 From:  Frank Zavelberg <fz at tianet135 dot ath dot cx>
 To:  "Ed Chatlos" <edchat at bellsouth dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP server behind M0n0wall
 Date:  Mon, 3 Oct 2005 03:04:25 +0200

> The problem is I open the port for FTP, 21, in NAT and have m0n0
> create the firewall rule for it. But when I try to connect to my FTP
> server from another location it connects but I get no list of the
> available folders and files.

FTP is so to speak the "worst case" for any router. :)

It operates with two connections, one control connection (to port 21)
via which commands are sent, and for each file transfer one data
connection, usually to dynamically allocated ports. The port number to
connect to is negotiated in the control connection.

And there lies the problem - to be able to open an FTP data connection
through a router, that router must be aware of the FTP protocol and do
the necessary adjustments to commands in the control connection. This
is usually called a "protocol inspector".

I haven't tested this yet in m0n0, but in fli4l there's a kernel
module that does that. m0n0 probably has something similar. In fli4l I
can tell the router on which ports it should monitor connections for
FTP commands, adjust them accordingly and auto-create temporary port
forwardings and firewall rules (internally) for data connections.

If there's no FTP protocol inspector in m0n0, or you cannot set which
ports to use, there are several ways to circumvent the problems with
FTP, depending on what features your FTP server and client offer.

- You could use ACTIVE MODE for data connections, then the data
  connections are established from server to client, so no port
  forwarding or command rewriting is necessary on the server. But this
  only works if the client is not behind a router, or behind one that
  CAN do protocol inspection.

- If PASSIVE MODE is necessary, use a specific port range for passive
  mode data connections, and forward them all explicitly from m0n0 to
  the FTP server. This solves one half of the problem. The other half
  - FTP tells the client the IP address of the server when negotiating
  ports - can be solved if your FTP server offers something like using
  a specific IP address in passive mode. But this only works if you
  have a static IP address, or some dyndns hostname which you can use