[ previous ] [ next ] [ threads ]
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Christian Rohmann <Christian dot Rohmann at gmx dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Passive Mode FTP
 Date:  Thu, 07 Apr 2005 17:49:25 +0200
On 7.4.2005 14:32 Uhr +0200, Christian Rohmann wrote:

> As suggested multiple times a layer7 IP filter would be able to be
> stateful even with such bugging protocols like FTP.
> And most important they increase the securty of the whole thing
> because they "follow" the protocols. This protects the machines
> exposed to the internet even more.
> It's just like Ciscos PIXes have "fixup" at layer7 following DNS
> queries for example and making sure they follow the rules i.e.
> having a certain lengh.
> I understand that the devs want m0n0wall to be as slim as possible,
> but having VPNs is just as CPU intense as having a more
> sophisticated filtering.

It should be mentioned at this point (and hopefully once and for all)
that ipnat (and thus m0n0wall) does indeed fix up PORT commands sent
by FTP clients behind NAT to FTP servers on the Internet. Therefore,
both active and passive FTP clients can be used behind m0n0wall (as
long as NAT is on, which is the case in almost all setups). What
doesn't work (and that's a limitation in ipnat) is fixup of PASV
responses made by FTP servers behind m0n0wall. So at present, if you
want to run an FTP server behind m0n0wall in passive mode (active
mode is no problem), you need a static WAN IP address and a good FTP
server that allows you to specify the IP address to be returned in
PASV responses. Then, if you map/configure the proper port ranges,
passive FTP servers behind m0n0wall will work too. Other than that,
there are *no* restrictions to using FTP with m0n0wall (aside from
the fact that EPRT/EPSV aren't supported, but these aren't in
widespread use anyway).

- Manuel