 From:  Paul Taylor <PaulTaylor at winn dash dixie dot com>
 To:  Brian McEntire <brian dot mcentire at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] ftp-data and FTP timeout question
 Date:  Tue, 16 May 2006 11:23:53 -0400
FTP works fine if you are using NAT on the inside, but if you are using
registered IPs for machines behind the monowall, it does not work.


-----Original Message-----
From: Brian McEntire [mailto:brian dot mcentire at gmail dot com] 
Sent: Tuesday, May 16, 2006 11:19 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] ftp-data and FTP timeout question

Hi all -
  Implementing another Monowall. It is up and working well with the
exception of FTP.

  We need to FTP out to 10-20 sites. Some allow passive FTP and some do not.
I put a rule in place to allow outbound FTP but we still had trouble with
one of the sites that requires an active FTP session. Here is the log of a
failed process trying to push data out to the remote site via FTP (sanitized
using $REMOTE, $LOCAL, $FILE, and $USER):

Connected to $REMOTE
220 $REMOTE FTP server (Version wu) ready.
331 Password required for $USER.
230 User $USER logged in.  Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 UMASK set to 011 (was 022)
Passive mode off.
local: $FILE remote: $FILE
200 PORT command successful.
425 Can't build data connection: Connection timed out.

In the monowall logs, it appears $REMOTE is trying to build a connection
back in, remote/source port is 20 (ftp-data) and destination/local port is a
random high numbered port to a local inside network host.

I was able to allow FTP to this site by adding the following rule:
  Src: any, src port: 20, dest: inside network, dest port: 2000-65000

But that is a large hole to make. I could make 20 or so specific rules
rather than src: any, but that will cause more firewall updates as remote
sites make changes on their networks.

Is there a way to tell Monowall that if the local host makes an outbound FTP
connection, to allow an incoming connection from port 20 from that remote
host? I believe there are ways to do that with other filters, just not sure
what the mechanism would be with Monowall.
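Brian's question at the end asks for a mechanism that admits the port-20 connection only from the remote host an inside client is already talking to, rather than the static src any / src port 20 / dest port 2000-65000 rule he had to add. That is what an FTP application helper does: it watches the control channel, parses each PORT command, and opens a pinhole for exactly that one data connection, closing it when the transfer ends. The Python below is an added illustration of that logic; it is not code from this thread or from m0n0wall. The hosts, ports and control-channel transcript are constructed documentation values, and the "C:"/"S:" line prefixes are an assumed transcript format.

```python
"""Derive narrow, per-transfer allow rules for active-mode FTP data
connections from PORT commands seen on the control channel.

Added example, not m0n0wall code. All addresses below are constructed
documentation values (RFC 5737 ranges)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with each field 0-255;
# the announced data port is p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)

FTP_DATA_PORT = 20  # source port of the server's inbound connection, as seen in the thread


@dataclass(frozen=True)
class DataRule:
    """One pinhole: remote server, port 20 -> inside host, announced port."""
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_rule_for(remote_host: str, local_host: str, port_line: str) -> Optional[DataRule]:
    """Build the single rule a helper would open for this PORT command.

    A PORT that names a host other than the one owning the control session,
    or a privileged port, is ignored: the helper must never open a pinhole
    to anything but the client that issued the command."""
    parsed = parse_port_command(port_line)
    if parsed is None:
        return None
    announced_host, announced_port = parsed
    if announced_host != local_host or announced_port < 1024:
        return None
    return DataRule(remote_host, FTP_DATA_PORT, local_host, announced_port)


def track_session(remote_host: str, local_host: str, control_lines: List[str]) -> List[Tuple[str, DataRule]]:
    """Walk a control-channel transcript and return ("open"/"close", rule) events.

    A pinhole opens once the server acknowledges the PORT (200) and closes when
    the transfer completes (226) or fails (425/426). Compare this with the static
    rule from the thread, which leaves 63001 destination ports open to any source."""
    events: List[Tuple[str, DataRule]] = []
    pending: Optional[DataRule] = None  # PORT seen, awaiting the server's 200
    active: Optional[DataRule] = None   # pinhole currently open
    for raw in control_lines:
        tag, _, text = raw.partition(" ")
        if tag == "C:" and text.startswith("PORT "):
            pending = data_rule_for(remote_host, local_host, text)
        elif tag == "S:":
            code = text[:3]
            if code == "200" and pending is not None:
                active = pending
                pending = None
                events.append(("open", active))
            elif code in ("226", "425", "426") and active is not None:
                events.append(("close", active))
                active = None
    return events


# Constructed transcript: one successful active-mode upload, then a PORT that
# names a different inside host (192.0.2.11), which the helper must ignore.
TRANSCRIPT = [
    "S: 220 ftp.example.net FTP server ready.",
    "C: USER report",
    "S: 331 Password required for report.",
    "C: PASS ********",
    "S: 230 User report logged in.",
    "C: PORT 192,0,2,10,19,136",          # 19*256 + 136 = port 5000
    "S: 200 PORT command successful.",
    "C: STOR report.csv",
    "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
    "C: PORT 192,0,2,11,19,137",          # wrong host for this session: ignored
    "S: 200 PORT command successful.",
    "C: QUIT",
    "S: 221 Goodbye.",
]

if __name__ == "__main__":
    for action, rule in track_session("203.0.113.5", "192.0.2.10", TRANSCRIPT):
        print(f"{action:5} {rule.src_host}:{rule.src_port} -> {rule.dst_host}:{rule.dst_port}")
```

Running the block prints one open and one close event for 203.0.113.5:20 -> 192.0.2.10:5000; the second PORT produces nothing because it names a host other than the session owner. A real helper would additionally expire a pinhole that never sees a 150/226, so a PORT whose data connection never arrives (the 425 case in Brian's log) does not leave a rule behind.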