 
 From:  edward mzj <edward dot mzj at gmail dot com>
 To:  Daniel Foster <dan at melbourne dot co dot uk>
 Cc:  Andrej Fercic <andrej at pcklinika dot si>, Markus Fischer <markus at fischer dot name>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with active ftp
 Date:  Thu, 9 Jun 2005 23:41:27 +0800
Is your ftp server connected to an OPT interface? If so, rules must be added, just like you said, to allow ftp data traffic to get through. However, if it's running on the LAN side, there is no need to add such rules, because any traffic originated from the LAN side is allowed by default, unless you deleted the default allow-all rule on the LAN interface.

On 6/9/05, Daniel Foster <dan at melbourne dot co dot uk> wrote:
> I'm not sure, I've never had ftp working without involving port 20.  I found this document useful in trying to explain it:
> 
> http://slacksite.com/other/ftp.html
> 
> Dan
> 
> | -----Original Message-----
> | From: Andrej Fercic [mailto:andrej at pcklinika dot si]
> | Sent: 09 June 2005 14:44
> | To: Daniel Foster; 'Markus Fischer'; m0n0wall at lists dot m0n0 dot ch
> | Subject: RE: [m0n0wall] Problem with active ftp
> |
> | OK,
> |
> | But why does it work in the first CASE??? Only FTP is allowed
> | (without the extra port 20)?!
> |
> | Andrej
> |
> | -----Original Message-----
> | From: Daniel Foster [mailto:dan at melbourne dot co dot uk]
> | Sent: Thursday, June 09, 2005 11:48 AM
> | To: Andrej Fercic; Markus Fischer; m0n0wall at lists dot m0n0 dot ch
> | Subject: RE: [m0n0wall] Problem with active ftp
> |
> | Andrej,
> |
> | That'll be because you also need port 20 as well as port 21,
> | that's the ftp data port.  Usually that's the culprit if you
> | can't get a file list.
> |
> | Dan
> |
> |  | -----Original Message-----
> |  | From: Andrej Fercic [mailto:andrej at pcklinika dot si]
> |  | Sent: 09 June 2005 10:42
> |  | To: 'Markus Fischer'; m0n0wall at lists dot m0n0 dot ch
> |  | Subject: RE: [m0n0wall] Problem with active ftp
> |  |
> |  | Yeap, I have a similar problem.
> |  |
> |  | ISP <> m0n0 <> | FTPserver1
> |  |            | FTPserver2
> |  |            | FTPserver3
> |  |
> |  | Connection to my ISP is made by using PPPoE which returns an IP (DHCP)
> |  | and it is A.B.C.193. I also have 5 more IPs which are all used with the
> |  | ServerNAT option + ProxyARP. So if I set a NAT rule to forward port 21
> |  | from WAN to LAN on the default IP to one of my local servers, FTP works.
> |  | But I want to enable FTP on all my servers. So, if I do that and enable
> |  | a NAT rule for port 21 on all other IPs, I can reach my FTP server from
> |  | the WAN side, I can LOGIN, but I NEVER get a file list. At this point
> |  | the process is stopped!
> |  |
> |  | Any idea what is wrong? Setup, or is it a bug :(
> |  |
> |  | Cheers,
> |  |
> |  | Andrej
> |  |
> |  | -----Original Message-----
> |  | From: Markus Fischer [mailto:markus at fischer dot name]
> |  | Sent: Thursday, June 09, 2005 10:42 AM
> |  | To: m0n0wall at lists dot m0n0 dot ch
> |  | Subject: [m0n0wall] Problem with active ftp
> |  |
> |  | Hi,
> |  |
> |  | I'm experiencing a weird situation with m0n0wall and an active FTP
> |  | connection to one of our partner hosts.
> |  |
> |  | I'm opening the ftp connection and, for some time (browsing the rather
> |  | big directory structure remotely), it works. But often at one point,
> |  | when the internal PORT command is issued, the ftp client seems to hang
> |  | and later stops because of a timeout.
> |  |
> |  | Whenever this timeout happens, I find multiple entries in the firewall
> |  | log:
> |  |
> |  | block | WAN | remote-ip 21 | my-public-gateway-ip 4000 | TCP
> |  |
> |  | The port of the remote-ip is always 21, the port on the public ip of
> |  | the gateway varies but is usually in the range 2000 to 4000 or so.
> |  |
> |  | I have not set up any rule to block these. I even added a rule for
> |  | testing to accept all packets from everything to everything, and still
> |  | I got those reported as blocked in the firewall log.
> |  |
> |  | I've tested multiple ftp clients, all exhibit the same problem. The
> |  | administrator of the remote company said he did many hours of debugging
> |  | at its best and could only come to the conclusion that he suspects a
> |  | problem in the ftp-nat module of my firewall (m0n0wall). He says his
> |  | firewall does state matching and he can see that many tcp connections
> |  | are not correctly initiated from our firewall; packets are dropped.
> |  |
> |  | I'm using version 1.11, generic-pc.
> |  |
> |  | thanks for any pointers,
> |  |
> |  | - Markus
> |  | ---------------------------------------------------------------------
> |  | To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> |  | For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> |  | --
> |  | No virus found in this incoming message.
> |  | Checked by AVG Anti-Virus.
> |  | Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 08/06/2005
>
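The thread's problem is active-mode FTP through NAT: the client sends PORT, the server opens the data connection back from port 20, and the firewall must both rewrite the announced address and pass that inbound connection. The following added example (not m0n0wall code, nor any poster's) parses and rewrites a PORT command, derives the data flow the firewall must pass, and relates a block entry in the format Markus quoted to that session; all addresses and log lines are constructed samples.

```python
import re
from dataclasses import dataclass

# Added example, not m0n0wall code. The log field order "block | iface |
# src-ip src-port | dst-ip dst-port | proto" follows the entry quoted above.
FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20  # active-mode server data source port (RFC 959)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
LOG_RE = re.compile(r"block\s*\|\s*(\w+)\s*\|\s*(\S+)\s+(\d+)\s*\|\s*(\S+)\s+(\d+)\s*\|\s*TCP")

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_port(cmd: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into the (ip, port) the client listens on."""
    m = PORT_RE.match(cmd.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {cmd!r}")
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def rewrite_port(cmd: str, public_ip: str) -> str:
    """The NAT helper's job: swap the private address the client announced for
    the firewall's public address, keeping the port the client listens on."""
    _, port = parse_port(cmd)
    return "PORT %s,%d,%d" % (public_ip.replace(".", ","), port // 256, port % 256)

def expected_data_flow(server_ip: str, public_ip: str, cmd: str) -> Flow:
    """Inbound connection the firewall must pass after PORT: server:20 -> public:port."""
    return Flow(server_ip, FTP_DATA_PORT, public_ip, parse_port(cmd)[1])

def classify_block(log_line: str, expected: Flow) -> str:
    """Relate a block entry to the active-mode session it belongs to."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError(f"unrecognised log line: {log_line!r}")
    _iface, sip, sport, dip, dport = m.groups()
    flow = Flow(sip, int(sport), dip, int(dport))
    if flow == expected:
        return "data connection"  # server:20 -> the PORT port: needs a pass rule or the helper
    if flow.src_port == FTP_CONTROL_PORT and flow.dst_ip == expected.dst_ip:
        return "control reply"    # server:21 -> our ephemeral port: reply that matched no state
    return "unrelated"
```

Run against the entry in the thread (remote port 21, gateway port 4000), the classifier reports a control-channel reply rather than the port-20 data connection, which is the distinction to check before adding port-20 rules.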