 From:  "Jim" <jwells at networksisp dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Passive Mode FTP
 Date:  Thu, 7 Apr 2005 10:31:03 -0400
Thanks for the feedback thus far.

Simon, I have gone as far in testing as opening * * all ports, both incoming and outgoing, with the same results, so I am fairly confident it is not a problem with my rules, since it does connect but takes 70 sec to perform a directory listing the first time.

Christian, thanks for the input. I am putting the old firewall back in place for now in order to resolve this very important problem for my end users.

If anyone else has more to offer, please let me know. I want to help resolve this issue with my m0n0wall. Linux firewalls don't seem to have this same issue. According to another source, the modprobe: ip_conntrack_ftp ip_nat_ftp in Linux resolves the same. I love FreeBSD and m0n0wall and have many installed, so don't get the wrong idea that I am abandoning it, because I am not.
----- Original Message ----- 
From: "Christian Rohmann" <Christian dot Rohmann at gmx dot de>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, April 07, 2005 8:32 AM
Subject: Re: [m0n0wall] Passive Mode FTP

> As suggested multiple times, a layer 7 IP filter would be able to be 
> stateful even with such bugging protocols as FTP.
> And most important, they increase the security of the whole thing because 
> they "follow" the protocols. This protects the machines exposed to the 
> internet even more.
> It's just like Cisco's PIXes have "fixup" at layer 7, following DNS queries 
> for example and making sure they follow the rules, i.e. having a certain 
> length.
> I understand that the devs want m0n0wall to be as slim as possible, but 
> having VPNs is just as CPU intensive as having more sophisticated 
> filtering.
> Greetings
> Christian
> Simon SZE-To wrote:
>>You will need to create firewall rules for those FTP passive ports; 
>>m0n0wall doesn't have IP connection tracking like Linux.
>>On Apr 7, 2005 11:54 AM, Jim <jwells at networksisp dot com> wrote:
>>>I have a Redhat server running vsftpd behind 1:1 NAT.
>>>Mac / Linux users are reporting timeouts. I can reproduce
>>>the problem. I can connect with no problems, but when I attempt dir,
>>>70 seconds later I get a directory list. The next dir command is
>>>very fast. Only the initial one is slow. I have tried several changes
>>>to vsftpd.conf with no change, still 70 sec. The log files show high 
>>>connections from the client to the server and from the server to
>>>the client. Microsoft FTP clients have no problems at all since they
>>>use active FTP.
>>>Any idea what is causing the slowdown?
>>>I did not have this problem with my previous firewall. It only started
>>>after I deployed Monowall. I am running 1.11 since this is a production
>>>All other servers and services are working very well.
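The thread turns on what a protocol-aware filter does for passive FTP that a plain stateful packet filter cannot: Simon's "connection tracking", Christian's layer 7 filter that "follows" the protocol, and the Linux ip_conntrack_ftp / ip_nat_ftp modules Jim mentions all watch the control channel for the server's 227 PASV reply, open a pinhole for the data connection the client is about to make, and, when the server sits behind 1:1 NAT, rewrite the private address the server advertises. The model below is an added example for this thread, not code from m0n0wall, vsftpd or the Linux helpers; every address, port and the passive range it uses are constructed sample values, and the range bounds stand in for vsftpd's pasv_min_port / pasv_max_port settings.

```python
"""Model of an FTP-aware ("layer 7") firewall helper for passive mode.

Added example for this thread, not m0n0wall, vsftpd or Linux code.
It shows the two things a plain stateful packet filter cannot do on its
own and that Linux's ip_conntrack_ftp / ip_nat_ftp (or a PIX "fixup") does:
  1. read the 227 PASV reply on the control channel and open a pinhole for
     the data connection the client is about to make, and
  2. for a 1:1 NATed server, rewrite the private address in that reply to
     the public one, because the server only knows its own (private) IP.
All addresses, ports and the passive range are constructed sample values.
"""
import re
from ipaddress import IPv4Address
from typing import NamedTuple, Optional, Set, Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class DataEndpoint(NamedTuple):
    host: IPv4Address
    port: int


def parse_pasv_reply(line: str) -> Optional[DataEndpoint]:
    """Return the host/port advertised by a 227 reply, or None if the line
    is not a well-formed PASV reply (any field above 255 is rejected)."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return DataEndpoint(IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2)


def format_pasv_reply(ep: DataEndpoint) -> str:
    """Inverse of parse_pasv_reply: encode host and port as a 227 reply."""
    octets = str(ep.host).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{ep.port // 256},{ep.port % 256})\r\n"


class FtpHelper:
    """Tracks one 1:1 NATed FTP server and the data pinholes it has earned.

    pasv_range is the server's configured passive port range (the values
    vsftpd takes from pasv_min_port / pasv_max_port); a reply that names a
    port outside it is forwarded untouched and earns no pinhole.
    """

    def __init__(self, private_ip: str, public_ip: str, pasv_range: Tuple[int, int]):
        self.private_ip = IPv4Address(private_ip)
        self.public_ip = IPv4Address(public_ip)
        self.pasv_lo, self.pasv_hi = pasv_range
        self.pinholes: Set[Tuple[IPv4Address, IPv4Address, int]] = set()

    def on_server_reply(self, client_ip: str, line: str) -> Tuple[str, bool]:
        """Inspect one server->client control line. Returns the line to
        forward (rewritten if it was a PASV reply) and whether a pinhole
        was opened."""
        ep = parse_pasv_reply(line)
        if ep is None:
            return line, False          # not a PASV reply: pass through unchanged
        if ep.host != self.private_ip:
            return line, False          # server named some other host: never open that
        if not self.pasv_lo <= ep.port <= self.pasv_hi:
            return line, False          # outside the configured range: not trusted
        self.pinholes.add((IPv4Address(client_ip), self.public_ip, ep.port))
        return format_pasv_reply(DataEndpoint(self.public_ip, ep.port)), True

    def data_connection_allowed(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Would the filter accept this inbound data connection? A stateful
        filter with no helper has no pinholes and refuses every one of them."""
        return (IPv4Address(src_ip), IPv4Address(dst_ip), dst_port) in self.pinholes
```

Run against a constructed reply from a server at 192.168.1.10 behind public address 203.0.113.5, the helper forwards "227 Entering Passive Mode (203,0,113,5,195,80)" to the client and admits exactly one inbound connection, from that client to port 50000 (195 * 256 + 80). Without the helper the client receives the private address and the filter has no reason to accept the data connection at all, which is why Simon's advice is static rules for the whole passive range; on the server side, vsftpd's pasv_address option can make the advertised address the public one, but the pinhole still has to be opened by rules or by a helper.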