Chris Bagnall wrote:
> Yarick,
>
> You said:
>
>> Your suggestion does not work:
>> - on m0n0wall, outbound connections to port 2100 are enabled,
>> - an ftp client connects to remote ftp server port 2100
>>   through m0n0wall (but not through ftp-proxy, as ftp-proxy
>>   supports only port 21),
>> - the server says to the client that it opens port XXX for
>>   the passive connection,
>> - m0n0wall _does_not_ create a dynamic 'enable' rule for this
>>   "passive connection" port XXX for the remote ftp server
>>   and the local client,
>> - the client tries to access port XXX on the remote ftp server,
>> - m0n0wall, of course, BLOCKS this connection :-(
>>
>>>> Is there (maybe in beta versions) _any_ possibility to configure
>>>> m0n0wall to serve such actions ?
>
> I made the assumption that all outgoing connections from your clients (i.e.
> lan subnet) were allowed (m0n0's default config). In that configuration,
> m0n0 will not block *any* outgoing connections, either to 2100 (your remote
> FTP's connect port) or whatever PASV port is assigned to the client.
>
> If you aren't allowing unrestricted access from your clients to the net I
> fully agree that this isn't going to work. Is there any particular reason
> why you need to prevent your clients having unrestricted net access?

Unfortunately, yes. It is the company policy :-(

>>> I remember doing this on an old ipchains based firewall some years ago
>>> to enable PORT rewriting on 990 - maybe someone else will know how to
>>> do something similar with m0n0?
>>
>> Sorry, what kind of port rewriting do you mean? In the case of
>> access to remote ftp servers, only a special ftp proxy works,
>> one which knows the ftp protocol and rewrites it. Do you mean this or
>> something else?
>
> Exactly as you describe. FTP Proxy.
>
>> p.s. Of course, no ftp proxy is needed if all ports are
>> enabled for outbound connections and the ports
>> are translated one-to-one.
>
> The ports don't need to be translated one-to-one (m0n0 will still do NAT),
> but clients inside your LAN will need to be able to make outgoing
> connections to the remote FTP's PASV port range. If the remote FTP is under
> your control, you may be able to limit the PASV port range it uses and allow
> your clients to make outbound connections in that range. However, if you
> don't have control over the remote FTP, PASV ports can be anywhere from
> 1025-65535 from what I remember.

Of course remote ftp servers are not under my control...

> Hope this helps.
>
> Regards,
>
> Chris

Thanks for such detailed answers,
Yarick.

p.s. Let us wait for extended configuration of ftp-proxy...
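The exchange above comes down to one mechanism: a restricted outbound policy can only pass the passive-mode data connection if something on the firewall reads the server's 227/229 reply and opens a pinhole for the announced port, and on m0n0wall that helper (ftp-proxy) only watches control connections on port 21. The following Python model is an added illustration, not code from the thread or from the m0n0wall project. The server address, the PASV/EPSV reply lines and the `OutboundPolicy` class are all constructed for the example. It also includes one check a protocol-aware helper should make: the host named in the 227 reply is ignored and the pinhole is opened only toward the peer the control connection is already talking to, so a reply naming a third-party address cannot be used to open the firewall toward it.

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample replies as an FTP server would send them (not from the thread).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"

# RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2); RFC 2428 EPSV reply: (|||port|)
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str, control_peer: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) the client is told to connect to, or None.

    Only the port is taken from the reply. The host is always the address
    of the control-connection peer, never the address embedded in the reply.
    """
    m = _PASV_RE.match(line)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            return None
        return control_peer, p1 * 256 + p2
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (control_peer, port) if 0 < port < 65536 else None
    return None


class OutboundPolicy:
    """Restricted outbound policy: a fixed set of allowed destination ports
    plus dynamic pinholes opened by a protocol-aware helper.

    helper_control_ports models which control ports the helper inspects
    (m0n0wall's ftp-proxy in the thread: only port 21).
    """

    def __init__(self, allowed_ports: Set[int], helper_control_ports: Set[int]):
        self.allowed_ports = set(allowed_ports)
        self.helper_control_ports = set(helper_control_ports)
        self.pinholes: Set[Tuple[str, int]] = set()

    def observe_control_reply(self, server: str, control_port: int, line: str) -> bool:
        """Feed one server reply to the helper; returns True if a pinhole opened."""
        if control_port not in self.helper_control_ports:
            return False  # helper never sees this control session
        target = parse_passive_reply(line, server)
        if target is None:
            return False
        self.pinholes.add(target)
        return True

    def permits(self, dst: str, port: int) -> bool:
        """Would the firewall pass a new outbound connection to dst:port?"""
        return port in self.allowed_ports or (dst, port) in self.pinholes


def simulate(control_port: int, helper_ports: Set[int], reply: str = PASV_REPLY) -> bool:
    """Run the scenario from the thread: the control port is allowed outbound,
    the server announces a passive port, the client tries to connect to it."""
    server = "203.0.113.10"  # constructed remote FTP server address
    policy = OutboundPolicy({control_port}, helper_ports)
    policy.observe_control_reply(server, control_port, reply)
    dst, port = parse_passive_reply(reply, server)
    return policy.permits(dst, port)


if __name__ == "__main__":
    print("control on 21, helper on 21:   ", simulate(21, {21}))          # True
    print("control on 2100, helper on 21: ", simulate(2100, {21}))        # False
    print("control on 2100, helper on 2100:", simulate(2100, {21, 2100})) # True
```

The second case is exactly the situation Yarick describes: the control connection on 2100 is allowed, but the helper never inspects it, so no pinhole is created and the data connection to the announced port is dropped by the default-deny policy. The third case is what an ftp-proxy that could be bound to additional control ports would give.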