 From:  "Andrej Fercic" <andrej at pcklinika dot si>
 To:  "'Markus Fischer'" <markus at fischer dot name>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Problem with active ftp
 Date:  Thu, 9 Jun 2005 11:41:43 +0200
Yep, I have a similar problem.

ISP <> m0n0 <> | FTPserver1 
		 | FTPserver2
		 | FTPserver3

Connection to my ISP is made by using PPPoE which returns an IP (DHCP) and
it is A.B.C.193. I also have 5 more IPs which are all used with the ServerNAT
option + ProxyARP. So if I set a NAT rule to forward port 21 from WAN to LAN
on the default IP to one of my local servers, FTP works. But I want to enable FTP
on all my servers. So, if I do that and enable a NAT rule for port 21 on all
the other IPs, I can reach my FTP server from the WAN side, I can LOGIN, but I NEVER
get a file list. At this point the process is stopped!

Any idea what is wrong? Setup, or is it a bug? :(



-----Original Message-----
From: Markus Fischer [mailto:markus at fischer dot name] 
Sent: Thursday, June 09, 2005 10:42 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Problem with active ftp


I'm experiencing a weird situation with m0n0wall and active FTP connections
to one of our partner hosts.

I open the ftp connection and for some time (browsing the rather
big directory structure remotely) it works. But often at one point, when the
internal PORT command is issued, the ftp client seems to hang and later stops
because of a timeout.

Whenever this timeout happens, I find multiple entries in the firewall log:

block | WAN | remote-ip 21 | my-public-gateway-ip 4000 | TCP

The port of the remote-ip is always 21, the port on the public ip of the
gateway varies but is usually in the range 2000 to 4000 or so.

I have not set up any rule to block these. I even added a rule for testing
to accept all packets from everything to everything, and still I got those
reported as blocked in the firewall log.

I've tested multiple ftp clients; all exhibit the same problem. The
administrator of the remote company said he did many hours of debugging at
its best and could only come to the conclusion that he suspects a problem
in the ftp-nat module of my firewall (m0n0wall). He says his firewall does
state matching, and he can see that many tcp connections are not correctly
initiated from our firewall; packets are dropped.

I'm using version 1.11, generic-pc.

thanks for any pointers,

- Markus

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
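Both messages above come down to how active-mode FTP interacts with NAT: the client sends a PORT command naming the address and port it is listening on, and the server then opens the data connection back toward that address, so a NAT firewall has to rewrite the PORT payload and open a matching inbound pinhole or the listing never arrives. The following model, added here as an illustration and not code from m0n0wall or from either poster, parses and rewrites PORT commands and shows which inbound data-connection SYNs a stateful NAT would accept. The `NatFtpHelper` class, the address 203.0.113.5 / 198.51.100.7 / 192.168.1.10 values, and the port numbering are constructed for the example.

```python
"""Illustrative model of active-mode FTP through a NAT firewall.

This is an added example, not m0n0wall's ftp-nat code. It models the
client-behind-NAT case from the second message: the client advertises a
private address in PORT, the NAT must rewrite it to the public address and
expect the server's data connection on the rewritten port.
"""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2  (RFC 959): IP from h1-h4, port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(line):
    """Parse a PORT command into (ip, port); return None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ".".join(str(o) for o in octets[:4]), port


def format_port(ip, port):
    """Render ip:port as a PORT command."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port // 256},{port % 256}"


@dataclass
class NatFtpHelper:
    """Hypothetical FTP-aware NAT: rewrites PORT and tracks expected inbound SYNs."""
    public_ip: str
    next_port: int = 40000                      # constructed public-side port pool
    pinholes: set = field(default_factory=set)  # (src_ip, src_port, dst_ip, dst_port)
    mappings: dict = field(default_factory=dict)  # public port -> (private ip, port)

    def rewrite_port_command(self, line, server_ip):
        """Rewrite a client's PORT so it names the public address, and open a
        pinhole for the server's data connection (active FTP uses source port 20)."""
        parsed = parse_port(line)
        if parsed is None:
            return line  # not a valid PORT command: pass through unchanged
        priv_ip, priv_port = parsed
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = (priv_ip, priv_port)
        self.pinholes.add((server_ip, 20, self.public_ip, pub_port))
        return format_port(self.public_ip, pub_port)

    def inbound_allowed(self, src_ip, src_port, dst_ip, dst_port):
        """Classify an inbound SYN. A matching pinhole is consumed (a real
        firewall would turn it into a tracked state); anything else is blocked,
        which is exactly what an unexpected 'block | WAN' log line reflects."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return "pass", self.mappings[dst_port]
        return "block", None


def demo():
    """Walk one active-mode listing through the helper and return the outcomes."""
    nat = NatFtpHelper(public_ip="203.0.113.5")
    server = "198.51.100.7"
    client_cmd = "PORT 192,168,1,10,15,160"            # private 192.168.1.10:4000
    sent = nat.rewrite_port_command(client_cmd, server)
    first = nat.inbound_allowed(server, 20, "203.0.113.5", 40000)   # expected SYN
    stray = nat.inbound_allowed(server, 21, "203.0.113.5", 40000)   # no pinhole
    return sent, first, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Without the rewrite step the server would try to connect to 192.168.1.10:4000, a private address it cannot reach, and the client would hang until its timeout; with the rewrite but without the pinhole, the server's SYN to the public port is dropped and shows up only as a blocked packet in the log. Neither case is affected by user-defined pass rules, which is why adding an allow-all rule does not change what the log shows.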