[ previous ] [ next ] [ threads ]
 From:  "Justin Sirois" <justin at onthez dot com>
 To:  "Chris Bagnall" <m0n0wall at minotaur dot cc>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] m0n0wall FTP settings
 Date:  Thu, 17 Feb 2005 19:19:16 -0600
Thanks Chris

Ok, I have set up a rule similar to yours.
Interface | Proto | Source | Port | Dest | Port

WAN  TCP  *  *  athlon650  21 (FTP)
WAN  TCP  *  *  athlon650  20000-20020 (FTP)

I configured my FTP server (guildFTP) to use 20000-20020 for pasive

I'm still unable to reach it.  I get the message
"waiting for server to respond"

If I take m0n0 out of the loop I am able to connect, so I am fairly certain 
something I have set incorrectly.

When you said "You'll also need the equivalent port forwarding rules."
Is this something in addition to the firewall rules?

Sorry I'm still new to m0n0.


>> It looks like that requires a dedicated external IP, and that
>> the FTP is passive.
>> I'm trying to set up active and I don't have a dedicated IP
>> I'm using ZoneEdit as a dynamic DNS.
>> Also, my FTP server isn't assigned a static IP address.
>> Is there an easy way to route ports 20 and 21 to the ftp
>> server based on MAC address, or the hostname?
> I've deleted half of the messages for this thread, so apologies if some of
> this has been covered earlier.
> I'm running an FTP here using a semi-dynamic IP (changes every few weeks)
> and the DynDNS service (similar to ZoneEdit). You do not need a dedicated 
> IP
> for your FTP server. You do not need to forward port 20 at all.
> Here's my firewall setup:
> Proto | Source | Port | Dest | Port
> TCP  *  *  Cronus  21 (FTP)
> TCP  *  *  Cronus  23580 - 23590
> Cronus is an alias pointing to the internal IP of the FTP box. You'll also
> need the equivalent port forwarding rules.
> There is absolutely no need to forward port 20 - it's used for outgoing 
> data
> in active mode only. It's outgoing, not incoming, so the default firewall
> allow rule should catch it.
> What you do need in passive mode, though, is a range of ports to allow the
> server to connect "back" to the client. Choose a few ports (you'll not 
> need
> many - allow the maximum number of concurrent connections you expect to 
> get)
> at random and port forward those. Obviously you'll need to tell your FTP
> server to use this range as its PASV port range (most FTPs will default to
> using any port from 1024-65535 unless you tie them down to specific 
> ports).
> That's it.
> Regards,
> Chris
> -- 
> C.M. Bagnall, Partner, Minotaur
> Tel: (07010) 710715   Mobile: (07811) 332969   ICQ: 13350579
> AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!: Minotaur_Chris
> This email is made from 100% recycled electrons
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch