> The problem is I open the port for FTP, 21, in NAT and have m0n0
> create the firewall rule for it. But when I try to connect to my FTP
> server from another location it connects but I get no list of the
> available folders and files.
FTP is so to speak the "worst case" for any router. :)
It operates with two connections, one control connection (to port 21)
via which commands are sent, and for each file transfer one data
connection, usually to dynamically allocated ports. The port number to
connect to is negotiated in the control connection.
And there lies the problem - to be able to open an FTP data connection
through a router, that router must be aware of the FTP protocol and do
the necessary adjustments to commands in the control connection. This
is usually called a "protocol inspector".
I haven't tested this yet in m0n0, but in fli4l there's a kernel
module that does that. m0n0 probably has something similar. In fli4l I
can tell the router on which ports it should monitor connections for
FTP commands, adjust them accordingly and auto-create temporary port
forwardings and firewall rules (internally) for data connections.
If there's no FTP protocol inspector in m0n0, or you cannot set which
ports to use, there are several ways to circumvent the problems with
FTP, depending on what features your FTP server and client offer.
- You could use ACTIVE MODE for data connections, then the data
connections are established from server to client, so no port
forwarding or command rewriting is necessary on the server. But this
only works if the client is not behind a router, or behind one that
CAN do protocol inspection.
- If PASSIVE MODE is necessary, use a specific port range for passive
mode data connections, and forward them all explicitly from m0n0 to
the FTP server. This solves one half of the problem. The other half
- FTP tells the client the IP address of the server when negotiating
ports - can be solved if your FTP server offers something like using
a specific IP address in passive mode. But this only works if you
have a static IP address, or some dyndns hostname which you can use
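What the passive-mode negotiation looks like on the wire, and what a protocol inspector has to do to the server's 227 reply, as an added Python example that is not part of this thread and is not m0n0's or fli4l's code. The addresses and the passive port range are constructed; the same h1,h2,h3,h4,p1,p2 tuple also appears in the active-mode PORT command, so the parser covers both cases from the reply above.

```python
import re

# Both the PASV reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the
# active-mode "PORT h1,h2,h3,h4,p1,p2" command carry the data endpoint as six
# decimal numbers: four IPv4 octets, then the port as p1*256 + p2.
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(text):
    """Return (ip, port) from a PASV reply or PORT command, else raise ValueError."""
    m = _TUPLE_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet or port byte out of range in %r" % text)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def format_tuple(ip, port):
    """Inverse of parse_endpoint: ('203.0.113.7', 50000) -> '203,0,113,7,195,80'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def inspect_pasv_reply(reply, server_private_ip, router_public_ip, passive_range):
    """Model of what an FTP protocol inspector must do to a 227 reply travelling
    from the internal server to an external client:
      1. only touch genuine 227 replies;
      2. replace the server's private address with the router's public one;
      3. accept only ports inside the range the admin forwards to the server.
    Returns (rewritten_reply, (public_ip, port)); the tuple is the temporary
    pinhole the router must open (or must already forward statically)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    ip, port = parse_endpoint(reply)
    if ip != server_private_ip:
        raise ValueError("PASV reply advertises unexpected address %s" % ip)
    lo, hi = passive_range
    if not lo <= port <= hi:
        raise ValueError("passive port %d outside forwarded range %d-%d" % (port, lo, hi))
    rewritten = "227 Entering Passive Mode (%s).\r\n" % format_tuple(router_public_ip, port)
    return rewritten, (router_public_ip, port)

# Constructed sample (hypothetical addresses): the reply as sent on the LAN side.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80).\r\n"

if __name__ == "__main__":
    # Uninspected, the external client would try 192.168.1.10:50000, a private
    # address, and the directory listing (sent over the data connection) never arrives.
    print("server advertises:", parse_endpoint(SAMPLE_REPLY))
    out, pinhole = inspect_pasv_reply(SAMPLE_REPLY, "192.168.1.10", "203.0.113.7", (50000, 50100))
    print("client now sees:", out.strip(), "| router opens:", pinhole)
```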