 From:  Paul Taylor <PaulTaylor at winn dash dixie dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Using Registered IPs on LAN with FTP?
 Date:  Thu, 22 Sep 2005 08:08:33 -0400
Well, since no one else replied, I thought I would add additional info:

The reason the clients are being handed registered IPs is because they are
using a wide variety of VPN clients to communicate back to their corporate
networks.  I've been told that at least one of these clients embeds the
host's IP Address inside some connection related packets.  If the server
sees that the IP Address of the packets doesn't match the embedded address,
it considers that a hack attempt and drops the connection...  (I know, seems
dumb since anyone with a hardware firewall at home would probably fall into
this category..  I would think this would at least be a setting that could
be changed on the server, but anyhow...)...

Standard NAT doesn't work out well for us because we have had instances
where two clients are attempting to connect to the same VPN server...
Apparently, the VPN server doesn't like having connections from two
different clients sourced from the same IP Address.  

One-to-One NAT wasn't something that we looked at, due to the first VPN
related issue, above.

At this point, we are simply allowing active FTP in from that one server's
IP Address and suggesting that anyone else who needs FTP perform those
operations with a client capable of passive FTP.  Nothing in my research
yesterday led me to believe that I could add ip nat statements to simply
perform NAT only when FTP communication is concerned, and use the normal IP
Address at all other times...  (If it can be done, it doesn't look like
anyone has posted examples on the net...)


-----Original Message-----
From: Paul Taylor 
Sent: Wednesday, September 21, 2005 1:41 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Using Registered IPs on LAN with FTP?



            I ran into an issue today where a client PC could connect
to a remote FTP server, but could not upload a file.  In looking at the
logs, the FTP-data connection back to the client was sourced from port 20
and it was being blocked.  This is with "Advanced Outbound NAT" enabled and
no rules for this interface, as the users on this interface are using
registered IP addresses.  I added a rule to allow the FTP server to send
packets in the WAN interface sourced from port 20, but I don't like this
solution...  Either I must keep it wide open so that all users will be able
to FTP without issue, or I must keep a list of FTP servers that users need
access to...  Neither sounds good...


            I thought that perhaps I could add an advanced outbound NAT
statement to grab FTP traffic and perform NAT on it...  Unfortunately,
though, I do not seem to have that level of control.


            Any suggestions on how to best accomplish this in Monowall?  Can
it be done via command line access with ipnat?
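
Added example, not part of the original messages and not m0n0wall or ipnat code: a sketch of how a firewall that tracks the FTP control channel can permit only the one data connection each PORT command announces, rather than opening source port 20 to everyone. The function names and sample addresses are constructed for illustration, and it assumes the server sources its data connection from port 20, as in the logs described above.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (six decimal octets)
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?$", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) announced by an active-mode PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, octets[:4])))
    return ip, octets[4] * 256 + octets[5]

def expected_data_flows(control_lines, client_ip, server_ip):
    """Derive the inbound data connections a tracker would permit.

    Each flow is (src_ip, src_port, dst_ip, dst_port). A PORT command that
    names a host other than the control-channel client, or a port below
    1024, is refused instead of being turned into an allow rule.
    """
    client = ipaddress.IPv4Address(client_ip)
    flows, rejected = [], []
    for line in control_lines:
        parsed = parse_port(line)
        if parsed is None:
            continue  # not a PORT command
        ip, port = parsed
        if ip != client or port < 1024:
            rejected.append(line.strip())
            continue
        flows.append((server_ip, 20, str(ip), port))
    return flows, rejected

# Constructed control-channel capture; addresses are documentation ranges.
SAMPLE = [
    "USER demo\r",
    "PORT 198,51,100,25,195,80\r",  # client's own address, port 50000
    "STOR report.txt\r",
    "PORT 198,51,100,99,0,22\r",    # different host, low port: refused
]

if __name__ == "__main__":
    print(expected_data_flows(SAMPLE, "198.51.100.25", "203.0.113.10"))
```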