 From:  "Daniel Foster" <dan at melbourne dot co dot uk>
 To:  "Bjoern Euler \(lists at edain\)" <lists at edain dot de>, "Andrej Fercic" <andrej at pcklinika dot si>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Problem with active ftp
 Date:  Thu, 9 Jun 2005 16:24:16 +0100
I assume what you've described below only works in NAT mode? When I
tried using "ftp" in the rulesets it didn't work; opening ports 20 and 21
manually (both out and in) did work.

Dan

|  -----Original Message-----
|  From: Bjoern Euler (lists at edain) [mailto:lists at edain dot de] 
|  Sent: 09 June 2005 15:29
|  To: Andrej Fercic
|  Cc: m0n0wall at lists dot m0n0 dot ch
|  Subject: Re: [m0n0wall] Problem with active ftp
|  
|  Andrej Fercic wrote:
|  > OK,
|  > 
|  > But why does it work in the first CASE??? It is only FTP allowed
|  > (without extra port 20)?!
|  > 
|  > Andrej
|  
|  m0n0wall uses the proxy ftp feature of ipfilter. By default
|  a NAT entry is generated that looks like this:
|  
|  map wan_interface local_network -> 0.0.0.0/32 proxy port ftp ftp/tcp
|  
|  This dynamically generates filter rules for the data channel of ftp.
|  
|  See
|  http://www.obfuscation.org/ipf/ipf-howto.txt
|  section:
|  4.8.  Magic Hidden Within NAT; Application Proxies
|  
|  Regards
|  
|  -Bjoern Euler
|  
|
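
Added example, not part of the original messages and not ipfilter's code: a minimal sketch of what an FTP application proxy in a NAT box does with the active-mode PORT command on the control channel (port 21), which is why no static rule for port 20 is needed when the proxy is active. The names Pinhole, parse_port and proxy_port, the sample addresses, and the two sanity checks (data endpoint must be the control-connection client, port must be 1024 or higher) are assumptions made for this sketch.

```python
import re
from typing import NamedTuple, Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2": the client announces where the server should connect.
PORT_RE = re.compile(r"PORT ((?:\d{1,3},){5}\d{1,3})\r?\n?", re.ASCII | re.IGNORECASE)


class Pinhole(NamedTuple):
    """Temporary state: let server_ip (source port 20) reach nat_ip:nat_port,
    and forward that connection to client_ip:client_port."""
    server_ip: str
    nat_ip: str
    nat_port: int
    client_ip: str
    client_port: int


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def proxy_port(line: str, client_ip: str, server_ip: str,
               nat_ip: str, nat_port: int):
    """Return (rewritten_command, pinhole), or (None, None) to drop the command."""
    parsed = parse_port(line)
    if parsed is None:
        return None, None
    ip, port = parsed
    # Checks assumed for this sketch: the data endpoint must be the host that
    # owns the control connection, and must not be a privileged port.
    if ip != client_ip or port < 1024:
        return None, None
    # The server only ever sees the NAT address, so the command is rewritten.
    rewritten = "PORT {},{},{}\r\n".format(
        nat_ip.replace(".", ","), nat_port >> 8, nat_port & 0xFF)
    return rewritten, Pinhole(server_ip, nat_ip, nat_port, ip, port)


if __name__ == "__main__":
    # Constructed sample: inside client 192.168.1.10 announces data port 5001.
    print(proxy_port("PORT 192,168,1,10,19,137\r\n",
                     "192.168.1.10", "198.51.100.7", "203.0.113.5", 40000))
```

The pinhole is created per transfer and would be removed once the data connection closes or times out, which is the difference from permanently opening port 20.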