 From:  "Jim" <jwells at networksisp dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Passive Mode FTP
 Date:  Thu, 7 Apr 2005 11:04:05 -0400
Braden

Yes, I did forward the high port range 55000 - 65535 to ports 21 and 20.
I am sorry I did not spell out all the configurations I attempted :(
I did change the vsftpd.conf file to the public IP so the pasv clients get
that back when they connect. The Public IP is static as well.

I did not use the Server NAT tab since I have 1:1 NAT configured.
If I need to try that I will. My understanding is you use either Server NAT
or 1:1 NAT but not both. I do have the rules set otherwise.

Jim

----- Original Message ----- 
From: "Braden McGrath" <braden at mcmail dot homeip dot net>
To: "Jim" <jwells at networksisp dot com>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, April 07, 2005 10:37 AM
Subject: RE: [m0n0wall] Passive Mode FTP


Ok, so you opened * * all ports... did you FORWARD them to your FTP
server in the Server NAT tab?

Your FTP server should have an option wherein you can configure the port
range it uses for passive connections.  Set that, and then forward (and
allow) only that range of ports to the FTP server.  Also, the server
should have a setting that lets you specify the EXTERNAL IP address.
When clients use PASV, if the server is responding using its INTERNAL
(NATted) IP address, the client won't be able to do anything with that
as the address is (or should be) non-internet-routable.  If you have a
static IP, you can set and forget, and if you've got a dynamic IP, you
will have to hope the FTP daemon has facilities for handling that.

--Braden 

> -----Original Message-----
> From: Jim [mailto:jwells at networksisp dot com] 
> Sent: Thursday, April 07, 2005 10:31 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Passive Mode FTP
> 
> Thanks for the feedback thus far
> 
> Simon, I have gone as far in testing as opening * * all ports 
> both incoming and outgoing with the same results, so I am 
> fairly confident it is not a problem with my rules, since it 
> does connect but takes 70 sec to perform a directory listing 
> the first time.
> 
> Christian, thanks for the input. I am putting the old 
> firewall back in place for now in order to resolve this very 
> important problem for my end users.
> 
> If anyone else has more to offer please let me know. I want 
> to help resolve this issue with my monowall. Linux firewalls 
> don't seem to have this same issue. 
> According to another
> source, the modprobe: ip_conntrack_ftp ip_nat_ftp in Linux 
> resolves the same issues.
> I love FreeBSD and Monowall and have many installed, so don't 
> get the wrong idea that I am abandoning it, because I am not.
> 
> Thanks
> 
> Jim
>
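Braden's two requirements (pin the passive port range, and advertise the external address in the 227 reply so a client never sees the NATted IP) can be checked mechanically. The script below is an added example written for this thread; it is not code from the m0n0wall project, from vsftpd, or from either poster. The vsftpd.conf fragments, the public address 203.0.113.10, the LAN address 192.168.1.10 and the forwarded range 55000-55100 are constructed assumptions, and `pasv_reply_for` is a simplified model of what vsftpd sends (pasv_address if set, otherwise its own interface address), not vsftpd itself.

```python
"""Check a vsftpd passive-mode setup against a NAT port-forward.

Added example (not code from the m0n0wall list, vsftpd, or either poster).
All addresses, ports and config lines below are constructed assumptions.
"""
import ipaddress
import re

# Constructed vsftpd.conf fragments (assumption: not Jim's real file).
# Weak: no passive range and no external address, so the daemon advertises
# whatever port the kernel picks, on its internal (NATted) IP.
WEAK_CONF = """
listen=YES
pasv_enable=YES
"""

# Corrected: pinned passive range plus the static public IP to advertise.
FIXED_CONF = """
listen=YES
pasv_enable=YES
pasv_min_port=55000
pasv_max_port=55100
pasv_address=203.0.113.10
"""

PUBLIC_IP = "203.0.113.10"      # assumed static WAN address of the firewall
INTERNAL_IP = "192.168.1.10"    # assumed LAN address of the FTP server
FORWARDED = (55000, 55100)      # assumed range forwarded and allowed inbound

# Address ranges an Internet client cannot reach (RFC 1918 plus loopback).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_vsftpd_conf(text):
    """Parse key=value lines of a vsftpd.conf fragment, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def pasv_reply_for(conf, data_port):
    """Model of the 227 reply: pasv_address if set, else the server's own IP.

    data_port is the port the server bound for the data connection.
    """
    ip = conf.get("pasv_address", INTERNAL_IP)
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), data_port // 256, data_port % 256)


def parse_pasv_reply(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (ip, port); port = p1*256+p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def check_pasv(reply, public_ip=PUBLIC_IP, forwarded=FORWARDED):
    """Return the problems an Internet client would hit with this reply."""
    ip, port = parse_pasv_reply(reply)
    addr = ipaddress.ip_address(ip)
    problems = []
    if any(addr in net for net in NON_ROUTABLE):
        problems.append("advertised non-routable address %s; set pasv_address" % ip)
    elif ip != public_ip:
        problems.append("advertised %s but the public IP is %s" % (ip, public_ip))
    lo, hi = forwarded
    if not lo <= port <= hi:
        problems.append("data port %d outside forwarded range %d-%d; "
                        "set pasv_min_port/pasv_max_port" % (port, lo, hi))
    return problems


def audit(conf_text, data_port):
    """Run the whole check for one config fragment; returns the problem list."""
    return check_pasv(pasv_reply_for(parse_vsftpd_conf(conf_text), data_port))


if __name__ == "__main__":
    for p in audit(WEAK_CONF, 40000):     # kernel-chosen port, internal IP
        print("WEAK:", p)
    print("FIXED:", audit(FIXED_CONF, 55010) or "ok")
```

The same check can be run against a real server by pasting the 227 line from a client's debug output into `check_pasv`. It only models the server's side of the problem: with 1:1 NAT in place, the WAN rule still has to allow the pinned passive range inbound to the server, and a packet capture on both interfaces remains the way to confirm the data connection actually arrives.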