[masq] FTP Server Behind Firewall PASV FTP ???
I am working on developing a firewall system for a client utilizing RedHat 5.0 and IP Masquerading. I have pretty much got everything working to my satisfaction with the exception of one thing. I have a public FTP server sitting behind the MASQ machine. I am using a very minimal set of rules as a result of this problem; I like to start simple and get everything working before I attempt to tighten things up.

Anyway, I am using ipportfw to bounce all incoming requests received on port 21 by the MASQ machine to the FTP server behind the firewall. This works great with "standard" or "ported" FTP clients (i.e. CuteFTP, WS_FTP, etc.). However, it does not work so great with PASV FTP clients like the ones built into many of the standard web browsers.

Here is my limited understanding of how PASV mode FTP works: the incoming "command" channel still comes into the FTP server on port 21 as with "standard" FTP requests, and the server then picks a port > 1023 and sends the port number back to the client so that the client can open a second "data" channel to that port on the FTP server.

Initially I figured that all I had to do was set up ipautofw on the MASQ machine to bounce all requests received in that range (> 1023) to the FTP server behind the firewall, and as you have probably guessed, it did not work. Using a PASV mode FTP client I think I see why: the initial "command" channel is opened no problem, and it would appear that the server's reply with the port number is received by the client no problem; the problem seems to be when the client tries to open the second "data" channel with the FTP server, it tries to connect to the un-masqed IP address of the FTP server located behind the firewall.

If anyone has a "work around" or suggestions I would appreciate it. I am a bit stumped on this one since the IP address must be coming in to the client as part of the FTP server's port response???
Thanks,
Dave Hammond
Network Administrator - EZ-Net
[EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
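What the browser actually receives in that situation, and the rewrite a masquerading box would have to apply to the server's reply, as an added Python example that is not part of the thread. The address tuple format comes from RFC 959 (PORT commands and 227 replies both carry h1,h2,h3,h4,p1,p2, with the port encoded as p1*256+p2); the server address 10.0.0.5, the public address 203.0.113.7 and the data port are constructed. The gateway still has to forward whichever data port the server chose back to the private address; this code only reports that port.

```python
"""Decode, check and rewrite the h1,h2,h3,h4,p1,p2 address tuple that FTP
carries in PORT commands and 227 (PASV) replies.  Added example, not code from
the thread; the addresses used below are constructed."""
import ipaddress
import re
from typing import Optional, Tuple

# Six comma-separated decimal numbers: h1,h2,h3,h4,p1,p2 (RFC 959).
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges.  An address in one of these can never be reached by a client
# on the Internet, which is exactly the PASV failure described in the thread.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_addr(text: str) -> Tuple[str, int]:
    """Return (host, port) from a PORT command or a 227 reply; raise on junk."""
    m = _ADDR_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_addr(host: str, port: int) -> str:
    """Inverse of decode_addr."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def pasv_leaks_private_addr(reply: str) -> bool:
    """True if a 227 reply advertises an RFC 1918 address, i.e. what the client
    sees when a masqueraded server's reply is forwarded unchanged."""
    host, _ = decode_addr(reply)
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


def rewrite_pasv(reply: str, private_ip: str, public_ip: str,
                 data_ports: range = range(1024, 65536)) -> Tuple[str, Optional[int]]:
    """Replace private_ip with public_ip inside a 227 reply, as an FTP-aware
    gateway must.  Returns (new_reply, port); port is the data port the gateway
    now has to forward to private_ip.  A reply that is not a 227, or that names
    some other host, is returned unchanged with port None.
    """
    if not reply.startswith("227"):
        return reply, None
    host, port = decode_addr(reply)
    if host != private_ip:
        return reply, None
    if port not in data_ports:
        # The server picked a port the gateway does not forward; refuse rather
        # than hand the client an address it cannot use.
        raise ValueError("data port %d outside forwarded range" % port)
    m = _ADDR_RE.search(reply)
    return reply[:m.start()] + encode_addr(public_ip, port) + reply[m.end():], port


if __name__ == "__main__":
    # Constructed values: server 10.0.0.5 behind a gateway whose public side is 203.0.113.7.
    server_reply = "227 Entering Passive Mode (10,0,0,5,4,1)"
    print("client decodes:", decode_addr(server_reply))
    print("leaks private address:", pasv_leaks_private_addr(server_reply))
    fixed, port = rewrite_pasv(server_reply, "10.0.0.5", "203.0.113.7")
    print("gateway should send:", fixed, "and forward port", port)
```

Running decode_addr over the 227 replies captured from a browser session is the quickest way to confirm the diagnosis: the client is handed the server's private address and a port, not the MASQ machine's address. Because that address sits inside the TCP payload, no amount of port forwarding with ipportfw or ipautofw can fix it; the gateway has to edit the reply and open the data port at the same time, which is the same kind of payload rewrite the masquerading FTP helper does for PORT commands sent by clients on the inside.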
Re: [masq] Ftp server behind firewall?
I would like to propose a workaround (I have the same challenge). Mount the NT / Win95 as smb shares, and make them available for ftp from the Linux box.

Thanks,
Hans

-----Original Message-----
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 18, 1998 19:14
To: [EMAIL PROTECTED]
Subject: Re: [masq] Ftp server behind firewall?

Well I can't give you the answer to your problem, but I do have a work-around. I am in a similar situation but my NT box also boots to Linux. Ftp works fine in NT using War FTPD, but when I boot to Linux I get that bind error. You can get War software at http://www.jgaa.com/downloadpage.htm . I think it may have to do with the 'Fool my brain dead ISP! (dont bind to port 20)' option, but I know little about this. That's your best bet. It's a great program too. As for me, I'd rather be in Linux more but I can't find a way around that bind problem. If you hear anything, let me know please. I have asked the same question here and got no response. Let's hope you do.

At 12:26 AM 3/18/98 -0500, you wrote:

I have a need for there to be a ftp server behind the firewall, I am assuming that it can be done. I have used redir for port 21 and can connect to the server but when I try to get a listing or file it spits this at me:

ftp> ls
500 Invalid PORT Command.
ftp: bind: Address already in use
ftp> ls
500 Invalid PORT Command.
ftp> dir
500 Invalid PORT Command.

I have tried using redir on port 20 and using udpred on 21 and 20 but keep getting the same error messages, I have not yet tried ipautofw. The machine is a NT box with the microsoft ftp server; I don't think that it makes a difference.

--
Andrew L. Davis
Network Operations
[EMAIL PROTECTED]
ViperLink International
Re: [masq] Ftp server behind firewall?
Well I can't give you the answer to your problem, but I do have a work-around. I am in a similar situation but my NT box also boots to Linux. Ftp works fine in NT using War FTPD, but when I boot to Linux I get that bind error. You can get War software at http://www.jgaa.com/downloadpage.htm . I think it may have to do with the 'Fool my brain dead ISP! (dont bind to port 20)' option, but I know little about this. That's your best bet. It's a great program too. As for me, I'd rather be in Linux more but I can't find a way around that bind problem. If you hear anything, let me know please. I have asked the same question here and got no response. Let's hope you do.

At 12:26 AM 3/18/98 -0500, you wrote:

I have a need for there to be a ftp server behind the firewall, I am assuming that it can be done. I have used redir for port 21 and can connect to the server but when I try to get a listing or file it spits this at me:

ftp> ls
500 Invalid PORT Command.
ftp: bind: Address already in use
ftp> ls
500 Invalid PORT Command.
ftp> dir
500 Invalid PORT Command.

I have tried using redir on port 20 and using udpred on 21 and 20 but keep getting the same error messages, I have not yet tried ipautofw. The machine is a NT box with the microsoft ftp server; I don't think that it makes a difference.

--
Andrew L. Davis
Network Operations
[EMAIL PROTECTED]
ViperLink International