 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  Joseph Lo <josephlo71 at yahoo dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP server behind monowall
 Date:  Sun, 10 Sep 2006 10:58:01 +0200
Hi

I have tested your ftp server and I have found that I can connect but I 
can not list the content.

tcpdump shows the following:

No. Time Source Destination Protocol Info
40 16.850765 10.1.10.2 60.51.124.168 FTP Request: EPSV
41 17.408606 60.51.124.168 10.1.10.2 FTP Response: 229 Entering Extended Passive Mode (|||2208|)
42 17.409083 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
44 20.408992 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
45 23.609060 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
46 26.809127 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
47 30.009190 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
48 33.209262 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
49 39.409383 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
50 51.609633 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
53 75.810130 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
54 92.410707 10.1.10.2 60.51.124.168 FTP Request: EPRT |1|10.1.10.2|61003|
55 92.959227 60.51.124.168 10.1.10.2 FTP Response: 200 Port command successful
56 92.959520 10.1.10.2 60.51.124.168 FTP Request: LIST
57 93.650345 60.51.124.168 10.1.10.2 FTP Response: 150 Opening data channel for directory list.
58 93.750476 10.1.10.2 60.51.124.168 TCP 53227 > ftp [ACK] Seq=80 Ack=476 Win=66240
61 103.912716 60.51.124.168 10.1.10.2 FTP Response: 425 Can't open data connection.


Packet 40:
My computer sends a passive request
Packet 41:
Your server answers with "connect to 2208"
Packets 42-53:
My computer tries to connect to your server on port 2208
Packet 54:
My computer switches to active mode and opens up port 61003
Packet 57:
Your server tries to open a connection to my computer
Packet 61:
Your server responds with "Can't open data connection"

First: When my computer requests passive mode your server responds with 
"connect to port 2208".
According to your firewall setup you don't pass port 2208.

Second: My firewall does not pass inbound ftp-data connections. Therefore 
your server will fail when trying to connect to my computer with active ftp.

Conclusion:
You have stated in your firewall setup to use ports 55000 - 61000. 
Configure your server to use these ports for passive ftp-data connections.
Your NAT line 1 about port 20 isn't used. Your server uses port 20 for 
outgoing active ftp-data connections.
Regarding my firewall, I will not allow incoming ftp-data connections 
to my network. You must get your passive ftp to work because you cannot 
expect others to change their configurations.

I hope this can help
BR
/Anders


Joseph Lo wrote:

>>Here is my setup.
>>
>>internet ----> monowall ----> switch ----> ftp server
>>
>>monowall is 192.168.1.1
>>ftp server is 192.168.1.2. I am using FileZilla on windows XP as some have suggested.
>>
>>Here are my monowall config
>>
>>Firewall NAT Inbound
>>If   proto  Ext. port range  NAT IP       Int. port range  Description
>>WAN  TCP    20               192.168.1.2  20               ftp server port 20
>>WAN  TCP    21               192.168.1.2  21               ftp server port 21
>>WAN  TCP    55000-61000      192.168.1.2  55000-61000      ftp server
>>
>>
>>Firewall NAT outbound
>>Interface  Source          Destination  Target       Description
>>WAN        192.168.1.0/24  *            192.168.1.2  ftp server
>>
>>
>>Firewall rules
>>Proto  Source  Port  Destination  Port         Description
>>TCP    *       *     192.168.1.2  21           FTP server 1
>>TCP    *       *     192.168.1.2  55000-61000  FTP server 2
>>
>>I have setup filezilla with passive mode settings
>>External server IP address for passive mode transfer -> use the following IP -> 192.168.1.2
>>
>>I have also checked the tick box
>>* Don't use external IP for local connections
>>* use custom port range: 55000 - 61000
>>
>>When I use an ftp client to connect to 192.168.1.2 it works. When I use an ftp client from an external LAN
>>to connect to my dynamic IP, it can't find the ftp server. By the way, I am using monowall's dyndns
>>client. Pinging my hostname (eg. hostname.homeunix.net) from the net works.
>>
>>I have used ShieldsUP to check and it reports that port 21 is open.
>>
>>I have tried many configurations and still can't get anything to work.
>>
>>Please help
>>
>>Thank you.
>>Joseph
>>
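The check Anders did by hand on the capture above can be scripted. The following Python is an added example, not code from this thread, from m0n0wall or from FileZilla: it parses the 227/229 passive-mode replies a client receives and tests whether the announced data port falls inside the port range the firewall actually forwards (55000-61000 in Joseph's NAT table). It goes beyond the thread in one respect: a 227 reply that advertises an RFC 1918 address is also flagged, since an external client can never reach such an address.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Passive data-port range the firewall forwards, taken from the NAT table
# quoted in the thread (inclusive on both ends).
FORWARDED_PORTS = range(55000, 61001)

# 229 Entering Extended Passive Mode (|||2208|)   -> port only (RFC 2428)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> host and port (RFC 959)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataChannel:
    host: Optional[str]          # None for EPSV: client reuses the control-connection peer
    port: int
    problems: List[str] = field(default_factory=list)


def parse_passive_reply(line: str, forwarded: range = FORWARDED_PORTS) -> DataChannel:
    """Extract the data-channel endpoint from a 227/229 reply and list the
    reasons an external client would fail to open the data connection."""
    m = EPSV_RE.match(line)
    if m:
        host, port = None, int(m.group(1))
    else:
        m = PASV_RE.match(line)
        if not m:
            raise ValueError(f"not a passive-mode reply: {line!r}")
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

    chan = DataChannel(host, port)
    if port not in forwarded:
        chan.problems.append(
            f"port {port} is outside the forwarded range "
            f"{forwarded.start}-{forwarded.stop - 1}; the SYN will be dropped")
    if host is not None and ipaddress.ip_address(host).is_private:
        chan.problems.append(
            f"advertised address {host} is private and not routable from the Internet")
    return chan


if __name__ == "__main__":
    # The reply seen in packet 41 of the capture in the thread.
    for p in parse_passive_reply("229 Entering Extended Passive Mode (|||2208|)").problems:
        print("problem:", p)
```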