From: Fred Wright <fw at well dot com>
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Passive Mode FTP
Date: Tue, 12 Apr 2005 00:29:37 -0700 (PDT)
On Thu, 7 Apr 2005, Manuel Kasper wrote:
> It should be mentioned at this point (and hopefully once and for all)

Good luck! :-)

> that ipnat (and thus m0n0wall) does indeed fix up PORT commands sent
> by FTP clients behind NAT to FTP servers on the Internet. Therefore,
> both active and passive FTP clients can be used behind m0n0wall (as
> long as NAT is on, which is the case in almost all setups). What

And as long as the ephemeral ports are allowed through the firewall, since
IPFilter doesn't poke holes through the firewall automatically for the
data connections.

> doesn't work (and that's a limitation in ipnat) is fixup of PASV
> responses made by FTP servers behind m0n0wall. So at present, if you

Are you sure about that?  I've tested all four combinations of
client/server and active/passive, and they all worked (under 1.2b3 IIRC).  
The only special NAT setup was the obvious redirect for port 21 on the
server side.  But as noted, I had to pass the ephemeral port range, and
some systems have different opinions about what that range is.  The
current recommendation is 49152-65535, but the old range was 1024-5000.

> want to run an FTP server behind m0n0wall in passive mode (active
> mode is no problem), you need a static WAN IP address and a good FTP
> server that allows you to specify the IP address to be returned in
> PASV responses. Then, if you map/configure the proper port ranges,
> passive FTP servers behind m0n0wall will work too. Other than that,
> there are *no* restrictions to using FTP with m0n0wall (aside from
> the fact that EPRT/EPSV aren't supported, but these aren't in
> widespread use anyway).

The OS X client certainly *tries* to use them, and there are probably
others.  Perhaps this is a reason that some people have trouble while
others don't.  Thus, disabling EPSV/EPRT might be worth a try.

Oddly enough, EPSV and EPRT were conceived to *help* NAT routers, but they
don't help much when the code doesn't get updated to handle them. :-)

					Fred Wright
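The thread turns on what a NAT helper has to understand on the FTP control channel: the client's PORT command (active mode), the server's 227 PASV reply (passive mode), and the newer EPRT/EPSV forms that ipnat at the time did not parse. The following is an added illustration, written for this page and not taken from ipnat, m0n0wall or IPFilter. It models the helper's job in plain Python: decode the `h1,h2,h3,h4,p1,p2` encoding, rewrite a private address to the firewall's public one, report the data port so the firewall knows which ephemeral port to expect, and, when told it does not support the extended commands, ignore EPRT/EPSV the way a helper without that code would. The public address 203.0.113.5, the private addresses and the sample control-channel lines are constructed; the two port ranges are the ones quoted in the thread.

```python
"""Toy model of an FTP NAT helper: parse and rewrite PORT/PASV/EPRT/EPSV.
Added example; not code from ipnat, IPFilter or m0n0wall."""
import re

# Ephemeral port ranges mentioned in the thread (the data connection lands here,
# so the firewall must pass this range even when the helper rewrites addresses).
EPHEMERAL_RANGES = {
    "iana": (49152, 65535),   # current recommendation
    "legacy": (1024, 5000),   # old range still used by some systems
}

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PATTERNS = {
    "PORT": re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE),
    "PASV": re.compile(r"^227\s.*?\(" + _HOSTPORT + r"\)"),
    "EPRT": re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\s*$",
                       re.IGNORECASE),
    "EPSV": re.compile(r"^229\s.*?\(\|\|\|(\d{1,5})\|\)"),
}


def _match(line, extended):
    """Find which announcement (if any) a control-channel line is.
    With extended=False the helper behaves like one that never learned EPRT/EPSV."""
    for kind, pat in _PATTERNS.items():
        if not extended and kind in ("EPRT", "EPSV"):
            continue
        m = pat.match(line)
        if m:
            return kind, m
    return None, None


def _decode_hostport(m):
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2), rejecting bad octets."""
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % m.group(0))
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode_hostport(host, port):
    """Inverse of _decode_hostport, for writing the rewritten address back."""
    return ",".join(host.split(".")) + f",{port // 256},{port % 256}"


def parse_data_channel(line, extended=True):
    """Return (kind, host, port) for a line that announces a data channel, else None.
    For EPSV the host is None: the peer of the control connection is implied."""
    kind, m = _match(line.rstrip("\r\n"), extended)
    if kind is None:
        return None
    if kind in ("PORT", "PASV"):
        host, port = _decode_hostport(m)
        return kind, host, port
    if kind == "EPRT":
        return kind, m.group(1), int(m.group(2))
    return kind, None, int(m.group(1))


def rewrite_address(line, private_ip, public_ip, extended=True):
    """Replace private_ip with public_ip in a PORT command, 227 reply or EPRT command.
    Lines the helper does not recognise (including EPSV, which carries no address)
    pass through unchanged."""
    line = line.rstrip("\r\n")
    kind, m = _match(line, extended)
    if kind in ("PORT", "PASV"):
        host, port = _decode_hostport(m)
        if host != private_ip:
            return line
        return line[:m.start(1)] + _encode_hostport(public_ip, port) + line[m.end(6):]
    if kind == "EPRT" and m.group(1) == private_ip:
        return line[:m.start(1)] + public_ip + line[m.end(1):]
    return line


def data_port_allowed(port, range_name="iana"):
    """Would a firewall rule passing only this ephemeral range admit the data port?"""
    lo, hi = EPHEMERAL_RANGES[range_name]
    return lo <= port <= hi


if __name__ == "__main__":
    # Constructed control-channel lines; 203.0.113.5 stands in for the WAN address.
    for line in ("PORT 192,168,1,10,195,80",
                 "227 Entering Passive Mode (192,168,1,20,195,81)",
                 "EPRT |1|192.168.1.10|50003|",
                 "229 Entering Extended Passive Mode (|||50002|)"):
        for ext in (True, False):
            print(ext, parse_data_channel(line, ext),
                  rewrite_address(line, "192.168.1.10", "203.0.113.5", ext))
```

Run with `extended=False`, the 229 reply and the EPRT command come back untouched and unparsed, which is exactly the failure mode the thread describes: the helper never learns the data port, so nothing is tracked and the transfer stalls unless the client is told not to use EPSV/EPRT. The `data_port_allowed` check is the other half of the same problem: a server that picks its passive ports from the legacy 1024-5000 range will be blocked by a rule that only passes 49152-65535.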