 From:  "Danny Puckett" <dpuckett at comresource dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] PASV FTP
 Date:  Tue, 29 Mar 2005 15:46:18 -0500
I have tried to get this to work using NAT 1:1 but I am not having any luck.
Does 1:1 open all ports up?  Is this a security risk?  I would hate to
switch NAT devices just for FTP.

Danny Puckett
Senior Systems Engineer
CISSP,  MCSE:Security,  Security+,  CNA
> -----Original Message-----
> From: Jean-Francois Theroux [mailto:jftheroux at privalodc dot com]
> Sent: Tuesday, March 29, 2005 1:47 PM
> To: Danny Puckett
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] PASV FTP
> 
> As far as I remember, it's an ipfw limitation, and not a m0n0wall one. I
> remember looking it up at some point and finding that lots of people
> under FreeBSD had a similar problem. Solution would be to do 1:1 NAT to
> the internal server. Since I've done that, I've stopped having problems
> with our FTP server.
> 
> We only use FTP to upload files to websites, because otherwise, I would
> put an FTP server directly on the web, using a public IP.
> 
> -jf
> 
> Danny Puckett wrote:
> > It would seem that the FTP service in IIS 6.0 does not allow for
> > masquerading.  I did some digging and found this thread stating that the
> > NAT should take care of all the issues and not the FTP server.  Does
> > m0n0wall track FTP sessions as suggested?
> >
> > http://www.webservertalk.com/archive121-2004-1-86598.html
> >
> >
> >>-----Original Message-----
> >>From: Frans J King [mailto:frans dot king at f333 dot net]
> >>Sent: Tuesday, March 29, 2005 12:09 PM
> >>To: Danny Puckett; m0n0wall at lists dot m0n0 dot ch
> >>Subject: Re: [m0n0wall] PASV FTP
> >>
> >>I think this is the problem:
> >>
> >>Response: 227 Entering Passive Mode (192,168,2,21,78,51).
> >>
> >>The server is telling the client to connect to a non internet routable
> >>IP.  You need to configure the FTP server to masquerade its address.
> >>
> >>See this documentation for proftpd:
> >>
> >>http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-NAT.html
> >>
> >>
> >>
> >>----- Original Message -----
> >>From: "Danny Puckett" <dpuckett at comresource dot com>
> >>To: <m0n0wall at lists dot m0n0 dot ch>
> >>Sent: Tuesday, March 29, 2005 5:46 PM
> >>Subject: [m0n0wall] PASV FTP
> >>
> >>
> >>
> >>>I have been trying to get a PASV connection to an FTP server behind
> >>>m0n0wall and am not having much luck.  I have configured my
> >>>PassivePortRange on the FTP server per MS article.
> >>>
> >>>http://support.microsoft.com/?id=555022
> >>>
> >>>I have NAT configured as
> >>>
> >>>WAN  TCP  21 (FTP)  192.168.2.21  21 (FTP)  FTPTEST
> >>>WAN  TCP  20000-21000 (FTP)  192.168.2.21  20000-21000 (FTP)  PASSVTEST
> >>>
> >>>And Rules
> >>>
> >>>TCP  *  *  192.168.2.21  21 (FTP)  NAT FTPTEST
> >>>TCP  *  *  192.168.2.21  20000 - 21000  NAT PASVTEST
> >>>
> >>>I am using FileZilla and I receive the following
> >>>
> >>>Response: 220-Microsoft FTP Service
> >>>Response: 220 BI FTP Test Site
> >>>Command: USER dpuckett
> >>>Response: 331 Password required for dpuckett.
> >>>Command: PASS **************
> >>>Response: 230-Hello
> >>>Response: 230 User dpuckett logged in.
> >>>Command: FEAT
> >>>Response: 211-FEAT
> >>>Response:     SIZE
> >>>Response:     MDTM
> >>>Response: 211 END
> >>>Command: SYST
> >>>Response: 215 Windows_NT
> >>>Status: Connected
> >>>Status: Retrieving directory listing...
> >>>Command: PWD
> >>>Response: 257 "/" is current directory.
> >>>Command: PASV
> >>>Response: 227 Entering Passive Mode (192,168,2,21,78,51).
> >>>Command: TYPE A
> >>>Response: 200 Type set to A.
> >>>Command: LIST
> >>>Response: 425 Can't open data connection.
> >>>Error: Could not retrieve directory listing
> >>>
> >>>
> >>>Can anyone tell me what I am doing wrong?
> >>>Thanks
> >>>
> >>>
> >
> >
> 
> --
> Jean-Francois Theroux
> Systems administrator
> PrivalODC
> 450.761.9973
> http://www.privalodc.com
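The diagnosis in this thread can be turned into a small check: parse the server's 227 reply, decode the advertised address and port, and flag a data address that is not Internet-routable (the RFC 1918 address quoted above), an address that differs from the one the client connected to on port 21, or a port outside the range the firewall forwards. The script below is an added example written for this page; it is not code from m0n0wall, IIS or FileZilla. The WAN address 203.0.113.10 (an RFC 5737 documentation address) and the port range 20000-21000 are constructed stand-ins for the firewall's public address and the PassivePortRange from the original post.

```python
"""Check an FTP PASV (227) reply the way the thread diagnoses it:
the server must advertise the firewall's public address, not its own
RFC 1918 address, and the port must fall inside the forwarded range.
Added example, not part of the mailing-list thread."""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- RFC 959 format
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Address blocks a client on the Internet cannot reach (RFC 1918 plus
# loopback, link-local and "this network").
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]


def parse_pasv(line):
    """Return (host, port) advertised by a 227 reply, or raise ValueError."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in: %r" % line)
    port = p1 * 256 + p2          # high byte, low byte
    if port == 0:
        raise ValueError("port 0 advertised in: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def is_non_routable(host):
    """True if host lies in a block that is not reachable from the Internet."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in NON_ROUTABLE)


def check_pasv(line, control_peer, passive_range):
    """Diagnose a 227 reply.

    control_peer  -- the address the client connected to on port 21
                     (the firewall's WAN address, seen from outside)
    passive_range -- (low, high) ports the firewall forwards for data
    Returns (host, port, problems); an empty problems list means the
    data connection should be reachable through the NAT.
    """
    host, port = parse_pasv(line)
    low, high = passive_range
    problems = []
    if is_non_routable(host):
        problems.append("data address %s is not Internet-routable; "
                        "the server must masquerade as %s" % (host, control_peer))
    elif host != control_peer:
        problems.append("data address %s differs from control address %s"
                        % (host, control_peer))
    if not low <= port <= high:
        problems.append("data port %d is outside forwarded range %d-%d"
                        % (port, low, high))
    return host, port, problems


if __name__ == "__main__":
    # The reply quoted in the thread, checked as if the client had
    # connected to a constructed public WAN address (203.0.113.10 is
    # an RFC 5737 documentation address, not a real host), followed by
    # the reply a correctly masquerading server would send.
    WAN = "203.0.113.10"
    for reply in ("227 Entering Passive Mode (192,168,2,21,78,51).",
                  "227 Entering Passive Mode (203,0,113,10,78,51)."):
        host, port, problems = check_pasv(reply, WAN, (20000, 21000))
        print("%s -> %s:%d" % (reply, host, port))
        for p in problems:
            print("  PROBLEM:", p)
```

Run against the quoted reply, the decoded data port (78*256+51 = 20019) sits inside the 20000-21000 range the original poster forwarded, so the port forwards were fine; the only failing check is the 192.168.2.21 address, which is exactly why the client's LIST ends in "425 Can't open data connection". A 1:1 NAT does not change what the server advertises; it only changes how the firewall maps the address, so the masquerade check is the one to look at first.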