Dear Anders,

Thank you very much for your analysis.

"You have stated in your firewall setup to use ports 55000 - 61000. Configure your server to use these ports for passive ftp-data connections."

Q: How would I configure these ports for ftp-data?

"Your NAT line 1 about port 20 isn't used. Your server uses port 20 for outgoing active ftp-data connections."

Q: I have also removed the line about port 20. Is this OK?

I am still not quite sure what the correct ftp server configuration would be for people with active and passive connections. Would you mind amending my firewall rules and pasting the correct syntax here?

Many thanks
Joseph

Anders Hagman <anders dot hagman at netplex dot se> wrote:

> Hi
>
> I have tested your ftp server and I have found that I can connect but I can not list the content.
>
> tcpdump shows the following:
>
> No. Time       Source         Destination    Protocol Info
> 40  16.850765  10.1.10.2      60.51.124.168  FTP      Request: EPSV
> 41  17.408606  60.51.124.168  10.1.10.2      FTP      Response: 229 Entering Extended Passive Mode (|||2208|)
> 42  17.409083  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
> 44  20.408992  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
> 45  23.609060  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
> 46  26.809127  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
> 47  30.009190  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
> 48  33.209262  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
> 49  39.409383  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
> 50  51.609633  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
> 53  75.810130  10.1.10.2      60.51.124.168  TCP      55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
> 54  92.410707  10.1.10.2      60.51.124.168  FTP      Request: EPRT |1|10.1.10.2|61003|
> 55  92.959227  60.51.124.168  10.1.10.2      FTP      Response: 200 Port command successful
> 56  92.959520  10.1.10.2      60.51.124.168  FTP      Request: LIST
> 57  93.650345  60.51.124.168  10.1.10.2      FTP      Response: 150 Opening data channel for directory list.
> 58  93.750476  10.1.10.2      60.51.124.168  TCP      53227 > ftp [ACK] Seq=80 Ack=476 Win=66240
> 61  103.912716 60.51.124.168  10.1.10.2      FTP      Response: 425 Can't open data connection.
>
> Packet 40: My computer sends a passive request.
> Packet 41: Your server answers with "connect to 2208".
> Packets 42-53: My computer tries to connect to your server on port 2208.
> Packet 54: My computer switches to active mode and opens up port 61003.
> Packet 57: Your server tries to open a connection to my computer.
> Packet 61: Your server responds with "Can't open data connection".
>
> First: When my computer requests passive mode your server responds with "connect to port 2208". According to your firewall setup you don't pass port 2208.
>
> Second: My firewall does not pass inbound ftp-data connections. Therefore your server will fail when trying to connect to my computer with active ftp.
>
> Conclusion: You have stated in your firewall setup to use ports 55000 - 61000. Configure your server to use these ports for passive ftp-data connections.
>
> Your NAT line 1 about port 20 isn't used. Your server uses port 20 for outgoing active ftp-data connections.
>
> Regarding my firewall, I will not allow incoming ftp-data connections to my network. You must get your passive ftp to work because you can not expect others to change their configurations.
>
> I hope this can help
>
> BR
> /Anders
>
> Joseph Lo wrote:
>
>> Here is my setup.
>>
>> internet ----> monowall ----> switch ----> ftp server
>>
>> monowall is 192.168.1.1
>> ftp server is 192.168.1.2. I am using FileZilla on Windows XP as some have suggested.
>>
>> Here is my monowall config
>>
>> Firewall NAT Inbound
>> If   Proto  Ext. port range  NAT IP       Int. port range  Description
>> WAN  TCP    20               192.168.1.2  20               ftp server port 20
>> WAN  TCP    21               192.168.1.2  21               ftp server port 21
>> WAN  TCP    55000-61000      192.168.1.2  55000-61000      ftp server
>>
>> Firewall NAT outbound
>> Interface  Source          Destination  Target       Description
>> WAN        192.168.1.0/24  *            192.168.1.2  ftp server
>>
>> Firewall rules
>> Proto  Source  Port  Destination  Port         Description
>> TCP    *       *     192.168.1.2  21           FTP server 1
>> TCP    *       *     192.168.1.2  55000-61000  FTP server 2
>>
>> I have set up FileZilla with passive mode settings
>> External server IP address for passive mode transfer -> use the following IP -> 192.168.1.2
>>
>> I have also checked the tick boxes
>> * Don't use external IP for local connections
>> * use custom port range: 55000 - 61000
>>
>> When I use an ftp client to connect to 192.168.1.2 it works. When I use an ftp client from an external LAN to connect to my dynamic IP, it can't find the ftp server. By the way, I am using monowall's dyndns client. Pinging my hostname (eg. hostname.homeunix.net) from the net works.
>>
>> I have used ShieldsUP to check and it reports that port 21 is open.
>>
>> I have tried many configurations and still can't get anything to work.
>>
>> Please help
>>
>> Thank you.
>> Joseph
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
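The failure Anders traced in the capture (the server advertises data port 2208 while only 55000-61000 are forwarded) can be caught without a packet capture by looking at the server's own PASV/EPSV reply. The following Python is an added example written for this thread; it is not code from the thread, from m0n0wall or from FileZilla. It parses the 227 and 229 reply formats, checks the advertised port against the forwarded range from the quoted NAT rules, and, for a 227 reply, flags an RFC 1918 address handed to an external client, since such an address is not routable from the internet. The two sample reply strings are constructed for the example (2208 and the 55000-61000 range mirror the thread; the 227 line is made up), and probe_server is a hypothetical helper for running the same check against a server you administer.

```python
import ipaddress
import re
from ftplib import FTP

# Constructed sample replies for this example; the port 2208 and the
# 55000-61000 range mirror the values discussed in the thread, while the
# 227 line is made up (214*256 + 216 = 55000).
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||2208|)"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,2,214,216)"

# Passive data-port range forwarded by the m0n0wall NAT rules in the thread.
PASSIVE_RANGE = (55000, 61000)


def parse_passive_reply(reply):
    """Return (host, port) from a 227 (PASV) or 229 (EPSV) control reply.

    EPSV replies carry only a port, so host is None for them.  A reply that
    is not a passive-mode reply raises ValueError.
    """
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", reply)
    if m:
        return None, int(m.group(1))
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))  # p1*256 + p2 (RFC 959)
        return host, port
    raise ValueError("not a PASV/EPSV reply: %r" % reply)


def check_passive_reply(reply, passive_range=PASSIVE_RANGE, client_is_external=True):
    """Return a list of problems with the advertised data connection.

    An empty list means an external client could reach the data port through
    the forwarded range: the port lies inside that range, and a 227 reply
    does not hand an external client a private (RFC 1918) address.
    """
    host, port = parse_passive_reply(reply)
    lo, hi = passive_range
    problems = []
    if not lo <= port <= hi:
        problems.append(
            "advertised data port %d is outside forwarded range %d-%d" % (port, lo, hi))
    if host is not None and client_is_external and ipaddress.ip_address(host).is_private:
        problems.append(
            "advertised address %s is private and unreachable from the internet" % host)
    return problems


def probe_server(host, user="anonymous", passwd="anonymous@", passive_range=PASSIVE_RANGE):
    """Hypothetical helper: log in to a server you administer and check its
    live EPSV and PASV replies.  Needs network access, so the offline samples
    below do not exercise it.  ftplib.FTP.sendcmd returns the reply line.
    """
    ftp = FTP(host, timeout=15)
    try:
        ftp.login(user, passwd)
        findings = {}
        for cmd in ("EPSV", "PASV"):
            findings[cmd] = check_passive_reply(ftp.sendcmd(cmd), passive_range)
        return findings
    finally:
        ftp.close()


if __name__ == "__main__":
    for sample in (SAMPLE_EPSV_REPLY, SAMPLE_PASV_REPLY):
        print(sample)
        for problem in check_passive_reply(sample) or ["ok"]:
            print("  -", problem)
```

Run stand-alone it reports the 2208 reply as outside the forwarded range, and the made-up 227 reply as advertising a private address; the same check with client_is_external=False accepts the 227 reply, which matches the thread's observation that connections from inside the LAN work.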