 From:  "Brian McEntire" <brian dot mcentire at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ftp-data and FTP timeout question
 Date:  Tue, 16 May 2006 12:58:31 -0400
I am using filtered bridging (not NAT).

I have an IP address assigned on the WAN interface, and a hub with all the
inside hosts connected to the OPT1 interface.

Would one-to-one NAT work in my case? Is it possible to 1-1 NAT when doing
filtered bridging?

At this point, everything works except for active FTP. That works with the
rule I mentioned in my original post but it's a large hole I'd like to close
if possible.

Any thoughts?

On 5/16/06, Paul Taylor <PaulTaylor at winn dash dixie dot com> wrote:
> FTP works fine if you are using NAT on the inside, but if you are using
> registered IPs for machines behind the monowall, it does not work.
> Paul
> -----Original Message-----
> From: Brian McEntire [mailto:brian dot mcentire at gmail dot com]
> Sent: Tuesday, May 16, 2006 11:19 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] ftp-data and FTP timeout question
> Hi all -
>   Implementing another Monowall. It is up and working well with the
> exception of FTP.
>   We need to FTP out to 10-20 sites. Some allow passive FTP and some do not.
> I put a rule in place to allow outbound FTP but we still had trouble with
> one of the sites that requires an active FTP session. Here is the log of a
> failed process trying to push data out to the remote site via FTP
> (sanitized using $REMOTE, $LOCAL, $FILE, and $USER):
> Connected to $REMOTE
> 220 $REMOTE FTP server (Version wu) ready.
> 331 Password required for $USER.
> 230 User $USER logged in.  Access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> 200 UMASK set to 011 (was 022)
> Passive mode off.
> local: $FILE remote: $FILE
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
> In the monowall logs, it appears $REMOTE is trying to build a connection
> back in, remote/source port is 20 (ftp-data) and destination/local port is
> a random high numbered port to a local inside network host.
> I was able to allow FTP to this site by adding the following rule
>   Src: any, src port:20, dest: inside network, dest port: 2000-65000
> But that is a large hole to make. I could make 20 or so specific rules
> rather than src: any, but that will cause more firewall updates as remote
> sites make changes on their networks.
> Is there a way to tell Monowall that if the local host makes an outbound
> connection, to allow an incoming connection from port 20 from that remote
> host? I believe there are ways to do that with other filters, just not sure
> what the mechanism would be with Monowall.
> Thanks!
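For the mechanism the original post asks about, here is an added example (not m0n0wall's code and not from anyone in the thread) of what a stateful FTP helper does: it reads the PORT command on the outbound control connection and opens a pinhole only for that remote server, from port 20, to the single port the inside host announced, shown next to the thread's blanket rule for contrast. The host addresses and the inside-network prefix are constructed.

```python
# Added illustration of an active-FTP helper; constructed addresses, not site data.
import re
from dataclasses import dataclass

FTP_DATA_PORT = 20
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


@dataclass(frozen=True)
class Pinhole:
    """One-shot allow rule for the server's return data connection."""
    src_ip: str    # only the FTP server the client is talking to
    src_port: int  # 20 (ftp-data)
    dst_ip: str    # the inside host that sent PORT
    dst_port: int  # the single port it announced


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, p1*256 + p2)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def pinhole_for_port(client_ip: str, server_ip: str, line: str) -> Pinhole:
    """Narrow rule a helper inserts after seeing PORT on the control channel
    from client_ip (inside host) to server_ip (remote FTP server)."""
    ip, port = parse_port_command(line)
    # Bounce check: the announced address must be the control-channel client.
    if ip != client_ip:
        raise ValueError("PORT address does not match control-connection client")
    if port < 1024:
        raise ValueError("refusing a privileged data port")
    return Pinhole(server_ip, FTP_DATA_PORT, ip, port)


def pinhole_allows(p: Pinhole, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """Exact 4-tuple match: one server, port 20, one inside host, one port."""
    return (src_ip, src_port, dst_ip, dst_port) == (p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def blanket_rule_allows(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                        inside_net: str = "203.0.113.") -> bool:
    """The thread's rule: src any, src port 20, dst inside net, dst port 2000-65000."""
    return src_port == FTP_DATA_PORT and dst_ip.startswith(inside_net) and 2000 <= dst_port <= 65000
```

The blanket rule accepts the same packet from any Internet host that sets its source port to 20, while the pinhole accepts it only from the server the inside host actually opened the control connection to.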