FTP works fine if you are using NAT on the inside, but if you are using
registered IPs for machines behind the monowall, it does not work.
From: Brian McEntire [mailto:brian dot mcentire at gmail dot com]
Sent: Tuesday, May 16, 2006 11:19 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] ftp-data and FTP timeout question
Hi all -
Implementing another Monowall. It is up and working well with the
exception of FTP.
We need to FTP out to 10-20 sites. Some allow passive FTP and some do not.
I put a rule in place to allow outbound FTP but we still had trouble with
one of the sites that requires an active FTP session. Here is the log of a
failed process trying to push data out to the remote site via FTP (sanitized
using $REMOTE, $LOCAL, $FILE, and $USER):
Connected to $REMOTE
220 $REMOTE FTP server (Version wu) ready.
331 Password required for $USER.
230 User $USER logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 UMASK set to 011 (was 022)
Passive mode off.
local: $FILE remote: $FILE
200 PORT command successful.
425 Can't build data connection: Connection timed out.
In the monowall logs, it appears $REMOTE is trying to build a connection
back in, remote/source port is 20 (ftp-data) and destination/local port is a
random high numbered port to a local inside network host.
I was able to allow FTP to this site by adding the following rule:
Src: any, src port: 20, dest: inside network, dest port: 2000-65000
But that is a large hole to make. I could make 20 or so specific rules
rather than src: any, but that will cause more firewall updates as remote
sites make changes on their networks.
Is there a way to tell Monowall that if the local host makes an outbound FTP
connection, to allow an incoming connection from port 20 from that remote
host? I believe there are ways to do that with other filters, just not sure
what the mechanism would be with Monowall.
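The mechanism asked about above is what a stateful FTP helper (ALG) does: it reads the control channel and opens only the one data connection the client actually announced. The following is an added example, not part of the original thread and not m0n0wall code; the `Rule` class, the addresses and the control-channel session text are all constructed for illustration. It shows how the PORT and 227 lines are decoded, why the resulting rule is a single (remote:20 -> client:announced port) tuple rather than the 2000-65000 range from the question, and the one check a helper must not skip: a PORT command that names an address other than the client itself is rejected rather than opened.

```python
"""Derive the narrow data-connection rule an FTP helper would open.

Added example (not m0n0wall code): parses the FTP control channel the way a
stateful FTP helper/ALG does, so that only the one data connection the client
actually announced is allowed, instead of a static "src any:20 -> inside
2000-65000" rule.  Addresses, ports and the session text are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Client -> server:  PORT h1,h2,h3,h4,p1,p2   (active mode: server connects back)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Server -> client:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" = remote initiates to us, "out" = we initiate
    src: str
    src_port: str    # "20" for active-mode data, "any" for our ephemeral port
    dst: str
    dst_port: int


def decode_hostport(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated FTP fields into (ip, port); port = p1*256 + p2."""
    octets = [int(f) for f in fields[:4]]
    p1, p2 = int(fields[4]), int(fields[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError(f"malformed host/port fields: {fields}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(map(str, octets)), port


def data_rules(control_lines: List[str], client_ip: str, server_ip: str):
    """Walk the control channel and emit one rule per announced data connection.

    Returns (rules, rejected).  A PORT command naming an address other than the
    client itself is rejected: a helper that honoured it would open a hole to a
    third host, so the line is recorded for logging instead of being allowed.
    """
    rules, rejected = [], []
    for line in control_lines:
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != client_ip:
                rejected.append(line)
                continue
            # Active mode: the server will connect from its port 20 to the
            # client's announced port, so allow exactly that one tuple.
            rules.append(Rule("in", server_ip, "20", client_ip, port))
            continue
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != server_ip:
                rejected.append(line)
                continue
            # Passive mode: the client connects out to the announced server
            # port; an ordinary outbound-allow rule already covers this.
            rules.append(Rule("out", client_ip, "any", server_ip, port))
    return rules, rejected


# Constructed control-channel excerpt (RFC 959 syntax); not from the original log.
CLIENT_IP = "203.0.113.10"
SERVER_IP = "198.51.100.5"
SAMPLE_SESSION = [
    "220 ftp.example FTP server ready.",
    "230 User alice logged in.",
    "PORT 203,0,113,10,195,80",          # 195*256+80 = port 50000 on the client
    "200 PORT command successful.",
    "PORT 203,0,113,99,4,1",             # names a different inside host: rejected
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,39,16)",  # 39*256+16 = port 10000
]


def static_rule_exposure(low: int = 2000, high: int = 65000) -> int:
    """Number of inbound destination ports the static 'src any, src port 20' rule opens."""
    return high - low + 1


if __name__ == "__main__":
    rules, rejected = data_rules(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    for r in rules:
        print(r)
    print("rejected:", rejected)
    print("static rule exposes", static_rule_exposure(), "ports to any source")
```

Run stand-alone it prints one inbound rule (198.51.100.5:20 -> 203.0.113.10:50000), one outbound rule for the passive transfer, the rejected PORT line, and the 63001 destination ports the static rule from the question leaves open to any source. A real helper would additionally tie the rule to the control connection's lifetime and expire it once the data connection closes.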