 From:  Vittore Zen <drzen at gamebox dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] question about passive FTP
 Date:  Wed, 07 Sep 2005 12:13:38 +0200
On 02/09/2005 23.47 Peter wrote:

>Since I locked down my DMZ I've noticed some clients that are using passive FTP are getting blocked outbound connections. Non passive is working fine.
>
>Any idea how I can fix this and why it's happening?
>
>Regards,
>Peter
>
If your FTP server doesn't change the IP address (e.g. IIS), this may be a problem.
For example:
IP address of the FTP server: 192.168.1.1/24
So you have a DMZ with this network, and a 1:1 NAT to the public IP (e.g.
80.80.80.80).

When a client connects to 80.80.80.80 with FTP in passive mode, it sends the PASV
command and your FTP server gives a PORT 192.168.1.1,100,102.
Note that the IP is your private IP address, so the client tries to
connect to the FTP server on port 100,102 but with this local IP.
Resolution: modify the config of your FTP server (MS IIS does not offer this
config; use another FTP server).

Bye
v.