 
 From:  Simon SZE-To <simonchs at gmail dot com>
 To:  Jim <jwells at networksisp dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Passive Mode FTP
 Date:  Fri, 8 Apr 2005 01:07:57 +0800
Hello,
 I have an FTP server behind 1:1 NAT under m0n0wall too, and I have
configured it as below:
- firewall rules allow ports 65000-65050 to my server IP
- firewall rules allow port 21 to my server IP
- "MasqueradeAddress" and "PassivePorts" directives in my proftpd.conf
 Both active and passive mode are working.
 

 On Apr 7, 2005 11:04 PM, Jim <jwells at networksisp dot com> wrote: 
> 
> Braden
> 
> Yes, I did forward the high port range 55000 - 65535 to ports 21 and
> 20.
> I am sorry I did not spell out all the configurations I attempted :(
> I did change the vsftpd.conf file to the public IP so the PASV clients get
> that back when they connect. The public IP is static as well.
> 
> I did not use the Server NAT tab since I have 1:1 NAT configured.
> If I need to try that I will. My understanding is you use either Server NAT
> or 1:1 NAT but not both. I do have the rules set otherwise.
> 
> Jim
> 
> ----- Original Message -----
> From: "Braden McGrath" <braden at mcmail dot homeip dot net>
> To: "Jim" <jwells at networksisp dot com>; <m0n0wall at lists dot m0n0 dot ch>
> Sent: Thursday, April 07, 2005 10:37 AM
> Subject: RE: [m0n0wall] Passive Mode FTP
> 
> Ok, so you opened * * all ports... did you FORWARD them to your FTP
> server in the Server NAT tab?
> 
> Your FTP server should have an option wherein you can configure the port
> range it uses for passive connections. Set that, and then forward (and
> allow) only that range of ports to the FTP server. Also, the server
> should have a setting that lets you specify the EXTERNAL IP address.
> When clients use PASV, if the server is responding using its INTERNAL
> (NATted) IP address, the client won't be able to do anything with that
> as the address is (or should be) non-internet-routable. If you have a
> static IP, you can set and forget, and if you've got a dynamic IP, you
> will have to hope the FTP daemon has facilities for handling that.
> 
> --Braden
> 
> > -----Original Message-----
> > From: Jim [mailto:jwells at networksisp dot com]
> > Sent: Thursday, April 07, 2005 10:31 AM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] Passive Mode FTP
> >
> > Thanks for the feedback thus far
> >
> > Simon, I have gone as far in testing as opening * * all ports
> > both incoming and outgoing with the same results, so I am
> > fairly confident it is not a problem with my rules, since it
> > does connect but takes 70 sec to perform a directory listing
> > the first time.
> >
> > Christian, thanks for the input. I am putting the old
> > firewall back in place for now in order to resolve this very
> > important problem for my end users.
> >
> > If anyone else has more to offer please let me know. I want
> > to help resolve this issue with my monowall. Linux firewalls
> > don't seem to have this same issue. According to another
> > source, "modprobe ip_conntrack_ftp ip_nat_ftp" in Linux
> > resolves the same issues.
> > I love FreeBSD and Monowall and have many installed so don't
> > get the wrong idea that I am abandoning it because I am not.
> >
> > Thanks
> >
> > Jim
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
>
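The advice from Simon and Braden above boils down to one check: the address and port the FTP daemon puts into its PASV (227) reply must be the firewall's public 1:1 NAT address and a port inside the range the firewall forwards and allows. The script below is an added example for this thread, not code from m0n0wall, proftpd or vsftpd; it parses 227 replies the way a client does, builds them the way a server does, and flags the two misconfigurations the thread describes (an RFC 1918 address leaking through, and a data port outside the forwarded range). The public address 203.0.113.5 and the sample replies are constructed; the 65000-65050 range mirrors Simon's rules.

```python
"""Check what an FTP server advertises in PASV replies against what the NAT
firewall in front of it forwards.  Added example for the m0n0wall thread;
203.0.113.5 is an assumed (documentation-range) public address."""
import ipaddress
import re

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Braden's point: a NATted (RFC 1918) address in the 227 reply is useless to a
# client on the Internet.  Only the three RFC 1918 blocks are checked here, so
# a documentation address like 203.0.113.5 can stand in for a real public IP.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply):
    """Client side: return (ip, port) from a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_pasv_reply(ip, port):
    """Server side: encode the endpoint the way a daemon does once
    MasqueradeAddress/PassivePorts (proftpd) or pasv_address/pasv_min_port/
    pasv_max_port (vsftpd) are set."""
    if not 0 < port < 65536:
        raise ValueError("bad port %r" % port)
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


def check_pasv_endpoint(reply, public_ip, pasv_range):
    """Return a list of problems; an empty list means an Internet client can
    open the data connection through the 1:1 NAT and firewall rules."""
    ip, port = parse_pasv_reply(reply)
    lo, hi = pasv_range
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append("advertises RFC 1918 address %s; set MasqueradeAddress"
                        " / pasv_address to the public IP" % ip)
    elif ip != public_ip:
        problems.append("advertises %s but the 1:1 NAT public address is %s"
                        % (ip, public_ip))
    if not lo <= port <= hi:
        problems.append("advertises port %d outside the forwarded/allowed "
                        "range %d-%d; set PassivePorts / pasv_min_port,"
                        "pasv_max_port" % (port, lo, hi))
    return problems


# Constructed sample data (not captured from anyone's server in the thread).
PUBLIC_IP = "203.0.113.5"        # assumed 1:1 NAT address on the m0n0wall WAN
PASV_RANGE = (65000, 65050)      # the range Simon's firewall rules allow

# Internal IP and an unforwarded high port: the client's listing hangs until
# it times out, which is the symptom Jim describes.
BAD_REPLY = "227 Entering Passive Mode (192,168,1,10,200,50)"
# Public IP, port inside the forwarded range: this one works.
GOOD_REPLY = build_pasv_reply(PUBLIC_IP, 65000)

if __name__ == "__main__":
    for r in (BAD_REPLY, GOOD_REPLY):
        print(r, "->", check_pasv_endpoint(r, PUBLIC_IP, PASV_RANGE) or ["ok"])
```

Run it against a real server by pasting the 227 line from an `ftp -d` session (or a packet capture on port 21) into `check_pasv_endpoint` with your own public address and PassivePorts range; if the address check passes but the port check fails, the daemon's range and the firewall's rule/forward range have drifted apart.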