On 01/11/2013 08:23 AM, Tom Eastep wrote:
> On 01/11/2013 08:00 AM, Dario Lesca wrote:
>
>>>
>>> What do you see in the system log when transfer fails? Have you looked
>>> at http://www.shorewall.net/FTP.html?
>> Yes, I have read this howto .... but it did not help me.
>>
>> Note that the active connection works only to the server with NAT, and
>> does NOT work with the server without NAT (local fw and proxyarp dmz)
>>
>> In the firewall system log I see nothing.
>> This is the tcpdump of my transaction test script to my server in DMZ
>> proxyarp:
>>
>> Script ftp (ftp.exe winxp)
>>> open my.host
>>> user
>>> pass
>>> dir
>>> quit
>
> That would have been a lot more helpful if you would have turned on
> debugging before entering the dir command (and yes -- ftp.exe does
> support that command).
>
>>
>> tcpdump output:
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
>>> 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
>>> 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
>>> 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 1:321, ack 1, win 14600, length 320
>>> 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 1:18, ack 321, win 63920, length 17
>>> 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 18, win 14600, length 0
>>> 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 321:364, ack 18, win 14600, length 43
>>> 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 18:33, ack 364, win 63877, length 15
>>> 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 364:407, ack 33, win 14600, length 43
>>> 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 33:57, ack 407, win 63834, length 24
>>> 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 407:436, ack 57, win 14600, length 29
>>> 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 57:63, ack 436, win 63805, length 6
>>> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
>>> 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
>>> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
>>> 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
>>> 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
>>> 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
>>> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0

Ah -- I see the real problem here. Your firewall is MASQUERADING
outgoing connections from the server. Note that the incoming connection
on port 21 is addressed to my.host.42.251 but the outgoing connection is
from my.host.42.242!

Fix your /etc/shorewall/masq file so that it doesn't masquerade those
outgoing connections.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
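The comparison made by eye in the reply above can be automated. The following is an added example, not part of the original thread: it reads tcpdump text output (one packet per line), records which server address each client dialled on port 21, and reports active-mode data SYNs from port 20 whose source address differs. The function name and the finding fields are assumptions of this example.

```python
import re
from collections import Counter

# One packet per line, as tcpdump prints it (mail clients may wrap these).
PKT = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Abridged from the capture quoted in the thread: the control handshake on
# port 21, then the first three unanswered data SYNs from port 20.
SAMPLE = """\
16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
"""

def find_active_ftp_mismatch(capture):
    """Report data connections (source port 20) whose source address is not
    the address the same client used for its control connection (port 21)."""
    control = {}          # client address -> server address dialled on port 21
    attempts = Counter()  # (data source, client) -> number of SYNs seen
    answered = set()      # (data source, client) pairs that got a SYN-ACK
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dport == "21":
            control[src] = dst
        elif flags == "S" and sport == "20":
            attempts[(src, dst)] += 1
        elif flags == "S." and dport == "20":
            answered.add((dst, src))
    findings = []
    for (src, client), syns in attempts.items():
        expected = control.get(client)
        if expected and src != expected:
            findings.append({"client": client, "control_addr": expected,
                             "data_src": src, "syns": syns,
                             "answered": (src, client) in answered})
    return findings

if __name__ == "__main__":
    for f in find_active_ftp_mismatch(SAMPLE):
        print("control to %(control_addr)s but data from %(data_src)s "
              "(%(syns)d SYNs, answered=%(answered)s)" % f)
```

A finding with `answered` false and a repeated SYN count matches the symptom in the capture: the data connection leaves from a rewritten source address and the client never completes the handshake.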
