 From:  "Bjoern Euler (Lists at edain)" <lists at edain dot de>
 To:  Daniel Foster <dan at melbourne dot co dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with active ftp
 Date:  Thu, 09 Jun 2005 19:39:18 +0200
Daniel Foster wrote:

>I assume what you've described below only works in NAT mode?   When I
>tried using "ftp" in the rulesets it didn't work, opening port 20 and 21
>manually (both out and in) did work.
(I am using 1.2b8 and have no experience with other versions)
This only works with NAT, and m0n0wall does NAT with the ftp proxy by 
default for connections from lan->wan.
The mapping is done with which is replaced by the IP of the 
interface that is used in the NAT rule. In this way ipfilter gets hold 
of the actual interface IP, which can change because dynamic IPs are 
common.

To allow clients the use of active FTP from lan -> you would do this:
Filter rule:
pass in quick proto tcp from to any port = 21 keep state 
group 100

Automatic rule:
map fxp1 -> proxy port ftp ftp/tcp

The map rule is set before any other map rules, matches the allowed 
ftp/21 packet from lan, catches the answer packets, examines the data 
part where the ftp data ports are handled and with this information 
creates dynamic filter rules that allow the data communication: voila.

If you do not want to rewrite IP addresses (maybe m0n0wall is not the 
internet router and filters/routes internal traffic) you can use a map 
rule like this:
map fxp1 -> proxy port ftp ftp/tcp
This actually does no mapping of the address but creates the dynamic 
filter rules and allows the packets with simple routing.

The whole mechanism only works for connections from client to server! 
You cannot make an ftp server accessible with it. (Or at least should not)

For me the whole thing works very well with various ftp clients (ws_ftp, 
totalcommander) and servers (IIS, proftpd, ...) at different providers.

-Bjoern Euler
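As an added illustration of what the ftp proxy described above has to do (this is example code, not part of Bjoern's post or of m0n0wall/ipfilter): it decodes the PORT command the client sends on the control channel, accepts it only if it points back at the client that sent it, derives the per-transfer allow rule for the server's port 20 connection, and in NAT mode rewrites the PORT line to the mapped interface address. The sample PORT line, the addresses and the rule text are constructed; the rule string is an illustrative shape, not ipfilter's internal format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what the proxy sees on the control channel (client on
# the lan -> server port 21) when the client requests an active-mode transfer.
PORT_LINE = "PORT 192,168,1,10,4,1\r\n"

_PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


@dataclass(frozen=True)
class DataChannel:
    client_ip: str    # address the client advertised for the data connection
    client_port: int  # port the server will connect to, from its port 20

    def filter_rule(self, iface: str, server_ip: str) -> str:
        # Illustrative shape of the dynamic rule the proxy adds per transfer
        return (f"pass in quick on {iface} proto tcp from {server_ip} port = 20 "
                f"to {self.client_ip} port = {self.client_port} keep state")


def parse_port(line: str, control_src_ip: str) -> Optional[DataChannel]:
    """Decode h1,h2,h3,h4,p1,p2; reject anything that does not name the
    client that sent it or that points at a privileged port."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if ip != control_src_ip or port < 1024:
        return None
    return DataChannel(ip, port)


def rewrite_port(line: str, control_src_ip: str,
                 nat_ip: str, nat_port: int) -> Optional[str]:
    """NAT mode: replace the client's private address/port in the PORT line
    with the interface address it is mapped to, so the server can reach it."""
    if parse_port(line, control_src_ip) is None:
        return None
    octets = nat_ip.replace(".", ",")
    return f"PORT {octets},{nat_port // 256},{nat_port % 256}\r\n"
```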