Daniel Foster wrote:
>I assume what you've described below only works in NAT mode? When I
>tried using "ftp" in the rulesets it didn't work, opening port 20 and 21
>manually (both out and in) did work.
>
>Dan
>
(I am using 1.2b8 and have no experience with other versions)
This only works with NAT, and m0n0wall does NAT with the ftp proxy by
default for connections from lan->wan.
The mapping is done with 0.0.0.0/32, which is replaced by the IP of the
interface that is used in the NAT rule. In this way ipfilter gets hold
of the actual interface IP, which can change because dynamic IPs are
in common use.
To allow clients the use of active FTP from lan -> you would do this:
Filter rule:
pass in quick proto tcp from 192.168.1.0/24 to any port = 21 keep state
group 100
Automatic rule:
map fxp1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
The map rule is set before any other map rules, matches the allowed
ftp/21 packet from lan, catches the answer packets, examines the data
part where the ftp data ports are handled and with this information
creates dynamic filter rules that allow the data communication: voila.
If you do not want to rewrite IP addresses (maybe m0n0wall is not the
internet router and filters/routes internal traffic) you can use a map
rule like that:
map fxp1 192.168.1.0/24 -> 192.168.1.0/24 proxy port ftp ftp/tcp
This actually does no mapping of the address but creates the dynamic
filter rules and allows the packets with simple routing.
The whole mechanism only works for connections from client to server!
You cannot make an ftp server accessible with it. (Or at least should not)
For me the whole thing works very well with various ftp clients (ws_ftp,
totalcommander) and servers (IIS, proftpd, ...) at different providers.
-Bjoern Euler
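Added example, not from this thread and not m0n0wall's or ipfilter's own code, of the job the ftp proxy does on the control channel: parse the client's PORT command and derive the one-shot filter rule that lets the server's data connection back in. It assumes the no-NAT map rule from the message (client address not rewritten); the sample addresses, server address and the exact rule text are constructed.

```python
import re

# FTP PORT argument: h1,h2,h3,h4,p1,p2 -> IPv4 h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Return (ip, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def vet_port_command(control_client_ip, line):
    """Decide whether a proxy should honour this PORT command.

    Returns (ok, detail). A PORT naming a different host than the client
    that sent it is the classic FTP bounce pattern, so it is refused, as is
    a privileged data port; a proxy that opened holes for those would let
    the server reach arbitrary LAN hosts."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    data_ip, data_port = parsed
    if data_ip != control_client_ip:
        return False, "PORT address %s differs from client %s" % (data_ip, control_client_ip)
    if data_port < 1024:
        return False, "privileged data port %d" % data_port
    return True, "%s:%d" % (data_ip, data_port)


def dynamic_rule(control_client_ip, server_ip, line):
    """Build the temporary filter rule for the active-mode data connection
    (server port 20 -> client data port), in ipfilter-style syntax (assumed)."""
    ok, detail = vet_port_command(control_client_ip, line)
    if not ok:
        raise ValueError(detail)
    data_ip, data_port = parse_port_command(line)
    return ("pass in quick proto tcp from %s port = 20 to %s port = %d keep state"
            % (server_ip, data_ip, data_port))


if __name__ == "__main__":
    # constructed sample: LAN client 192.168.1.10 talking to server 203.0.113.5
    print(dynamic_rule("192.168.1.10", "203.0.113.5", "PORT 192,168,1,10,4,1"))
```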