I am using filtered bridging (not NAT).
I have an IP address assigned on the WAN interface, and a hub with all the
inside hosts connected to the OPT1 interface.
Would one-to-one NAT work in my case? Is it possible to 1-1 NAT when doing
At this point, everything works except for active FTP. That works with the
rule I mentioned in my original post, but it's a large hole I'd like to close.
On 5/16/06, Paul Taylor <PaulTaylor at winn dash dixie dot com> wrote:
> FTP works fine if you are using NAT on the inside, but if you are using
> registered IPs for machines behind the monowall, it does not work.
> -----Original Message-----
> From: Brian McEntire [mailto:brian dot mcentire at gmail dot com]
> Sent: Tuesday, May 16, 2006 11:19 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] ftp-data and FTP timeout question
> Hi all -
> Implementing another Monowall. It is up and working well with the
> exception of FTP.
> We need to FTP out to 10-20 sites. Some allow passive FTP and some do
> I put a rule in place to allow outbound FTP but we still had trouble with
> one of the sites that requires an active FTP session. Here is the log of a
> failed process trying to push data out to the remote site via FTP
> (using $REMOTE, $LOCAL, $FILE, and $USER):
> Connected to $REMOTE
> 220 $REMOTE FTP server (Version wu) ready.
> 331 Password required for $USER.
> 230 User $USER logged in. Access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> 200 UMASK set to 011 (was 022)
> Passive mode off.
> local: $FILE remote: $FILE
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
> In the monowall logs, it appears $REMOTE is trying to build a connection
> back in, remote/source port is 20 (ftp-data) and destination/local port is
> a random high-numbered port on a local inside network host.
> I was able to allow FTP to this site by adding the following rule
> Src: any, src port:20, dest: inside network, dest port: 2000-65000
> But that is a large hole to make. I could make 20 or so specific rules
> rather than src: any, but that will cause more firewall updates as remote
> sites make changes on their networks.
> Is there a way to tell Monowall that if the local host makes an outbound
> connection, to allow an incoming connection from port 20 from that remote
> host? I believe there are ways to do that with other filters, I'm just not
> sure what the mechanism would be with Monowall.
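As an added illustration (not part of this thread and not m0n0wall's own code), here is a small Python model of the mechanism the question asks about: a stateful FTP helper reads the PORT command on the outbound control connection and opens exactly one inbound pinhole for the remote server's port 20, instead of the static "src any, src port 20, dst inside net, dst port 2000-65000" rule. The inside address 192.0.2.10, inside network 192.0.2.0/24 and remote server 198.51.100.5 are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# FTP PORT command: four IP octets and two port bytes, comma separated (RFC 959).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Pinhole:
    """One narrow, temporary allow entry: remote server port 20 -> inside host's announced port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line, control_client_ip):
    """Decode a PORT line seen on the control channel into (ip, port).

    Refuses an address other than the inside host that opened the control
    connection (stops an FTP bounce from opening holes to other hosts) and
    refuses privileged ports.
    """
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range")
    ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if ip != control_client_ip:
        raise ValueError("PORT address does not match the control-connection client")
    if port < 1024:
        raise ValueError("refusing privileged data port")
    return ip, port


def pinhole_for(port_line, client_ip, server_ip):
    """The single allow entry a stateful helper opens for this PORT command."""
    ip, port = parse_port_command(port_line, client_ip)
    return Pinhole(src_ip=server_ip, src_port=20, dst_ip=ip, dst_port=port)


def pinhole_allows(hole, src_ip, src_port, dst_ip, dst_port):
    """An inbound SYN passes only if it matches the exact 4-tuple learned from the control channel."""
    return (src_ip, src_port, dst_ip, dst_port) == (hole.src_ip, hole.src_port, hole.dst_ip, hole.dst_port)


def broad_rule_allows(src_port, dst_ip, dst_port, inside_net="192.0.2.0/24"):
    """The static rule from the post: any source with src port 20 reaches any inside host on 2000-65000."""
    inside = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(inside_net)
    return src_port == 20 and inside and 2000 <= dst_port <= 65000
```

Comparing `pinhole_allows` with `broad_rule_allows` for a SYN from an unrelated host shows the difference: the static rule admits any host that sets its source port to 20, the pinhole admits only the server the inside host is actually talking to.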