 From:  "Brian McEntire" <brian dot mcentire at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Suggestions for FTP through Monowall
 Date:  Wed, 17 May 2006 12:43:34 -0400
Deploy Monowall in front of some public web and ftp servers. There are about
12 servers on the subnet to be protected.

May be able to work with the upstream router maintainer, but it would be
easier if I can use one of the IP addresses in our existing allocated subnet
as the WAN port IP address.

I tried doing this with WAN <-> OPT1 bridging + filtering. It is working
great except for FTP. Outbound FTP is now generally working, though I did
need to add rules for sites that only allow active FTP. For those, I had to
grant specific remote hosts access to large port ranges coming back through
the monowall to accommodate them.

Now we're seeing remote users having trouble accessing anonymous FTP on
hosts behind the monowall. Both active and passive seem problematic but I
need to recheck the rules to make sure it's not administrator error.

Previous replies to the list said FTP won't work without NAT. Any
suggestions for the best NAT to use for this circumstance?
  - About 12 hosts behind the Monowall; some but not all run public FTP
servers or web servers
  - May be able to work with the upstream router owner but that will slow
down implementation

When I've done this before with a PIX, I ended up using a private address IP
on the outside interface and the upstream router put in a static route to
our networks going through that private subnet. Then did 1:1 NAT across the
PIX from outside to inside interface to avoid having to renumber/reconfigure
all the inside hosts.

Is that the best solution for this case with Monowall or am I missing
something easier? (I hope!)

Thanks for any replies!
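The root of the difficulty described in this post is that FTP negotiates a second, dynamically numbered TCP connection over the control channel, and a plain packet filter (bridging without an FTP helper or NAT proxy) cannot see that negotiation. The following added example, which is not part of the original message or of m0n0wall, parses the standard PORT/EPRT commands and 227/229 replies (RFC 959 and RFC 2428 formats) and works out which connection a filter would have to permit, for both the "client behind the firewall" case (outbound FTP to active-only sites) and the "server behind the firewall" case (public anonymous FTP). The session lines in the demo are constructed samples using documentation addresses.

```python
"""Derive the FTP data connection from control-channel lines and report the
firewall rule a stateless filter would need to let it through.

Active mode : client sends   PORT h1,h2,h3,h4,p1,p2   (or EPRT |1|host|port|)
              -> the SERVER connects from its port 20 to client host:port.
Passive mode: server replies 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
              (or 229 ... (|||port|) for EPSV)
              -> the CLIENT connects to server host:port.
Port in the comma form is p1 * 256 + p2.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" (PORT/EPRT) or "passive" (PASV/EPSV)
    host: str        # address the data connection is made TO
    port: int        # port the data connection is made TO
    initiator: str   # "client" or "server": who opens the TCP data connection

_COMMA_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")
_EPRT = re.compile(r"EPRT \|1\|([^|]+)\|(\d{1,5})\|", re.IGNORECASE)

def _from_commas(m):
    """Decode h1,h2,h3,h4,p1,p2; return None if any field is out of range."""
    octets = [int(m.group(i)) for i in range(1, 5)]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        return None
    port = p1 * 256 + p2
    if port == 0:
        return None
    return ".".join(str(o) for o in octets), port

def parse_data_channel(line, control_peer=None):
    """Return the DataChannel negotiated by one control-channel line, or None.

    control_peer: the server's address on the control channel. An EPSV reply
    carries only a port, so the data host is taken from the control channel.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        m = _COMMA_HP.search(line)
        hp = _from_commas(m) if m else None
        return DataChannel("active", hp[0], hp[1], "server") if hp else None
    m = _EPRT.match(line)
    if m:
        port = int(m.group(2))
        return DataChannel("active", m.group(1), port, "server") if 0 < port <= 65535 else None
    if line.startswith("227"):
        m = _COMMA_HP.search(line)
        hp = _from_commas(m) if m else None
        return DataChannel("passive", hp[0], hp[1], "client") if hp else None
    if line.startswith("229"):
        m = _EPSV.search(line)
        if not m or control_peer is None:
            return None
        port = int(m.group(1))
        return DataChannel("passive", control_peer, port, "client") if 0 < port <= 65535 else None
    return None  # not a data-channel negotiation line

def required_firewall_rule(channel, server_inside):
    """Describe the TCP connection a filter without an FTP helper must permit.

    server_inside: True if the FTP *server* sits on the protected side.
    Returns (direction, dst_host, dst_port); "inbound" is a connection
    crossing from the outside into the protected subnet.
    """
    initiator_inside = server_inside if channel.initiator == "server" else not server_inside
    direction = "outbound" if initiator_inside else "inbound"
    return direction, channel.host, channel.port

def summarise(lines, server_inside, control_peer=None):
    """Map every negotiation line in a session to (mode, direction, host, port)."""
    rules = []
    for line in lines:
        ch = parse_data_channel(line, control_peer)
        if ch:
            rules.append((ch.mode,) + required_firewall_rule(ch, server_inside))
    return rules

if __name__ == "__main__":
    # Constructed sample: protected client 192.0.2.25 talking to 203.0.113.10.
    session = [
        "220 ftp ready",
        "PORT 192,0,2,25,4,1",                              # active: 1025
        "227 Entering Passive Mode (203,0,113,10,195,80)",  # passive: 50000
        "229 Entering Extended Passive Mode (|||50001|)",   # passive: 50001
    ]
    print("client inside :", summarise(session, server_inside=False, control_peer="203.0.113.10"))
    print("server inside :", summarise(session, server_inside=True, control_peer="203.0.113.10"))
```

Running the demo shows the two cases from the post side by side: with the client inside, every active-mode transfer needs an inbound hole to an ephemeral client port (hence the wide port ranges for active-only sites), while with the server inside it is passive mode that needs inbound access to whatever port range the server hands out. A stateful FTP helper or NAT proxy reads exactly these lines and opens only that one host:port pair for the life of the transfer, which is why the earlier replies pointed at NAT.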