On 01/11/2013 08:00 AM, Dario Lesca wrote:

>>
>> What do you see in the system log when transfer fails? Have you looked
>> at http://www.shorewall.net/FTP.html?
> Yes, I have read this howto .... but it did not help me.
> 
> Note that the active connection works only to server NAT, and does NOT work
> with server without NAT (local fw and proxyarp dmz)
> 
> In the firewall system log I see nothing.
> This is the tcpdump of my transaction test script to my server in DMZ
> proxyarp:
> 
> Script ftp (ftp.exe winxp)
>> open my.host
>> user
>> pass
>> dir
>> quit

That would have been a lot more helpful if you would have turned on
debugging before entering the dir command (and yes -- ftp.exe does
support that command).

> 
> tcpdump output:
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 
>> 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
>> 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 
>> 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], 
>> length 0
>> 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 
>> 1, win 64240, length 0
>> 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
>> 1:321, ack 1, win 14600, length 320
>> 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
>> 1:18, ack 321, win 63920, length 17
>> 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 
>> 18, win 14600, length 0
>> 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
>> 321:364, ack 18, win 14600, length 43
>> 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
>> 18:33, ack 364, win 63877, length 15
>> 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
>> 364:407, ack 33, win 14600, length 43
>> 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
>> 33:57, ack 407, win 63834, length 24
>> 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
>> 407:436, ack 57, win 14600, length 29
>> 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
>> 57:63, ack 436, win 63805, length 6
>> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
>> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 
>> 0,nop,wscale 7], length 0
>> 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 
>> 63, win 14600, length 0
>> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
>> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 
>> 0,nop,wscale 7], length 0
>> 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
>> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 
>> 0,nop,wscale 7], length 0
>> 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
>> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 
>> 0,nop,wscale 7], length 0
>> 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
>> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 
>> 0,nop,wscale 7], length 0
>> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
>> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 
>> 0,nop,wscale 7], length 0

These above are your FTP server's attempts to connect to port 1363 on the
remote host.

> 
> In the system log of FTP server 3 I see a correct connection with user
> and password and nothing.  
> 
> On the client (ftp.exe for test) I see this:
>> ftp> dir
>> 200 PORT command successful
>> 425 Could not open data connection to port 1353: Connection timed out

That isn't the same port that your server was trying to connect to.

>> ftp>
> NOTE: The port is always different.
> 
> Thanks for helping me.
> 

If you send me the real IP address of your server, I'll take a look from
this end.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
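
Added example, not part of the original message: in active-mode FTP the server opens the data connection from port 20 to the port the client announced, so a stalled transfer shows up in a capture as repeated SYNs with no reply. The sketch below finds such flows in tcpdump text output (including mail-quoted, wrapped lines) and compares their destination port with the port named in a 425 reply; the sample capture uses constructed documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text format (documentation addresses).
SAMPLE = """\
16:43:22.419128 IP 198.51.100.7.1362 > 192.0.2.10.21: Flags [S], seq 987061752, win 64240, length 0
16:43:22.419519 IP 192.0.2.10.21 > 198.51.100.7.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, length 0
16:43:22.604273 IP 192.0.2.10.20 > 198.51.100.7.1363: Flags [S], seq 4047120893, win 14600, length 0
16:43:23.604254 IP 192.0.2.10.20 > 198.51.100.7.1363: Flags [S], seq 4047120893, win 14600, length 0
16:43:25.604288 IP 192.0.2.10.20 > 198.51.100.7.1363: Flags [S], seq 4047120893, win 14600, length 0
"""

PKT = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                 r"Flags \[([^\]]+)\]")

def unanswered_syns(capture):
    """Map (src, sport, dst, dport) -> seconds since the first SYN, for
    connection attempts whose peer never sent any segment back."""
    syns, answered = defaultdict(list), set()
    for line in capture.splitlines():
        m = PKT.match(line.lstrip("> "))      # tolerate mail quoting
        if not m:
            continue                          # wrapped continuation lines, headers
        h, mi, s, src, sport, dst, dport, flags = m.groups()
        flow = (src, int(sport), dst, int(dport))
        if flags == "S":                      # bare SYN, not SYN-ACK
            syns[flow].append(int(h) * 3600 + int(mi) * 60 + float(s))
        # Any packet counts as an answer to the flow in the opposite direction.
        answered.add((dst, int(dport), src, int(sport)))
    return {f: [round(t - ts[0], 1) for t in ts]
            for f, ts in syns.items() if f not in answered}

def port_in_425(reply):
    """Port named in an FTP '425 ... port N' reply, or None."""
    m = re.match(r"425 .*\bport (\d+)", reply)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    stalled = unanswered_syns(SAMPLE)
    for (src, sport, dst, dport), offsets in stalled.items():
        print(f"{src}:{sport} -> {dst}:{dport}: {len(offsets)} SYNs, no reply, at +{offsets}s")
    reported = port_in_425("425 Could not open data connection to port 1353: Connection timed out")
    print("425 port matches a stalled flow:", reported in {f[3] for f in stalled})
```

Offsets that roughly double (1 s, 3 s, 7 s, ...) are TCP's SYN retransmission backoff, which indicates the SYNs are being silently dropped rather than rejected.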
