 From:  Simone Marzona <Marzona dash ml at gnuclub dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  passive/active FTP through monowall
 Date:  Wed, 20 Jul 2005 15:49:26 +0200
Hi all

How is it possible to get an ftpserver (pure-ftpd) working on lan both 
in passive and active mode with a nat made by a monowall firewall from a 
natted ftp client?


I searched the mailing list archives but I didn't find anything that 
solves my problems.

First of all my network config:

	opt: none

public addresses : -

I got some inbound nat on to for mail and http.

ftpserver: (on lan)

I tried the following solutions:

-server nat activated on
-inbound nat on the ip as external ip and as 
nat ip
-allowed traffic from any port to port 21 on
-pure-ftpd with -N flag (force clients in active mode)
-configured pure-ftpd with PassivePortRange set to 1024 - 5000
  ForcePassiveIP set to

From everywhere passive mode: ok, active mode ko


I made a 1 to 1 nat <-> and configured 
pure-ftpd with PassivePortRange set to 1024 - 5000
  ForcePassiveIP set to

(the rules applied by inbound nats defined for are applied 
also to the traffic directed to, so in this way the 1 to 1 
nat doesn't expose me to any additional risk).

All works ok from everywhere in active and passive mode.

This last configuration is very dirty and obviously I don't like to 
waste an ip address only for ftp (and some other nat-unfriendly protos).

A workaround is to use the -N flag in pure-ftpd, to force clients to go 
in active mode, but if I want to serve in both modes what could I do?

May outbound nat help me in some way?

Is there anybody who would tell me some hint?

(Ip addresses shown here are obviously faked.)

Thanks in advance