-latiners: "I have a catapult. Give me all the
money, or I will fling an enormous rock at your head.")




Re: [masq] FTP and firewalls

1999-01-28 Thread Clifford Hammerschmidt

>
>ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535

um, why bother running the firewall then? This is also the same as -P input
ACCEPT... you're allowing anyone to connect from their port 20 (easy enough
to spoof) to your box on any port above 1023... not a great idea. Someone
using NMap could scan all your upper ports easily.

Is it that hard to type PASSIVE?
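
The point argued in this thread is that the rule keys on the source port, a field the sender fills in. As an added example (not from the thread), the Python model below evaluates constructed connection-opening packets against the posted rule, the same rule narrowed to the 61000:65535 masq range mentioned in a later reply, and a hypothetical tracked filter that accepts a data connection only from the server and to the port of a transfer the client actually requested. All addresses, the Syn and TrackedFilter names and the sample set are assumptions made for illustration.

```python
from dataclasses import dataclass

MY_IP = "203.0.113.5"  # constructed address standing in for "yourip"


@dataclass(frozen=True)
class Syn:
    """A connection-opening TCP segment, i.e. what ipchains -y matches."""
    src: str
    sport: int
    dst: str
    dport: int


def rule_high_ports(p):
    """-A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535"""
    return p.sport == 20 and p.dst == MY_IP and 1024 <= p.dport <= 65535


def rule_masq_range(p):
    """The same rule with the destination narrowed to 61000:65535."""
    return p.sport == 20 and p.dst == MY_IP and 61000 <= p.dport <= 65535


class TrackedFilter:
    """Accept only data connections announced on a control connection."""

    def __init__(self):
        self.expected = set()  # (server ip, local port) pairs

    def expect(self, server_ip, local_port):
        # Called when a PORT command naming local_port goes out to server_ip.
        self.expected.add((server_ip, local_port))

    def accept(self, p):
        key = (p.src, p.dport)
        if p.sport == 20 and p.dst == MY_IP and key in self.expected:
            self.expected.discard(key)  # one connection per announcement
            return True
        return False


# Constructed sample packets. The first is the FTP server answering a PORT
# command; the others come from an unrelated host.
SAMPLES = [
    ("requested-data", Syn("198.51.100.20", 20, MY_IP, 61000)),
    ("x11", Syn("192.0.2.66", 20, MY_IP, 6000)),
    ("nfs", Syn("192.0.2.66", 20, MY_IP, 2049)),
    ("masq-unused", Syn("192.0.2.66", 20, MY_IP, 62000)),
    ("ordinary-sport", Syn("192.0.2.66", 40000, MY_IP, 6000)),
]


def evaluate():
    """Return {sample: (high_ports, masq_range, tracked)} accept decisions."""
    tracked = TrackedFilter()
    tracked.expect("198.51.100.20", 61000)  # the one transfer in progress
    return {
        name: (rule_high_ports(p), rule_masq_range(p), tracked.accept(p))
        for name, p in SAMPLES
    }


if __name__ == "__main__":
    print(f"{'sample':<16}{'1024:65535':<12}{'61000:65535':<13}tracked")
    for name, (a, b, c) in evaluate().items():
        print(f"{name:<16}{str(a):<12}{str(b):<13}{c}")
```

The only difference between the "x11" and "ordinary-sport" rows is the source port, which is why the stateless rules cannot tell the FTP server from any other host; narrowing the destination range shrinks what is reachable but still admits the "masq-unused" packet.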




[masq] FTP and firewalls

1999-01-28 Thread Tim Fletcher

Following all the recent traffic on this list and others about
ftp and ip masqing I wondered why I could ftp _with_ port perfectly.
Anyhow I upgraded my kernel to 2.2.0 (from 2.0.36) and learnt ipchains
over the last few days. 

Following the upgrade I can't ftp, and before you all mail me and
say that I have to use PASV mode, I know. But I don't I have found the
problem :). Before the upgrade I was inside another firewall hence little
need for security so I had input / output default to accept.

Now I am still inside the same firewall but I decided to play with
security a little so ported most of the TrinityOS firewall rules over to
ipchains, hence input / output are now deny. I can't ftp with port mode,
humm interesting. 

A little thinking and a little bit of tail -f /var/log/messages I
see connections from the ftp server from port 20 being denied ah, I have
found the problem. Add this rule to your rule set and port based ftp will 
work:

ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
or
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D yourip 1024:65535
(no warranty on this one I don't know ipfwadm very well)


  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
[EMAIL PROTECTED]   /(   )\
   ^^-^^
Slowly and surely the unix crept up on the Nintendo user ...




Re: [masq] [masq] FTP timeout?

1999-01-19 Thread mumford


> At 10:02 PM 1/16/99 -0800, Fred Viles wrote:
> >On 16 Jan 99, at 15:21, Charles Curley wrote about
> >"[masq] FTP timeout?":
> >
> >| I have been running ip masquerading for about a month. I have noticed a
> >| glitch which may be a timeout issue: when I transfer a large file (10+Mb)
> >| using Netscape on NT, the whole file appears to transfer. Then the little
> >| window just hangs there.
> >
> >This will happen if you are not running the ip_masq_ftp "helper" 
> >module.  As you guessed, it is probably the control connection timing 
> >out while the lengthy data connection is going on.
> >
> >Does lsmod show ip_masq_ftp running?
> 
> ip_masq_ftp is built into the kernel, not a module.

Um, I'm no expert on the masquerading helper modules, but I'm pretty sure
it's not possible (easily) to compile this in as part of the kernel.  I do
know for sure that there is no way to do it with the standard config.

You might want to double check your setup.





Re: [masq] [masq] FTP timeout?

1999-01-19 Thread Charles Curley

It may have been another problem entirely.

I compiled ip masquerading into the kernel to speed things up. What I
didn't know is that that only compiles the basic masquerading stuff into
the kernel. There is no option to make ip_masq_ftp et alia part of the
kernel. Since (having assumed otherwise) I took the modprobe statements out
of my rc.local initialization script, they weren't loaded. Since figuring
out (with the help of another member of the list) that those modules and
the modprobe statements are necessary, I loaded the modules manually. I
think that may have solved the problem, but haven't yet tested it on a
monster file.


At 09:31 PM 1/16/99 -0700, Charles Shoemaker wrote:
>This hasn't happened to me since upgrading to kernel 2.0.  May I 
>suggest a couple of things:  
>
>You can watch the masq action with "ipfwadm -M -l" (little el) and 
>see the port timings.  
>
>You might try a large file transfer with ftp on your NT machine, and 
>see if you have the same problem.  If you do, it's in masquerade, if 
>not, it's in Netscape.
>
>Also, activate the masq ftp module in your rc.local with 
>"/sbin/modprobe ip_masq_ftp.o".
>
>Let us know.
>Charlie Shoemaker
>PS  I spaced out your patch question.  I'll get a reply to you 
>tomorrow.  (If I remember correctly, go to /usr/src/linux and type 
>"patch -p0 -l < ../patchfile".)  Better details tomorrow morning.
>
>> Date:  Sat, 16 Jan 1999 15:21:57 -0700
>> To:[EMAIL PROTECTED]
>> From:  Charles Curley <[EMAIL PROTECTED]>
>> Subject:   [masq] FTP timeout?
>
>> I have been running ip masquerading for about a month. I have noticed a
>> glitch which may be a timeout issue: when I transfer a large file (10+Mb)
>> using Netscape on NT, the whole file appears to transfer. Then the little
>> window just hangs there. If I copy the file before hitting cancel (to
>> preserve it) it is only partially intact. I can copy the same file in with
>> a direct connection with no problem, and I only have seen this when copying
>> via the IP masquerading computer.
>> 
>> Is this an IP masquerading timeout issue? If so, how can I solve it?
>> 
>> Thanks.
>> 
>> 
>> 
>>  -- C^2
>> 
>>  I have sworn upon the altar of God eternal hostility against every form of
>> tyranny over the mind of man.
>> -- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.
>> 
>> Thomas Jefferson, Patron Saint of the Internet:
>> http://w3.trib.com/~ccurley/Jefferson.html
>"Some people crave baseball - I find this unfathomable - but I can
>easily understand why a person could get excited about playing a
>bassoon."  --  Frank Zappa

-- C^2

I have sworn upon the altar of God eternal hostility against every form of
tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] FTP timeout?

1999-01-19 Thread Fred Viles

On 16 Jan 99, at 15:21, Charles Curley wrote about
"[masq] FTP timeout?":

| I have been running ip masquerading for about a month. I have noticed a
| glitch which may be a timeout issue: when I transfer a large file (10+Mb)
| using Netscape on NT, the whole file appears to transfer. Then the little
| window just hangs there.

This will happen if you are not running the ip_masq_ftp "helper" 
module.  As you guessed, it is probably the control connection timing 
out while the lengthy data connection is going on.

Does lsmod show ip_masq_ftp running?

|...

- Fred Viles <mailto:[EMAIL PROTECTED]>





Re: [masq] FTP timeout?

1999-01-19 Thread Steffen Plotner

Hi

I have had the same problem with kernel 2.0.29 and the masq_ftp module -
since I have upgraded the kernel to 2.0.33 and also loaded masq_ftp
module the problem went away - does anybody know what exactly it takes
to fix the timeout problem?  I am also running diald.

Thanks

> -Original Message-
> From: Charles Curley [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, January 16, 1999 5:22 PM
> To:   [EMAIL PROTECTED]
> Subject:  [masq] FTP timeout?
> 
> I have been running ip masquerading for about a month. I have noticed a
> glitch which may be a timeout issue: when I transfer a large file (10+Mb)
> using Netscape on NT, the whole file appears to transfer. Then the little
> window just hangs there. If I copy the file before hitting cancel (to
> preserve it) it is only partially intact. I can copy the same file in with
> a direct connection with no problem, and I only have seen this when copying
> via the IP masquerading computer.
> 
> Is this an IP masquerading timeout issue? If so, how can I solve it?
> 
> Thanks.
> 
> 
> 
>   -- C^2
> 
>   I have sworn upon the altar of God eternal hostility against
> every form of
> tyranny over the mind of man.
> -- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.
> 
> Thomas Jefferson, Patron Saint of the Internet:
> http://w3.trib.com/~ccurley/Jefferson.html



[masq] FTP timeout?

1999-01-19 Thread Charles Curley

I have been running ip masquerading for about a month. I have noticed a
glitch which may be a timeout issue: when I transfer a large file (10+Mb)
using Netscape on NT, the whole file appears to transfer. Then the little
window just hangs there. If I copy the file before hitting cancel (to
preserve it) it is only partially intact. I can copy the same file in with
a direct connection with no problem, and I only have seen this when copying
via the IP masquerading computer.

Is this an IP masquerading timeout issue? If so, how can I solve it?

Thanks.



-- C^2

I have sworn upon the altar of God eternal hostility against every form of
tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] FTP timeout?

1999-01-19 Thread Charles Curley

At 10:02 PM 1/16/99 -0800, Fred Viles wrote:
>On 16 Jan 99, at 15:21, Charles Curley wrote about
>"[masq] FTP timeout?":
>
>| I have been running ip masquerading for about a month. I have noticed a
>| glitch which may be a timeout issue: when I transfer a large file (10+Mb)
>| using Netscape on NT, the whole file appears to transfer. Then the little
>| window just hangs there.
>
>This will happen if you are not running the ip_masq_ftp "helper" 
>module.  As you guessed, it is probably the control connection timing 
>out while the lengthy data connection is going on.
>
>Does lsmod show ip_masq_ftp running?

ip_masq_ftp is built into the kernel, not a module.


-- C^2

I have sworn upon the altar of God eternal hostility against every form of
tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html



Re: [masq] FTP timeout?

1999-01-18 Thread Charles Shoemaker

This hasn't happened to me since upgrading to kernel 2.0.  May I 
suggest a couple of things:  

You can watch the masq action with "ipfwadm -M -l" (little el) and 
see the port timings.  

You might try a large file transfer with ftp on your NT machine, and 
see if you have the same problem.  If you do, it's in masquerade, if 
not, it's in Netscape.

Also, activate the masq ftp module in your rc.local with 
"/sbin/modprobe ip_masq_ftp.o".

Let us know.
Charlie Shoemaker
PS  I spaced out your patch question.  I'll get a reply to you 
tomorrow.  (If I remember correctly, go to /usr/src/linux and type 
"patch -p0 -l < ../patchfile".)  Better details tomorrow morning.

> Date:  Sat, 16 Jan 1999 15:21:57 -0700
> To:[EMAIL PROTECTED]
> From:      Charles Curley <[EMAIL PROTECTED]>
> Subject:   [masq] FTP timeout?

> I have been running ip masquerading for about a month. I have noticed a
> glitch which may be a timeout issue: when I transfer a large file (10+Mb)
> using Netscape on NT, the whole file appears to transfer. Then the little
> window just hangs there. If I copy the file before hitting cancel (to
> preserve it) it is only partially intact. I can copy the same file in with
> a direct connection with no problem, and I only have seen this when copying
> via the IP masquerading computer.
> 
> Is this an IP masquerading timeout issue? If so, how can I solve it?
> 
> Thanks.
> 
> 
> 
>   -- C^2
> 
>   I have sworn upon the altar of God eternal hostility against every form of
> tyranny over the mind of man.
> -- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.
> 
> Thomas Jefferson, Patron Saint of the Internet:
> http://w3.trib.com/~ccurley/Jefferson.html
"Some people crave baseball - I find this unfathomable - but I can
easily understand why a person could get excited about playing a
bassoon."  --  Frank Zappa



[masq] Ftp across gateway machine

1999-01-14 Thread Doug Lumpkin

Whenever I try to telnet or ftp to a box behind my gateway I end up with the
following error messages:

Jan 14 02:06:26 takamine in.telnetd[1550]: connect from unknown
Jan 14 02:06:32 takamine in.telnetd[1551]: warning: can't get client address:
Connection reset by peer
Jan 14 02:06:32 takamine in.telnetd[1551]: connect from unknown
Jan 14 02:06:44 takamine in.telnetd[1552]: warning: can't get client address:
Connection reset by peer

Ping seems to work ok though... any ideas?
Thanks,
Doug

I have the following set-up:

Linux box (gateway RH 5.1)  --> ppp0 (12.7.120.83)
   eth0 (12.7.121.239)
Linux Box (takamine)   --> eth0 (12.7.121.240)
Win 95 --> eth (12.7.121.241)
-
My masq setup is:

echo "ip_masq"
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o
/sbin/modprobe ip_masq_irc.o
/sbin/modprobe ipip.o
/sbin/modprobe ip_alias.o
/sbin/ipfwadm -F -a  m -S 12.7.121.0/24 -D 0.0.0.0/0 -W ppp0
/sbin/ifconfig eth0 12.7.121.239
/sbin/route add -net 12.7.121.0
-
And my routing table looks like:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
tc1.pacinfo.com *               255.255.255.255 UH    0      0     0 ppp0
12.7.121.0      *               255.255.255.0   U     0      0     8 eth0
127.0.0.0       *               255.0.0.0       U     0      0     2 lo
default         *               0.0.0.0         U     0      0    17 ppp0
default         tc1.pacinfo.com 0.0.0.0         UG    0      0     0 ppp0
--





Re: [masq] IP Masq - FTP problems

1999-01-14 Thread David A. Ranch


>I have experimented and found out that only passive ftp sessions work.
>From a linux box on the lan an ftp session must be switched to "passive"
>before I "NLIST" a directory.
>
>Perhaps this is the way it's supposed to work?

No, active FTPs work for most people as long as they are FTPing to
a remote site on port 21.  Are you using a strong IPFWADM ruleset?
Are you allowing port 20 out?

--DAvid
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] IP Masq - FTP problems

1999-01-14 Thread Carl Petersen

Yes, if I fire up an ftp session on one of the clients the "Used By"
field increments.

I have experimented and found out that only passive ftp sessions work.
From a linux box on the lan an ftp session must be switched to "passive"
before I "NLIST" a directory.

Perhaps this is the way it's supposed to work?

Next I'll look at the ip_masq_ftp source code and see just what it's 
doing?

--Carl 

David A. Ranch wrote:
> 
> No.. to be honest, I don't know what the "Pages" and "Used By"
> fields mean though, when a module is being used, the "Used
> By" field will increment per client.
> 
> So, when you try to FTP out to the internet on port 21, does
> your ip_masq_ftp counter increase?
> 
> --David



Re: [masq] [masq] IP Masq - FTP problems

1999-01-14 Thread David A. Ranch


>lsmod gives the following result:
>   Module            Pages   Used By
>   ax88140           3       1 (autoclean)
>   ip_masq_vdo_live  1       0
>   ip_masq_cuseeme   1       0
>   ip_masq_irc       1       0
>   ip_masq_raudio    1       0
>   ip_masq_ftp       1       0
>
>This is from a running system.  Should the helpers be "used by"
>some process?

No.. to be honest, I don't know what the "Pages" and "Used By"
fields mean though, when a module is being used, the "Used
By" field will increment per client.

So, when you try to FTP out to the internet on port 21, does
your ip_masq_ftp counter increase?

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] IP Masq - FTP problems

1999-01-12 Thread Carl Petersen

Hi,
The MTU on eth0 is 1500 and ppp0 is 1500.
I've verified that all ip_masq_* modules are loaded.

David A. Ranch wrote:
> 
> What is your Linux box's MTU on the Internet connection?
> 
> --David
> ..
> |  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
> !!
> `- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] IP Masq - FTP problems

1999-01-12 Thread Carl Petersen

lsmod gives the following result:
Module            Pages   Used By
ax88140           3       1 (autoclean)
ip_masq_vdo_live  1       0
ip_masq_cuseeme   1       0
ip_masq_irc       1       0
ip_masq_raudio    1       0
ip_masq_ftp       1       0

This is from a running system.  Should the helpers be "used by"
some process?

--Carl

Fred Viles wrote:
> 
> That should work fine.  You've verified that the FTP masquerade
> "helper" module (ip_masq_ftp) is loaded?  lsmod should show it.  If
> it's not loaded then masqueraded FTP clients will only work in
> passive mode.
> 
> - Fred Viles 



Re: [masq] [masq] IP Masq - FTP problems

1999-01-12 Thread David A. Ranch


>No, I'm talking about masqueraded client machines connecting to ftp
>servers on the internet. Some ftp clients work some just hang; usually
>on a LIST command.

What is your Linux box's MTU on the Internet connection?

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] IP Masq - FTP problems

1999-01-11 Thread Fred Viles

On 11 Jan 99, at 21:00, Carl Petersen wrote about
"Re:  [masq] IP Masq - FTP problems":

| No, I'm talking about masqueraded client machines connecting to ftp
| servers on the internet. Some ftp clients work some just hang; usually
| on a LIST command.

That should work fine.  You've verified that the FTP masquerade 
"helper" module (ip_masq_ftp) is loaded?  lsmod should show it.  If 
it's not loaded then masqueraded FTP clients will only work in 
passive mode.

- Fred Viles <mailto:[EMAIL PROTECTED]>





Re: [masq] IP Masq - FTP problems

1999-01-11 Thread Carl Petersen

No, I'm talking about masqueraded client machines connecting to ftp
servers on the internet. Some ftp clients work some just hang; usually
on a LIST command.

-- Carl


Fred Viles wrote:
> 
> Are you talking about outside clients connecting to a masqueraded
> server?  If so, clients using PASV mode (i.e. most web browsers)
> won't work.
> 
> - Fred Viles 



Re: [masq] [masq] IP Masq - FTP problems

1999-01-11 Thread David A. Ranch


>AFAIK this 2000-2020 stuff is not necessary, nor are changing the IPFWADM
>UDP timeouts.  I'm running a 2.0.36 masq right now with the default UDP
>timeout and no special forwarding for ICQ, and have two hosts behind it
>running ICQ with no problems.  I did configure for a non-socks firewall,
>however, and set the firewall timeout to ~1 minute.

Unless you setup IPPORTFW, ICQ Chat won't work though messaging will.

Regarding the changing of the UDP timeouts, you are right, though I
found this option in ICQ later.  You DO need to change the UDP timeout if
you don't change ICQ's firewall timeout.

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] [masq] IP Masq - FTP problems

1999-01-11 Thread Fred Viles

On 10 Jan 99, at 10:15, Carl Petersen wrote about
"Re:  [masq] IP Masq - FTP problems":

| Hi,
| I have a new ipmasq setup running just great after I set the mtu on the
| ppp0 interface to 1500. Using Win98, linux, WinNT 5.0 and BeOS as
| clients.
| 
| Could someone shed some light on the FTP issue? I seem to have the
| same issue Mr. Engstrom wrote about except the ftp server I'm connecting
| to is on port 21. Some ftp clients hang when attempting a file list and
| others succeed?

Are you talking about outside clients connecting to a masqueraded 
server?  If so, clients using PASV mode (i.e. most web browsers) 
won't work.

- Fred Viles <mailto:[EMAIL PROTECTED]>





Re: [masq] IP Masq - FTP problems

1999-01-11 Thread Corlew, David (GEIS)

When NOT using PASV, I believe the problem has more to do with the use of
non-standard FTP ports than anything else. From my experience, the masq
software uses a different technique when setting up the masq routing entries
for non-standard versus standard FTP port usage. This causes demasquerading
problems when a FTP server tries to do the data connection back to the client
(using of course, ip info from a prior masq'd PORT command).

Provided that the server can support PASV mode, that would be the favored
solution. Unless your friend's server could be altered to use the standard
21 listening port (which appears to satisfy masq). I, for one would welcome
a solution for non-PASV and non-standard PORT servers.

Regards,
Dave Corlew


-Original Message-
From: David A. Ranch [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 09, 1999 2:24 PM
To: Carl Engstrom; [EMAIL PROTECTED]
Subject: Re: [masq] IP Masq - FTP problems



>1)  My friend has an ftp site that for some reason I can't get data transfers
>from.  I can log in to the site just fine, but when The site sends me a
>directory list, I get a
>
>425 can't build data connection:  No route to host
>can't initiate data transfer.
>
>I can connect to every other site that I've tried.  The site I'm connecting to
>is not at PORT 21 it's at PORT 2001 and he's running glftpd not the standard
>ftpd from red hat.

Ahhh.. check.  You either need to do FTPs with the PASV mode or
you need to load the ip_masq_ftp module with:

/sbin/insmod ip_masq_ftp ports=21,2001

This is what the /usr/src/linux/net/ipv4/ip_masq_ftp.c source code says:

--
 * Multiple Port Support
 *  The helper can be made to handle up to MAX_MASQ_APP_PORTS (normally 12)
 *  with the port numbers being defined at module load time.  The module
 *  uses the symbol "ports" to define a list of monitored ports, which can
 *  be specified on the insmod command line as
 *  ports=x1,x2,x3...
 *  where x[n] are integer port numbers.  This option can be put into
 *  /etc/conf.modules (or /etc/modules.conf depending on your config)
 *  where modload will pick it up should you use modload to load your
 *  modules.
 *
 */
--


>2) I can't connect directly with ICQ.  I can send messages through the server,
>but I can't chat or send a direct message.

Did you properly configure ICQ for:

- non-socks firewall
- limit ports to 2000-2020

Did you change the IPFWADM UDP timeout to 8 minutes?

Did you setup IPPORTFW and forward ports 2000-2020 to your
MASQed ICQ machine?


Anyway, the TrinityOS doc (updated yesterday and today), have all
these settings documented.  Just check out:

11 - Patching, Compiling, and installing IPPORTFW

10 - MASQ startup and advanced firewall rulesets for single and multi-NIC
setups

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



Re: [masq] IP Masq - FTP problems

1999-01-10 Thread Carl Petersen

Hi,
I have a new ipmasq setup running just great after I set the mtu on the
ppp0 interface to 1500. Using Win98, linux, WinNT 5.0 and BeOS as
clients.

Could someone shed some light on the FTP issue? I seem to have the
same issue Mr. Engstrom wrote about except the ftp server I'm connecting
to is on port 21. Some ftp clients hang when attempting a file list and
others succeed?

Thanks for your time,
Carl Petersen

> Carl Engstrom wrote:
> 
> I've got my IP masq working about 85%, but I still have two nagging
> problems.
> 
> First, let me say.  I have all of the IP_MASQ_X modules loaded and
> compiled into the kernel.
> 
> 1)  My friend has an ftp site that for some reason I can't get data
> transfers from.  I can log in to the site just fine, but when The site
> sends me a directory list, I get a
> 
> 425 can't build data connection:  No route to host
> can't initiate data transfer.
>
-- snip -- 
> Carl Engstrom
> 
>



Re: [masq] [masq] IP Masq - FTP problems

1999-01-09 Thread mumford

On Sat, 9 Jan 1999, David A. Ranch wrote:

> >2) I can't connect directly with ICQ.  I can send messages through the server,
> >but I can't chat or send a direct message.
> 
> Did you properly configure ICQ for:
> 
>   - non-socks firewall
>   - limit ports to 2000-2020
>   
> Did you change the IPFWADM UDP timeout to 8 minutes?
> 
> Did you setup IPPORTFW and forward ports 2000-2020 to your
> MASQed ICQ machine?

AFAIK this 2000-2020 stuff is not necessary, nor are changing the IPFWADM
UDP timeouts.  I'm running a 2.0.36 masq right now with the default UDP
timeout and no special forwarding for ICQ, and have two hosts behind it
running ICQ with no problems.  I did configure for a non-socks firewall,
however, and set the firewall timeout to ~1 minute.
 
Glenn Lamb - [EMAIL PROTECTED]  Finger for my PGP Key.
Email to me must have my address in either the To: or Cc: field.  All other
mail will be bounced automatically as spam.
PGPprint = E3 0F DE CC 94 72 D1 1A  2D 2E A9 08 6B A0 CD 82




Re: [masq] IP Masq - FTP problems

1999-01-09 Thread David A. Ranch


>1)  My friend has an ftp site that for some reason I can't get data transfers
>from.  I can log in to the site just fine, but when The site sends me a
>directory list, I get a
>
>425 can't build data connection:  No route to host
>can't initiate data transfer.
>
>I can connect to every other site that I've tried.  The site I'm connecting to
>is not at PORT 21 it's at PORT 2001 and he's running glftpd not the standard
>ftpd from red hat.

Ahhh.. check.  You either need to do FTPs with the PASV mode or
you need to load the ip_masq_ftp module with:

/sbin/insmod ip_masq_ftp ports=21,2001

This is what the /usr/src/linux/net/ipv4/ip_masq_ftp.c source code says:

--
 * Multiple Port Support
 *  The helper can be made to handle up to MAX_MASQ_APP_PORTS (normally 12)
 *  with the port numbers being defined at module load time.  The module
 *  uses the symbol "ports" to define a list of monitored ports, which can
 *  be specified on the insmod command line as
 *  ports=x1,x2,x3...
 *  where x[n] are integer port numbers.  This option can be put into
 *  /etc/conf.modules (or /etc/modules.conf depending on your config)
 *  where modload will pick it up should you use modload to load your
 *  modules.
 *
 */
--


>2) I can't connect directly with ICQ.  I can send messages through the server,
>but I can't chat or send a direct message.

Did you properly configure ICQ for:

- non-socks firewall
- limit ports to 2000-2020

Did you change the IPFWADM UDP timeout to 8 minutes?

Did you setup IPPORTFW and forward ports 2000-2020 to your
MASQed ICQ machine?


Anyway, the TrinityOS doc (updated yesterday and today), have all
these settings documented.  Just check out:

11 - Patching, Compiling, and installing IPPORTFW

10 - MASQ startup and advanced firewall rulesets for single and multi-NIC
setups

--David
..
|  David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]  |
!!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'



[masq] IP Masq - FTP problems

1999-01-09 Thread Carl Engstrom




I've got my IP masq working about 85%, but I still have two nagging problems.

First, let me say.  I have all of the IP_MASQ_X modules loaded and compiled
into the kernel.

1)  My friend has an ftp site that for some reason I can't get data transfers
from.  I can log in to the site just fine, but when The site sends me a
directory list, I get a

425 can't build data connection:  No route to host
can't initiate data transfer.

I can connect to every other site that I've tried.  The site I'm connecting to
is not at PORT 21 it's at PORT 2001 and he's running glftpd not the standard
ftpd from red hat.

2) I can't connect directly with ICQ.  I can send messages through the server,
but I can't chat or send a direct message.

BACKGROUND:

I'm 1 month into Linux/Unix.  I'm running Red Hat 5.2 and I have the following
RC.LOCAL file:

path=/sbin:/bin:/etc:

echo "ip_masq 192.168.100.1"
echo "1" > /proc/sys/net/ipv4/ip_forward

/sbin/insmod 3c509.o
/sbin/insmod 3c59x.o

/sbin/modprobe 3c509

/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
#/sbin/ifconfig -a eth1 192.168.100.10/24 -D 0.0.0.0/0
#/sbin/route add -net 24.1.168.74

I've read the Man Pages and the How-to files.  I even went through the
TrinityOS paper (A little over my head)

Any help would be appreciated.

Thanks

Carl Engstrom


Re: [masq] FW: masq FTP help!

1998-11-19 Thread Tim Fletcher

> Thanks for your response! I'm pretty sure I've configured for the 
> ftp module to be masqing, because I use ftp quite a bit and it 
> works fine except for this instance. I think it has to do with
> the way masquerade entries are made in the masq table when 
> ftp is connecting to a non-default port (not 21) and setting up for
> de-masq. 
> 
> For ftp i'm using: "ip_masq_ftp ports=21,12345"
> and of course from the WIN95 box ftp>OPEN xxx.xxx.xxx.xxx 12345

I have tried setting up a non-standard port ftp server and I can use it
fine across my masqing firewall, with no changes to the module. Is the
remote host using a non-standard protocol as well?

> My guess is that ip_masq_ftp somehow manages for default
> ftp ports 20 and 21 but doesn't for non-default ports?
> Maybe the ipportfw is the answer.

If you have problems, tcpdump the connection and see which ports the data
is coming back on and forward 'em straight to the win95 box.

  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
  /(   )\
   ^^-^^

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam (For non-latiners: "I have a catapult. Give me all the
money, or I will fling an enormous rock at your head.")




Re: [masq] FW: masq FTP help!

1998-11-17 Thread Corlew, David (GEIS)

Thanks for your response! I'm pretty sure I've configured for the 
ftp module to be masqing, because I use ftp quite a bit and it 
works fine except for this instance. I think it has to do with
the way masquerade entries are made in the masq table when 
ftp is connecting to a non-default port (not 21) and setting up for
de-masq. 

For ftp i'm using: "ip_masq_ftp ports=21,12345"
and of course from the WIN95 box ftp>OPEN xxx.xxx.xxx.xxx 12345

The PORT statement is getting manipulated on the linux -
example: PORT 10.0.1.1.5.142 is changed to
 PORT 204.90.180.84.239.71  (this is what the ftp server receives)
and entries are made to masq tables on linux (I don't know specifically
if they are correct) but ..

ipfwadm -M -l shows:

prot expire   source         destination    ports
tcp  01:06:53 win95.domain   mainframe.com  1422 (61255) --> 0

and /proc/net/ip_masquerade shows:

Prc FromIP   FPrt  ToIP TPrt Masq
TCP 0A000102:058E  CX93AE0E: EF47  0  0  16218


My guess is that ip_masq_ftp somehow manages for default
ftp ports 20 and 21 but doesn't for non-default ports?
Maybe the ipportfw is the answer.

Any help would be greatly appreciated.

Dave Corlew



-Original Message-
From: Tim Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 16, 1998 10:19 AM
To: Corlew, David (GEIS)
Cc: [EMAIL PROTECTED]
Subject: Re: [masq] FW: masq FTP help!


> > My problem is with ftp! It works successfully using client on win95 box to
> > ftp server (control and data connections) using OPEN host.
> > No problem. But I have a REAL need to open to a certain host server that
> > is enabled to a specific non-default port. OPEN  pp
> > The control connection works just fine. However, any PORT protocol command
> > for this type connection is not masq'd. so data connections can't reach my
> > win95 machine. Could anyone help with this one. 

It sounds like you haven't installed the ftp module for ip masqing

> Note: The server in question is proprietary and does not support PASV. I
> have also tried specifying the special port in the "ip_masq_ftp ports=n"
> and did notice at least the server received a masqueraded port command (in
> the range 61000-61499) but could not make successful data connection back to
> my client.

Try using ipportfw from either a 2.1.124+ kernel or a patch against 2.0.35,
I can't remember where I found the patch but it works very well. I can use an
nfs server behind the firewall and other fun things. I can mail the patch
and the control progie src to you if you want.


  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
[EMAIL PROTECTED]   /(   )\
   ^^-^^
Software, n.:   
Formal evening attire for female computer analysts.




Re: [masq] FW: masq FTP help!

1998-11-16 Thread Tim Fletcher

> > My problem is with ftp! It works successfully using client on win95 box to
> > ftp server (control and data connections) using OPEN host.
> > No problem. But I have a REAL need to open to a certain host server that
> > is enabled to a specific non-default port. OPEN  pp
> > The control connection works just fine. However, any PORT protocol command
> > for this type connection is not masq'd. so data connections can't reach my
> > win95 machine. Could anyone help with this one. 

It sounds like you haven't installed the ftp module for ip masqing

> Note: The server in question is proprietary and does not support PASV. I
> have also tried specifying the special port in the "ip_masq_ftp ports=n"
> and did notice at least the server received a masqueraded port command (in
> the range 61000-61499) but could not make successful data connection back to
> my client.

Try using ipportfw from either a 2.1.124+ kernel or a patch against 2.0.35,
I can't remember where I found the patch but it works very well. I can use an
nfs server behind the firewall and other fun things. I can mail the patch
and the control progie src to you if you want.


  Tim Fletcher  .~.
/V\   L   I   N   U   X   
   [EMAIL PROTECTED]   // \\  >Don't fear the penguin<
[EMAIL PROTECTED]   /(   )\
   ^^-^^
Software, n.:   
Formal evening attire for female computer analysts.





[masq] FW: masq FTP help!

1998-11-16 Thread Corlew, David (GEIS)


> I've successfully implemented ip masquerading on a local network (win95 pc
> 10.0.1.2 and linux pc 10.0.1.1). I'm using  PPP connection from linux to
> the world and everything works great. Am able to use browser, telnet,
> ms-exchange server to outlook etc. etc.
> My problem is with ftp! It works successfully using client on win95 box to
> ftp server (control and data connections) using OPEN host.
> No problem. But I have a REAL need to open to a certain host server that
> is enabled to a specific non-default port. OPEN  pp
> The control connection works just fine. However, any PORT protocol command
> for this type connection is not masq'd. so data connections can't reach my
> win95 machine. Could anyone help with this one. 
> 
Note: The server in question is proprietary and does not support PASV. I
have also tried specifying the special port in the "ip_masq_ftp ports=n"
and did notice at least the server received a masqueraded port command (in
the range 61000-61499) but could not make successful data connection back to
my client.

> Thanks in advance,
> Dave Corlew
> 
> PS: I've set this configuration up so that I can stay connected with PPP
> to the remote host server on special port and do end-to-end testing from
> both the win95 and linux ftp clients. Any help would be greatly
> appreciated.
> 
> 
> 



[masq] Masq/FTP/ipchains

1998-10-30 Thread Clint Todish


I posted a similar message recently to a Usenet group. Hopefully,
you guys will know better:

I got my Austin Roadrunner service up and running with Linux
(Redhat 5.1 + kernel 1.2.126) masquerading a RFC1918 network. 
Surprisingly, there is currently no need for the authorization 
process in my area - I suppose I'll need to watch out for this. 
There should be a temporary kludge to get it working by running
the authorization program on an internal NT box - we'll see. I 
plan on writing a Linux based process should the need arise.

My question to anyone with ipfw experience is this:

I would like to open inbound ftp-data sourced requests but only
to my masqueraded boxes (to prevent someone manually sourcing
the ftp-data port and breaking my firewall). The ftp masq module
should take care of any security problems, but since the ipfw stuff
is only based on 'real' IP's on the unsecured side, I can't seem to
do this. Am I right in assuming this is the case or is there a way
to match incoming requests on a 'post masquerade' basis? Essentially,
I'd like to do something like:

ipchains -A input -i eth0 -p TCP -y -s 0.0.0.0/0 ftp-data -d RFCNET/24 -j ACCEPT

where eth0 = RoadRunner connection and RFCNET = my 1918 internal network.

or for a step by step description:

1) packet comes in sourced with ftp-data port
2) input filter lets it through
3) masquerade either handles it or passes it through
4) ipfw blocks the packet if masq can't handle it.

hopefully, this makes some kind of sense.
thanks!
-C

oh! btw, does anyone have experience setting up GRE tunnels with 
Linux? I'd be very interested in hearing from you...
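
The four-step description above, modelled as an added example that is not part of the original post and is not how ipchains or the kernel is implemented. It compares a rule that only looks at the ftp-data source port with a policy that also requires a matching masquerade entry; the Syn and MasqTable classes, the addresses and the ports are all constructed for illustration.

```python
from dataclasses import dataclass

FTP_DATA = 20


@dataclass(frozen=True)
class Syn:
    """An inbound TCP connection request seen on the external interface."""
    src_ip: str
    src_port: int
    dst_port: int  # port on the gateway's own external address


class MasqTable:
    """Data connections the FTP helper is waiting for (constructed model)."""

    def __init__(self):
        self._entries = {}  # masq port -> (ftp server, inside host, inside port)

    def expect(self, masq_port, server_ip, inside_ip, inside_port):
        """Record the mapping made when an outgoing PORT command was rewritten."""
        self._entries[masq_port] = (server_ip, inside_ip, inside_port)

    def demasquerade(self, pkt):
        """Return (inside host, inside port) if the packet matches an entry."""
        entry = self._entries.get(pkt.dst_port)
        if entry is None or entry[0] != pkt.src_ip:
            return None
        return entry[1], entry[2]


def source_port_rule(pkt):
    """Stateless rule: accept anything that claims the ftp-data source port."""
    return "ACCEPT" if pkt.src_port == FTP_DATA else "DENY"


def four_step_policy(pkt, table):
    """Steps 1-4 from the post, applied to one packet."""
    # Steps 1 and 2: the input filter only lets ftp-data sourced requests in.
    if pkt.src_port != FTP_DATA:
        return "DENY"
    # Step 3: masquerade handles the packet only if it matches an entry.
    inside = table.demasquerade(pkt)
    # Step 4: anything masquerade cannot handle is blocked.
    if inside is None:
        return "DENY"
    return "FORWARD %s:%d" % inside


def evaluate():
    """Run both policies over constructed sample packets."""
    table = MasqTable()
    # Constructed: an inside client at 192.168.1.10 sent PORT ...,5,142 to
    # the server 198.51.100.7 and the gateway advertised port 61255.
    table.expect(61255, "198.51.100.7", "192.168.1.10", 1422)
    samples = [
        ("expected data connection", Syn("198.51.100.7", FTP_DATA, 61255)),
        ("other host, source port 20", Syn("203.0.113.9", FTP_DATA, 61255)),
        ("known server, unmapped port", Syn("198.51.100.7", FTP_DATA, 1234)),
        ("known server, wrong source port", Syn("198.51.100.7", 1025, 61255)),
    ]
    return [
        (label, source_port_rule(pkt), four_step_policy(pkt, table))
        for label, pkt in samples
    ]


if __name__ == "__main__":
    for label, stateless, stateful in evaluate():
        print(f"{label:32} source-port rule: {stateless:7} four-step: {stateful}")
```

The second and third rows are the cases the post worries about: the source-port rule accepts them, while the four-step policy drops them because no masquerade entry matches.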



[masq] FTP server behind masquerade: PASV mode impossible?

1998-09-03 Thread R. Argentini

I'm asking this on behalf of a friend of mine, who isn't subscribed to this
list. This question is however of pretty general nature and could as well
have been mine ;-)
This friend of mine would like to run an FTP server on a computer that sits
behind the masquerade. 
We have redirected a couple of ports, and now I'm able to ftp using the
active mode. Netscape, leapFTP and other popular tools however, use passive
mode. This results in the client trying to connect to a high port number on
a nonexistent ip (e.g. 10.1.1.2) to haul his data over.
We have found no way to solve this problem, and I would like any help you
can offer me.
Please note this is the exact reverse situation of an active mode ftp *from*
the host behind the firewall to an internet host, so presumably an
adaptation of the FTP kernel module should do the trick. 
Regretfully I am not capable of implementing this.

Thanks for your time,

R.A.




--
Signature intentionally left blank.



Re: [masq] FTP problems - no route to host

1998-08-09 Thread Matthew McGehrin


On 8 Aug 98, at 19:38, Ryan wrote:

> 220 Exhilirate (glFtpD v1.9.5) ready.
> User (ftp.ml.org:(none)): Apollyon
> 331 Password required for Apollyon.
> Password:
> 230 User Apollyon logged in.
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: No route to host.\

Which site are you ftping to? It would be helpful if you included that in your report.

Also are you doing any port filters?

FTP is a two - port protocol, ports 20 and 21. Perhaps you are blocking one, and 
allowing the other?

Are you connecting via satellite or a cable modem that requires you to connect to a 
local isp and receive your internet access one way? perhaps there are routing 
problems.






Re: [masq] FTP problems - no route to host

1998-08-08 Thread Fuzzy Fox

Ryan <[EMAIL PROTECTED]> wrote:
>
> 220 Exhilirate (glFtpD v1.9.5) ready.
> User (ftp.ml.org:(none)): Apollyon
> 331 Password required for Apollyon.
> Password:
> 230 User Apollyon logged in.
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: No route to host.

Turn on "debug" in your ftp session and you will probably see the
reason.  You are sending a PORT command with your private IP address,
and the remote ftpd can't route to that host directly.

The ip_masq_ftp module is supposed to take care of this, but you have to
load it manually.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  ||   "Her lips said 'No,' but her
sometimes known as David DeSimone  ||eyes said 'Read my lips!'"
  http://www.dallas.net/~fox/  ||



Re: [masq] FTP problems - no route to host

1998-08-08 Thread Chris Johnson

On Sat, Aug 08, 1998 at 07:38:45PM +1000, Ryan wrote:
> Hi, I personally love ip masquerade but I have one problem, FTP
> 
> When I  ftp to some ftp sites I cannot get a dir listing or transfer files. I
> seem to get around this by using a passive host, but there is a BIG problem
> in this, its VERY unstable. Anyone got any ideas ?
 
> 220 Exhilirate (glFtpD v1.9.5) ready.
> User (ftp.ml.org:(none)): Apollyon
> 331 Password required for Apollyon.
> Password:
> 230 User Apollyon logged in.
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: No route to host.
 
You need to use the ip_masq_ftp module. Try "insmod ip_masq_ftp." And stick
the following in whatever startup file you use to set up your masquerading
rules:

depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
modprobe ip_masq_cuseeme
modprobe ip_masq_vdolive
modprobe ip_masq_quake

Chris Johnson



[masq] FTP problems - no route to host

1998-08-08 Thread Ryan




Hi, I personally love ip masquerade but I have one problem, FTP

When I  ftp to some ftp sites I cannot get a dir listing or transfer files. I
seem to get around this by using a passive host, but there is a BIG problem
in this, its VERY unstable. Anyone got any ideas ?

220 Exhilirate (glFtpD v1.9.5) ready.
User (ftp.ml.org:(none)): Apollyon
331 Password required for Apollyon.
Password:
230 User Apollyon logged in.
ftp> ls
200 PORT command successful.
425 Can't build data connection: No route to host.


Re: [masq] [masq] Ftp module for ip_masq

1998-06-26 Thread Sandy Coyne

At 02:03 PM 6/26/98 +1000, Dave wrote:
>Greetings.
>
>Mine is in /lib/modules/2.0.33/ipv4 (the 2.0.33 bit stems from the 
>fact that I am running kernel 2.0.33 - if you are running a different 
>kernel this part of the path will be different) and the module for 
>FTP is called ip_masq_ftp.o

I would also remind you that if you recompile a kernel yourself, you have
to "make modules" and then "make modules_install" or you won't find any
modules in that directory.

>Note that all these suggestions are based on Slackware 3.4 kernel 
>2.0.33, other distributions might store the files in slightly 
>different directories, but it should be close.

FYI Redhat 5, which I have, puts 'em in the same place.

Ciao,
--
Sandy Coyne, obviously "Flying is the second greatest experience
[EMAIL PROTECTED] known to man. Landing is the first"



Re: [masq] Ftp module for ip_masq

1998-06-25 Thread Dave

Greetings.

Mine is in /lib/modules/2.0.33/ipv4 (the 2.0.33 bit stems from the fact that I am 
running kernel 2.0.33 - if you are running a different kernel this part of the path 
will be different) and the module for FTP is called ip_masq_ftp.o

To load it you should do something like this:

/sbin/modprobe ip_masq_ftp

I have placed this line in my /etc/rc.d/rc.modules so that this module is loaded each 
time my Linux box reboots.

To see which modules are loaded do this:

cat /proc/modules

Note that all these suggestions are based on Slackware 3.4 kernel 2.0.33, other 
distributions might store the files in slightly different directories, but it should 
be close.

hth

Dave

--
From:   Ian MacLeod[SMTP:[EMAIL PROTECTED]]
Sent:   Saturday, 27 June 1998 13:52
To: [EMAIL PROTECTED]
Subject:[masq] Ftp module for ip_masq

Hi,

I'm having trouble ftp'ing from the computers hooked to my masq linux
box.  I heard i need a module for ftp'ing and so looked everywhere for
it.  If anyone knows where this is, and maybe some help on how to
install it, i would be so happy.

Thanx in advance,
Ian



[masq] Ftp module for ip_masq

1998-06-25 Thread Ian MacLeod

Hi,

I'm having trouble ftp'ing from the computers hooked to my masq linux
box.  I heard i need a module for ftp'ing and so looked everywhere for
it.  If anyone knows where this is, and maybe some help on how to
install it, i would be so happy.

Thanx in advance,
Ian



[masq] FTP server configuration

1998-06-17 Thread Steve Cherry





I would like to know how to configure the ftp 
server on a linux box for kernel 2.0.33.  Also how to set up users for 
limited access to directories.  Can this be done?  Or do I have to run 
another program.
 
Steve


Re: [masq] [masq] ftp to WinNT fails

1998-06-05 Thread Karsten Jeppesen

I'd better be. It is our general firewall.
All other ftp accesses work well.
(Probably about a few hundred a day for about 2 years)
In short: Yes the ftp module is loaded.

Karsten

>Are you sure you are loading the ip_masq_ftp module?
>
>-Joe
>
>Karsten Jeppesen wrote:
>>
>> Anybody has a clue to why a windows NT based ftpserver won't accept contact
>> from within the masqueraded net ?
>>
>> The masq machine itself will be able to, but not a machine from within.
>>
>> Karsten
>>
>> --
>> Dr. Karsten Jeppesen YARC Systems Corporation
>> VP of Development(805) 499 9444
>> Director of the Board
>>
>
>--
>Joachim Feise  Microsoft Certified Solution Developer
>mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
>mailto:[EMAIL PROTECTED]   mailto:[EMAIL PROTECTED]

--
Dr. Karsten Jeppesen YARC Systems Corporation
VP of Development(805) 499 9444
Director of the Board





Re: [masq] ftp to WinNT fails

1998-06-04 Thread Joachim Feise

Are you sure you are loading the ip_masq_ftp module?

-Joe

Karsten Jeppesen wrote:
> 
> Anybody has a clue to why a windows NT based ftpserver won't accept contact
> from within the masqueraded net ?
> 
> The masq machine itself will be able to, but not a machine from within.
> 
> Karsten
> 
> --
> Dr. Karsten Jeppesen YARC Systems Corporation
> VP of Development(805) 499 9444
> Director of the Board
> 

-- 
Joachim Feise  Microsoft Certified Solution Developer
mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
mailto:[EMAIL PROTECTED]   mailto:[EMAIL PROTECTED]



[masq] ftp to WinNT fails

1998-06-04 Thread Karsten Jeppesen

Anybody has a clue to why a windows NT based ftpserver won't accept contact
from within the masqueraded net ?

The masq machine itself will be able to, but not a machine from within.

Karsten

--
Dr. Karsten Jeppesen YARC Systems Corporation
VP of Development(805) 499 9444
Director of the Board





Re: [masq] FTP broken

1998-05-26 Thread Bob Simpson

>
>>For some reason, outgoing FTP does
>>not work anymore.
>
>>The login works, but after that I can't *do* anything.  Other systems
>>complain about the PORT argument being wrong.
>
>I believe you need to load the ip_masq_ftp.o module (try *insmod
>ip_masq_ftp*), or use PASV (passive) mode ftp.  You enter passive mode with
>the command *quote pasv* after logging in.  Not all ftp clients support this
>option correctly, so the best long term fix is to load the module designed to
>fix this problem.
>
>-Bob Simpson



Re: [masq] [masq] FTP broken

1998-05-26 Thread Bill Eldridge

if [ -f /sbin/depmod ]; then
   /sbin/depmod -a
fi
if [ -f /sbin/modprobe ]; then
   /sbin/modprobe ip_masq_ftp
   /sbin/modprobe ip_masq_raudio
fi
 
--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, May 26, 1998 6:03 PM
Subject: [masq] FTP broken


>Hello,
>
>I am not sure what happened or when.  I set up IP Masquerade on a Linux
>Box (Slackware 2.0.30) and had telnet, FTP and HTTP working from a number
>of machines behind the linux machine.  For some reason, outgoing FTP does
>not work anymore.  To make matters worse, I am so new to linux, that I
>don't know where to start looking.  I have set up a minimum system and did
>not intentionally filter any packets when I set things up.
>
>After setting up eth0 & eth1, I set up for masquerade with:
>
>  echo "1" > /proc/sys/net/ipv4/ip_forward
>  ipfwadm -F -a m -S 192.168.200.0/24 -D 0.0.0.0/0
>
>Here is a typical attempt to use FTP from my internal system to a system
>elsewhere on the internet.  If I use a dialup connection from the same
>machine I have no problems.
>--
>Name (brentwoodlake): brentwoodlake
>331 Password required for brentwoodlake
>Password: .
>230 User brentwoodlake logged in.  Access restrictions apply.
>ftp> ls
>500 Illegal PORT Command
>ftp> ls
>500 Illegal PORT Command
>ftp> cd ..
>250 CWD command successful.
>ftp> ls
>500 Illegal PORT Command
>ftp>
>
>
>The login works, but after that I can't *do* anything.  Other systems
>complain about the PORT argument being wrong.
>
>Thanks in advance,
>Mark Stamos
>
>
>
>--  
>---
>[EMAIL PROTECTED]
>
>PGP PUBLIC KEY:
> finger [EMAIL PROTECTED]
>--
>




[masq] FTP broken

1998-05-26 Thread mstamos

Hello,

I am not sure what happened or when.  I set up IP Masquerade on a Linux
Box (Slackware 2.0.30) and had telnet, FTP and HTTP working from a number
of machines behind the linux machine.  For some reason, outgoing FTP does
not work anymore.  To make matters worse, I am so new to linux, that I
don't know where to start looking.  I have set up a minimum system and did
not intentionally filter any packets when I set things up.

After setting up eth0 & eth1, I set up for masquerade with:

  echo "1" > /proc/sys/net/ipv4/ip_forward
  ipfwadm -F -a m -S 192.168.200.0/24 -D 0.0.0.0/0

Here is a typical attempt to use FTP from my internal system to a system
elsewhere on the internet.  If I use a dialup connection from the same
machine I have no problems.
--
Name (brentwoodlake): brentwoodlake
331 Password required for brentwoodlake
Password: .
230 User brentwoodlake logged in.  Access restrictions apply.
ftp> ls
500 Illegal PORT Command
ftp> ls
500 Illegal PORT Command
ftp> cd ..
250 CWD command successful.
ftp> ls
500 Illegal PORT Command
ftp>


The login works, but after that I can't *do* anything.  Other systems
complain about the PORT argument being wrong.

Thanks in advance,
Mark Stamos



--  
---
[EMAIL PROTECTED]

PGP PUBLIC KEY:
 finger [EMAIL PROTECTED]
--




Re: [masq] ftp and http into masq'd network

1998-05-26 Thread Martin Hammerschmid

John J Boland wrote:
> 
> howdy,
> 
> no response to my request from last week, so i'll rephrase the question!
> 
> i've setup masqing on a linux (redhat 2.0.33) server and i am able to
> get out to the rest of the universe from my private lan.  i can telnet,
> ftp, get news, and surf.  basically that part works like a champ.
> now, i'm at the next part of the saga.  i would like to setup a web server
> (on NT, yeah i know...) behind the linux firewall and have the nt
> web server visible to the internet.  i also need ftp access into the nt
> box to update web pages.  i've read the man pages and the how-to's
> for ipfwadm and ipautofw, but i can't understand how to setup the rules
> to get ftp and http request into the nt box.
> 
> to make the process easier(!), i've setup an ftp server on my windoze box
> to start the process (it boots a little faster than nt).  i hope that
> someone else has done this already and can send me their ipfwadm and
> ipautofw rules! or at least point me to the right place(s) to get this
> information.
> 
> thanks!!!

you can forward a port to a webserver behind masq with ipportfw like this:

ipportfw -A -t /80 -R /80

-Martin

== mailto:[EMAIL PROTECTED] ==
=RSA-PGP-Key ID:0x81783FE7 DH-PGP-Key ID:0x6B66589A=

Jone's Principle: "Needs are a function of what other people have."



[masq] ftp and http into masq'd network

1998-05-26 Thread John J Boland

howdy,

no response to my request from last week, so i'll rephrase the question!

i've setup masqing on a linux (redhat 2.0.33) server and i am able to 
get out to the rest of the universe from my private lan.  i can telnet,
ftp, get news, and surf.  basically that part works like a champ.  
now, i'm at the next part of the saga.  i would like to setup a web server
(on NT, yeah i know...) behind the linux firewall and have the nt
web server visible to the internet.  i also need ftp access into the nt
box to update web pages.  i've read the man pages and the how-to's
for ipfwadm and ipautofw, but i can't understand how to setup the rules
to get ftp and http request into the nt box.

to make the process easier(!), i've setup an ftp server on my windoze box
to start the process (it boots a little faster than nt).  i hope that
someone else has done this already and can send me their ipfwadm and
ipautofw rules! or at least point me to the right place(s) to get this
information.

thanks!!!



[masq] FTP Server Behind Firewall & PASV FTP ???

1998-04-17 Thread Dave D. Hammond

I am working on developing a firewall system for a client utilizing
RedHat 5.0 and IP Masquerading. I have pretty much got everything
working to my satisfaction with the exception of one thing.

I have a public FTP Server sitting behind the MASQ machine... I am using
a very minimal set of rules as a result of this problem. I like to start
simple and get everything working before I attempt to tighten things up.
Anyway, I am using ipportfw to bounce all incoming requests received on
port 21 by the MASQ machine to the FTP Server behind the firewall. This
works great with "standard" or "ported" FTP clients (i.e. CuteFTP,
WS_FTP, etc...). However, it does not work so great with PASV FTP
clients like the ones built into many of the standard Web browsers.

Here is my limited understanding of how PASV mode FTP works... I
understand that the incoming "command" channel still comes into the FTP
server on port 21 as with "standard" FTP requests... and I understand
that the server then picks a port >1023 and sends the port number back
to the client so that the client can open a second "data" channel to
that port on the FTP server. Initially I figured that all I had to do
was setup ipautofw on the MASQ machine to bounce all requests received
in that range (>1023) to the FTP server behind the firewall... and as
you have probably guessed... it did not work.

Using a PASV mode FTP client I think I see why... the initial "command"
channel is opened no problem... and it would appear that the server's
reply with the port number is received by the client no problem... the
problem seems to be when the client tries to open the second "data"
channel with the FTP server it tries to connect to the un-masqed IP
address of the FTP server located behind the firewall..

If anyone has a "work around" or suggestions I would appreciate it... I
am a bit stumped on this one since the IP address must be coming in to
the client as part of the FTP server's port response ???

Thanks,

Dave Hammond
Network Administrator - EZ-Net
[EMAIL PROTECTED]


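The address problem reported in these threads (a PORT command carrying the client's private address, and a 227 PASV reply carrying the un-masqueraded server address), worked through as an added Python example; it is not code from any poster or from the ip_masq_ftp module. All addresses, the public port numbers and the function names are assumptions made for the illustration, and the rule of rewriting only the control connection owner's own address is this example's design choice.

```python
# Added example (not ip_masq_ftp source): rewriting FTP data endpoints under masq.
import ipaddress
import re

# RFC 959 host-port form h1,h2,h3,h4,p1,p2 used by PORT and by the 227 reply.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (IPv4Address, port) advertised by a PORT command or 227 reply."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def advertises_private(line):
    """True when the data endpoint in the line is an RFC 1918 address."""
    parsed = parse_hostport(line)
    return parsed is not None and any(parsed[0] in net for net in RFC1918)


def masq_rewrite(line, inside_ip, public_ip, public_port):
    """Rewrite the endpoint to the masq box's public address and port.

    Rewrites only when the advertised address is the inside host that owns
    the control connection, so no mapping is opened towards a third host.
    Returns (line, mapping); mapping is (public_port, inside_ip, inside_port).
    """
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != ipaddress.IPv4Address(inside_ip):
        return line, None
    pub = str(public_ip).split(".") + [str(public_port >> 8),
                                       str(public_port & 255)]
    return (HOSTPORT.sub(",".join(pub), line, count=1),
            (public_port, inside_ip, parsed[1]))


# Constructed control-channel lines (addresses are made up for the example).
ACTIVE_CLIENT = "PORT 192,168,200,5,4,1"            # client behind the masq box
PASSIVE_SERVER = "227 Entering Passive Mode (192,168,200,9,7,208)"  # server behind it
THIRD_HOST = "PORT 192,168,200,77,4,1"              # not the sender's own address

if __name__ == "__main__":
    for line, inside in ((ACTIVE_CLIENT, "192.168.200.5"),
                         (PASSIVE_SERVER, "192.168.200.9"),
                         (THIRD_HOST, "192.168.200.5")):
        new, mapping = masq_rewrite(line, inside, "203.0.113.5", 61005)
        print(f"{line!r}: private={advertises_private(line)} -> {new!r} {mapping}")
```

The returned mapping is what the masq box would then have to forward: a connection arriving on the public port goes to the inside address and port taken from the original payload.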



Re: [masq] Ftp server behind firewall?

1998-03-19 Thread Hans E. Kristiansen

I would like to propose a workaround ( I have the same challenge ).

Mount the NT / Win95 as smb shares, and make them available for ftp from the
Linux box.

Thanks,
Hans


> -Original Message-
> From: Mark [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 18, 1998 19:14
> To: [EMAIL PROTECTED]
> Subject: Re: [masq] Ftp server behind firewall?
>
>
> Well I can't give you the answer to your problem, but I do have a
> work-around.  I am in a similar situation but my NT box also boots to
> Linux.  Ftp works fine in NT using War FTPD, but when I boot to Linux I get
> that bind error.  You can get War software at
> http://www.jgaa.com/downloadpage.htm .  I think it may have to do with the
> 'Fool my brain dead ISP! (dont bind to port 20)' option, but I know little
> about this.  That's your best bet.  It's a great program too.
>
> As for me, I'd rather be in Linux more but I can't find a way around that
> bind problem.  If you hear anything, let me know please.  I have asked the
> same question here and got no response.  Let's hope you do.
>
>
> At 12:26 AM 3/18/98 -0500, you wrote:
> >
> > I have a need for there to be a ftp server behind the firewall,
> >I am assuming that it can be done.  I have used redir for port 21 and can
> >connect to the server but when I try to get a listing or file it spits this at
> >me:
> >
> >ftp> ls
> >500 Invalid PORT Command.
> >ftp: bind: Address already in use
> >ftp> ls
> >500 Invalid PORT Command.
> >ftp> dir
> >500 Invalid PORT Command.
> >
> >I have tried using redir on port 20 and using udpred on 21 and 20 but keep
> >getting the same error messages, I have not yet tried ipautofw.
> >The machine is a NT box with the microsoft ftp server; I don't think that it
> >makes a difference.
> >
> >--
> >Andrew L. Davis  Network Operations
> >[EMAIL PROTECTED]ViperLink International




Re: [masq] Ftp server behind firewall?

1998-03-18 Thread Mark

Well I can't give you the answer to your problem, but I do have a
work-around.  I am in a similar situation but my NT box also boots to
Linux.  Ftp works fine in NT using War FTPD, but when I boot to Linux I get
that bind error.  You can get War software at
http://www.jgaa.com/downloadpage.htm .  I think it may have to do with the
'Fool my brain dead ISP! (dont bind to port 20)' option, but I know little
about this.  That's your best bet.  It's a great program too.  

As for me, I'd rather be in Linux more but I can't find a way around that
bind problem.  If you hear anything, let me know please.  I have asked the
same question here and got no response.  Let's hope you do.


At 12:26 AM 3/18/98 -0500, you wrote:
>
>   I have a need for there to be a ftp server behind the firewall, 
>I am assuming that it can be done.  I have used redir for port 21 and can 
>connect to the server but when I try to get a listing or file it spits this at
>me:
>
>ftp> ls
>500 Invalid PORT Command.
>ftp: bind: Address already in use
>ftp> ls
>500 Invalid PORT Command.
>ftp> dir
>500 Invalid PORT Command.
>
>I have tried using redir on port 20 and using udpred on 21 and 20 but keep
>getting the same error messages, I have not yet tried ipautofw.
>The machine is a NT box with the microsoft ftp server; I don't think that it 
>makes a difference.
>
>-- 
>Andrew L. Davis  Network Operations
>[EMAIL PROTECTED]  ViperLink International



[masq] Ftp server behind firewall?

1998-03-18 Thread Andrew L. Davis


I have a need for there to be a ftp server behind the firewall, 
I am assuming that it can be done.  I have used redir for port 21 and can 
connect to the server but when I try to get a listing or file it spits this at 
me:  

ftp> ls
500 Invalid PORT Command.
ftp: bind: Address already in use
ftp> ls
500 Invalid PORT Command.
ftp> dir
500 Invalid PORT Command.

I have tried using redir on port 20 and using udpred on 21 and 20 but keep
getting the same error messages, I have not yet tried ipautofw.
The machine is a NT box with the microsoft ftp server; I don't think that it 
makes a difference.

-- 
Andrew L. Davis Network Operations
[EMAIL PROTECTED]   ViperLink International