 From:  "Braden McGrath" <braden at mcmail dot homeip dot net>
 To:  "Jim" <jwells at networksisp dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Passive Mode FTP
 Date:  Thu, 7 Apr 2005 10:37:42 -0400
Ok, so you opened * * all ports... did you FORWARD them to your FTP
server in the Server NAT tab?

Your FTP server should have an option wherein you can configure the port
range it uses for passive connections.  Set that, and then forward (and
allow) only that range of ports to the FTP server.  Also, the server
should have a setting that lets you specify the EXTERNAL IP address.
When clients use PASV, if the server is responding using its INTERNAL
(NATted) IP address, the client won't be able to do anything with that
as the address is (or should be) non-internet-routable.  If you have a
static IP, you can set and forget, and if you've got a dynamic IP, you
will have to hope the FTP daemon has facilities for handling that.

--Braden 

> -----Original Message-----
> From: Jim [mailto:jwells at networksisp dot com] 
> Sent: Thursday, April 07, 2005 10:31 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Passive Mode FTP
> 
> Thanks for the feedback thus far
> 
> Simon, I have gone as far in testing as opening * * all ports 
> both incoming and outgoing with the same results so I am 
> fairly confident it is not a problem with my rules since it 
> does connect but takes 70 sec to perform a directory listing 
> the first time.
> 
> Christian, thanks for the input and I am putting the old 
> firewall back in place for now in order to resolve this very 
> important problem for my end users.
> 
> If anyone else has more to offer please let me know. I want 
> to help resolve this issue with my monowall. Linux firewalls 
> don't seem to have this same issue. According to another 
> source the modprobe: ip_conntrack_ftp ip_nat_ftp in linux 
> resolves the same issues.
> I love FreeBSD and Monowall and have many installed so don't 
> get the wrong idea that I am abandoning it because I am not.
> 
> Thanks
> 
> Jim
> 
> 
> ----- Original Message -----
> From: "Christian Rohmann" <Christian dot Rohmann at gmx dot de>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Thursday, April 07, 2005 8:32 AM
> Subject: Re: [m0n0wall] Passive Mode FTP
> 
> 
> > As suggested multiple times a layer7 IP filter would be able to be 
> > stateful even with such bugging protocols like FTP.
> > And most important they increase the security of the whole thing because 
> > they "follow" the protocols. This protects the machines exposed to the 
> > internet even more.
> > It's just like Ciscos PIXes have "fixup" at layer7 following DNS queries 
> > for example and making sure they follow the rules i.e. having a certain 
> > length.
> >
> > I understand that the devs want m0n0wall to be as slim as possible, but 
> > having VPNs is just as CPU intense as having a more sophisticated 
> > filtering.
> >
> >
> >
> > Greetings
> >
> > Christian
> >
> >
> > Simon SZE-To wrote:
> >
> >>hello,
> >>
> >>you will need to create firewall rules for those ftp passive ports, 
> >>m0n0wall doesn't have ip connection tracking like Linux.
> >>
> >>
> >>On Apr 7, 2005 11:54 AM, Jim <jwells at networksisp dot com> wrote:
> >>
> >>>I have a Redhat server running vsftpd behind 1:1 NAT.
> >>>MAC / Linux users are reporting timeouts. I can reproduce
> >>>the problem. I can connect with no problems but when I attempt dir
> >>>then 70 seconds later I get a directory list. The next dir command is
> >>>very fast. Only the initial one is slow. I have tried several changes
> >>>to vsftpd.conf with no changes, still 70 sec. The log files show high port
> >>>connections from the client to the server and from the server to
> >>>the client. Microsoft FTP clients have no problems at all since they
> >>>use active FTP.
> >>>
> >>>Any idea what is causing the slow down ?
> >>>
> >>>I did not have this problem with my previous firewall. It only started
> >>>after I deployed Monowall. I am running 1.11 since this is a production
> >>>system.
> >>>All other servers and services are working very well.
> >>>
> >>>Thanks
> >>>
> >>>Jim
> 
> 
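A small diagnostic for the failure Braden describes, added here as an example and not part of the thread: it parses the server's RFC 959 "227 Entering Passive Mode" reply and flags an advertised address that is RFC 1918 (the NATted internal address), an address that differs from the public address the client dialled, or a data port outside the range forwarded to the server. The control-peer address 203.0.113.5 and the 50000-50100 passive range are constructed sample values.

```python
import ipaddress
import re

# Host/port tuple inside an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# RFC 1918 space: the addresses a NATted server wrongly advertises to outside clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv(reply, control_peer, pasv_range=(50000, 50100)):
    """Diagnose a PASV reply as a client outside the NAT would experience it.

    control_peer: public address the client used for the control connection.
    pasv_range:   inclusive port range forwarded to the FTP server (assumed sample).
    Returns a list of problems; an empty list means the data connection should work.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 reply"]
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    problems = []
    if addr.is_loopback or any(addr in net for net in RFC1918):
        problems.append(f"advertised address {ip} is not internet-routable")
    if ip != control_peer:
        problems.append(f"advertised address {ip} differs from control peer {control_peer}")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed reply from a server that has not been told its external address.
    for problem in check_pasv("227 Entering Passive Mode (192,168,1,10,195,80).", "203.0.113.5"):
        print(problem)
```

A client that receives the first reply above tries the unroutable address, waits for the connect to time out, and only then (if it falls back to active mode) gets its listing, which matches the long delay on the first dir.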