 
 From:  Joseph Lo <josephlo71 at yahoo dot com>
 To:  Anders Hagman <anders dot hagman at netplex dot se>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP server behind monowall
 Date:  Sun, 10 Sep 2006 05:57:25 -0700 (PDT)
Dear Anders,

Thank you very much for your analysis.

"You have stated in your firewall setup to use ports 55000 - 61000. 
Configure your server to use these ports for passive ftp-data connections."

Q: How would I configure these ports for ftp-data?

"Your NAT line 1 about port 20 isn't used. Your server uses port 20 for 
outgoing active ftp-data connections."

Q: I have also removed the line about port 20. Is this ok?

I am still not quite sure what the correct ftp server configuration would be for people with active
and passive connections. Would you mind amending my firewall rules and pasting the correct syntax here?

Many thanks
Joseph


Anders Hagman <anders dot hagman at netplex dot se> wrote: Hi

I have tested your ftp server and I have found that I can connect but I 
can not list the content.

tcpdump shows the following:

No. Time Source Destination Protocol Info
40 16.850765 10.1.10.2 60.51.124.168 FTP Request: EPSV
41 17.408606 60.51.124.168 10.1.10.2 FTP Response: 229 Entering Extended Passive Mode (|||2208|)
42 17.409083 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
44 20.408992 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
45 23.609060 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460 WS=1
46 26.809127 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
47 30.009190 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
48 33.209262 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
49 39.409383 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
50 51.609633 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
53 75.810130 10.1.10.2 60.51.124.168 TCP 55675 > 2208 [SYN] Seq=0 Len=0 MSS=1460
54 92.410707 10.1.10.2 60.51.124.168 FTP Request: EPRT |1|10.1.10.2|61003|
55 92.959227 60.51.124.168 10.1.10.2 FTP Response: 200 Port command successful
56 92.959520 10.1.10.2 60.51.124.168 FTP Request: LIST
57 93.650345 60.51.124.168 10.1.10.2 FTP Response: 150 Opening data channel for directory list.
58 93.750476 10.1.10.2 60.51.124.168 TCP 53227 > ftp [ACK] Seq=80 Ack=476 Win=66240
61 103.912716 60.51.124.168 10.1.10.2 FTP Response: 425 Can't open data connection.


Packet 40:
My computer sends a passive request
Packet 41:
Your server answers with "connect to 2208"
Packets 42-53:
My computer tries to connect to your server on port 2208
Packet 54:
My computer switches to active mode and opens up port 61003
Packet 57:
Your server tries to open a connection to my computer
Packet 61:
Your server responds with "Can't open data connection"

First: When my computer requests passive mode your server responds with 
"connect to port 2208".
According to your firewall setup you don't pass port 2208.

Second: My firewall does not pass inbound ftp-data connections. Therefore 
your server will fail when trying to connect to my computer with active ftp.

Conclusion:
You have stated in your firewall setup to use ports 55000 - 61000. 
Configure your server to use these ports for passive ftp-data connections.
Your NAT line 1 about port 20 isn't used. Your server uses port 20 for 
outgoing active ftp-data connections.
Regarding my firewall, I will not allow incoming ftp-data connections 
to my network. You must get your passive ftp to work because you can not 
expect others to change their configurations.

I hope this can help
BR
/Anders


Joseph Lo wrote:

>>Here is my setup.
>>
>>internet ----> monowall ----> switch ----> ftp server
>>
>>monowall is 192.168.1.1
>>ftp server is 192.168.1.2. I am using FileZilla on windows XP as some have suggested.
>>
>>Here are my monowall config
>>
>>Firewall NAT Inbound
>>If   Proto  Ext. port range  NAT IP       Int. port range  Description
>>WAN  TCP    20               192.168.1.2  20               ftp server port 20
>>WAN  TCP    21               192.168.1.2  21               ftp server port 21
>>WAN  TCP    55000-61000      192.168.1.2  55000-61000      ftp server
>>
>>
>>Firewall NAT outbound
>>Interface        source                Destination        Target            Description
>>WAN        192.168.1.0/24            *                        192.168.1.2        ftp server
>>
>>
>>Firewall rules
>>Proto  Source  Port  Destination  Port         Description
>>TCP    *       *     192.168.1.2  21           FTP server 1
>>TCP    *       *     192.168.1.2  55000-61000  FTP server 2
>>
>>I have set up FileZilla with passive mode settings
>>External server IP address for passive mode transfer -> use the following IP -> 192.168.1.2
>>
>>I have also checked the tick box
>>* Don't use external IP for local connections
>>* use custom port range: 55000 - 61000
>>
>>When I use an ftp client to connect to 192.168.1.2 it works. When I use an ftp client from an external LAN
to connect to my dynamic IP, it can't find the ftp server. By the way, I am using monowall's dyndns
server. Pinging my hostname (eg. hostname.homeunix.net) from the net works. 
>>
>>I have used Shield-up to check and it reports that port 21 is open.
>>
>>I have tried many configurations and still can't get anything to work. 
>>
>>Please help
>>
>>Thank  you.
>>Joseph
>>
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
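The failure Anders reads out of the capture above, turned into a check a server operator can run against their own control-channel replies. This is an added example, not code from the thread or from m0n0wall or FileZilla: it parses 227/229 passive-mode replies and reports when the advertised port falls outside the NAT forwarding range (55000-61000) or the advertised address is a private one such as 192.168.1.2. The public_ip parameter and the 227 sample replies are constructed for the example; only the 229 reply is taken from Anders's capture.

```python
import ipaddress
import re

# NAT forwarding range from the m0n0wall config posted in the thread
# (55000-61000 -> 192.168.1.2); a Python range excludes its stop value.
FORWARDED_PORTS = range(55000, 61001)

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and
# RFC 2428 "229 Entering Extended Passive Mode (|||port|)" replies.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (advertised_ip, port) for a 227 reply, (None, port) for a
    229 reply (EPSV carries only the port), or None for anything else."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def check_passive_reply(line, forwarded=FORWARDED_PORTS, public_ip=None):
    """List the reasons an external client's data connection would fail
    for this reply; an empty list means the reply looks reachable."""
    parsed = parse_passive_reply(line)
    if parsed is None:
        return ["not a 227/229 passive-mode reply"]
    ip, port = parsed
    problems = []
    if port not in forwarded:
        problems.append(f"port {port} is outside the forwarded range "
                        f"{forwarded.start}-{forwarded.stop - 1}")
    if ip is not None and ipaddress.ip_address(ip).is_private:
        problems.append(f"advertised address {ip} is private and "
                        "unreachable from the Internet")
    elif ip is not None and public_ip is not None and ip != public_ip:
        problems.append(f"advertised address {ip} is not the server's "
                        f"public address {public_ip}")
    return problems


if __name__ == "__main__":
    # The 229 reply is from Anders's capture; the 227 replies are constructed.
    for reply in ("229 Entering Extended Passive Mode (|||2208|)",
                  "227 Entering Passive Mode (192,168,1,2,218,248)",
                  "227 Entering Passive Mode (60,51,124,168,218,248)"):
        print(reply, "->", check_passive_reply(reply, public_ip="60.51.124.168") or "OK")
```

Run it against the replies your server sends (for example from a tcpdump of the control channel) and each reported problem names the rule that has to change before an external client's data connection can succeed.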