 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Joseph Lo <josephlo71 at yahoo dot com>
 Cc:  Michael Brown <knightmb at knightmb dot dyndns dot org>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP server behind monowall
 Date:  Sun, 10 Sep 2006 11:57:42 -0400
Joseph,

This server does not work as it should, and it is not because of your 
firewall, but because of your server config. Your server is clearly 
passing its own IP back to the client. It should not be doing that. 
Your firewall does not do that, the server does. I'm not familiar with 
the config of your particular server so you will have to look elsewhere 
for that, or maybe someone else here knows how to stop the behavior of 
the server returning its own IP to the client. It also appears your 
port config may not be right on your server because it tried to connect 
to port 3849, which is not one you stated you had configured in the 
firewall. The first time I attempted it returned an appropriate port, 
but maybe that was coincidence, or you changed something since then.

I am not on a 192.168.1.X network here, so I know the problem must be on 
your end, and it must be the server because the firewall does not give 
out the IP of the NATed machine behind it.

COMMAND:> PASV
227 Entering Passive Mode (192,168,1,2,15,9)
COMMAND:> LIST
STATUS:> Connecting ftp data socket 192.168.1.2:3849...
ERROR:> Can't connect to remote server. Socket error = #10061.
425 Can't open data connection.

Still the same problem, it's trying to connect to your private IP 
instead of the public, and this time the port is not correct.

I also know why Michael is saying it works. He is using PORT (also known 
as ACTIVE) instead of PASV mode. Using PORT mode your server DOES work. 
It's the passive config that is wrong. To prove I was able to connect 
using PORT mode, here is a list of folders when I connect.

audacity_temp
MSOCache
RECYCLER
System Volume Information


HTH

Chris
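A small diagnostic for the 227 replies quoted in this thread, added here as an example and not part of the original mail: it recomputes the data port from the two port octets, flags an advertised RFC 1918 address and a port outside the 55000-61000 range Joseph forwards in his m0n0wall inbound NAT rule, and shows the fallback many clients apply of dialling the control connection's peer address instead. The control-peer address 60.51.124.168 and the port range come from the thread; the function names and sample replies are constructed.

```python
import ipaddress
import re

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as logged in the thread.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Port range forwarded to 192.168.1.2 by Joseph's inbound NAT rule.
NAT_PASV_RANGE = (55000, 61000)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_peer_ip, nat_range=NAT_PASV_RANGE):
    """Diagnose a 227 reply the way a client would before opening the data socket."""
    ip, port = parse_pasv(reply)
    problems = []
    advertised = ipaddress.ip_address(ip)
    if advertised.is_private:
        # The server handed out its LAN address: FileZilla's passive-mode
        # "external IP" setting pointed at 192.168.1.2 instead of the WAN IP.
        problems.append("advertised %s is a private address" % ip)
    elif ip != control_peer_ip:
        problems.append("advertised %s differs from control peer %s" % (ip, control_peer_ip))
    lo, hi = nat_range
    if not lo <= port <= hi:
        # Nothing forwards this port, so the firewall drops the data connection.
        problems.append("port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    # Fallback used by many clients: ignore a private advertised address and reuse
    # the address the control connection was made to.
    dial_ip = control_peer_ip if advertised.is_private else ip
    return {"ip": ip, "port": port, "problems": problems, "dial": (dial_ip, port)}


if __name__ == "__main__":
    # Constructed input: the two replies logged in the thread, plus a corrected one.
    for r in ("227 Entering Passive Mode (192,168,1,2,15,9)",
              "227 Entering Passive Mode (192,168,1,2,214,219)",
              "227 Entering Passive Mode (60,51,124,168,214,219)"):
        print(check_pasv(r, "60.51.124.168"))
```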

Joseph Lo wrote:
> Dear Chris,
>
> Thank you v. much for your efforts. Appreciate it.
>
> Would the 192.168.1.2:55003 be referring to the pasv ports I assigned 
> in monowall?
>
> Just to be sure, I have now removed this entry. If you would take a 
> little time to test again, I would be most grateful.
>
> Thank you
> Joseph
>
> */"Christopher M. Iarocci" <iarocci at eastendsc dot com>/* wrote:
>
>     Here is what I get with CuteFTP Pro:
>
>     *** CuteFTP Pro 3.0 - build Nov 4 2002 ***
>
>     STATUS:> Getting listing ""...
>     STATUS:> Resolving host name josephlo.homeunix.net...
>     STATUS:> Host name josephlo.homeunix.net resolved: ip = 60.51.124.168.
>     STATUS:> Connecting to ftp server josephlo.homeunix.net:21 (ip =
>     60.51.124.168)...
>     STATUS:> Socket connected. Waiting for welcome message...
>     220-FileZilla Server version 0.9.18 beta
>     220-written by Tim Kosse (Tim dot Kosse at gmx dot de)
>     220 Please visit http://sourceforge.net/projects/filezilla/
>     STATUS:> Connected. Authenticating...
>     COMMAND:> USER guest
>     331 Password required for guest
>     COMMAND:> PASS *****
>     230 Logged on
>     STATUS:> Login successful.
>     COMMAND:> PWD
>     257 "/" is current directory.
>     STATUS:> Home directory: /
>     COMMAND:> FEAT
>     211-Features:
>     MDTM
>     REST STREAM
>     SIZE
>     MLST type*;size*;modify*;
>     UTF8
>     CLNT
>     211 End
>     STATUS:> This site supports features.
>     STATUS:> This site supports SIZE.
>     STATUS:> This site can resume broken downloads.
>     COMMAND:> REST 0
>     350 Rest supported. Restarting at 0
>     COMMAND:> PASV
>     227 Entering Passive Mode (192,168,1,2,214,219)
>     COMMAND:> LIST
>     STATUS:> Connecting ftp data socket 192.168.1.2:55003...
>     ERROR:> Can't connect to remote server. Socket error = #10061.
>     425 Can't open data connection.
>
>     Notice it's trying to connect to 192.168.1.2:55003. That is a problem
>     with the FTP server returning its IP instead of the public IP.
>     Need to
>     change that config somewhere. Not familiar with your flavor of server
>     though.
>
>     HTH
>
>     Chris
>
>
>     Joseph Lo wrote:
>     > Michael,
>     >
>     > Yep. Created a guest account on my ftp server with password 12345.
>     This should login to an empty 40GB drive on my box.
>     >
>     > Could you try if this works on your end?
>     >
>     > Thanks
>     > Joseph
>     >
>     > Michael Brown wrote: Hehe, works perfectly fine for me. I tried
>     this with my laptop which was
>     > connected directly to the net via a static IP (no routers,
>     firewalls,
>     > etc in between). Do you have a guest account I can login with to
>     make
>     > sure "LS" and all those other commands work properly? This might
>     confirm
>     > the problem that a firewall/NAT/router somewhere in the chain is
>     messing
>     > with the trigger ports. If you check the m0n0wall firewall log,
>     those
>     > trigger ports might even show up as "blocked" because m0n0wall
>     wasn't
>     > allowed to connect back to the ftp client for a data connection
>     (look
>     > for those high passive port numbers like 1024 and higher)
>     >
>     > Thanks,
>     > Michael
>     >
>     > Joseph Lo wrote:
>     >
>     >> Dear Michael,
>     >>
>     >> Thank you for your feedback.
>     >>
>     >> The thing that bugs me is that there are reports from the net
>     that an
>     >> ftp server is fully functional behind monowall and yet I can't
>     get it
>     >> working.
>     >>
>     >> What I would like to get confirmation with the monowall forum
>     is that
>     >> my setup in monowall is actually correct and nothing is amiss.
>     >>
>     >> I have an account with dyndns with hostname josephlo.homeunix.net.
>     >>
>     >> If I ping josephlo.homeunix.net it will return the dynamic IP
>     nos as
>     >> assigned by my ISP. If I ftp josephlo.homeunix.net it will return
>     >> connect error, as you suggested, it could be because the ftp
>     server
>     >> couldn't assign the trigger ports properly.
>     >>
>     >> Could you try then to ftp to my hostname and see if it actually
>     works?
>     >>
>     >> Many thanks
>     >> Joseph
>     >>
>     >> */Michael Brown /* wrote:
>     >>
>     >> Joseph,
>     >> I ran into this problem a while back, at first I thought
>     m0n0wall was
>     >> messing with the ftp server. I later found out that if you try
>     to ftp
>     >> through m0n0wall from behind another firewall, that's what the
>     >> problem
>     >> is. Some switch/NAT/firewalls don't assign the dynamic trigger
>     ports
>     >> properly which will cause the "LS" command and many others to
>     >> fail. So
>     >> since it can't list files, the ftp client will report an error
>     or no
>     >> connection. It doesn't matter if you use passive or active mode
>     >> ftp, I
>     >> found this issue with certain types of D-Link switches. If you
>     >> remove the
>     >> D-link from the loop, all of a sudden everything works like it
>     should.
>     >>
>     >> E-mail me and I can help test this for you, I have a few spare
>     WAN IP
>     >> that I can hook directly to a PC to test ftp connections with a
>     >> simple
>     >> guest account you could create for troubleshooting.
>     >>
>     >> Thanks,
>     >> Michael
>     >>
>     >>
>     >>
>     >> Joseph Lo wrote:
>     >> > Dear All,
>     >> >
>     >> > I know this is an age old question: how to setup ftp server
>     >> behind monowall.
>     >> >
>     >> > I have searched the forum and read the monowall scratchpad. But
>     >> I still can't get my ftp server to work. I am hoping someone could
>     >> enlighten me.
>     >> >
>     >> > Here is my setup.
>     >> >
>     >> > internet ----> monowall ----> switch ----> ftp server
>     >> >
>     >> > monowall is 192.168.1.1
>     >> > ftp server is 192.168.1.2. I am using FileZilla on Windows XP as
>     >> some have suggested.
>     >> >
>     >> > Here is my monowall config
>     >> >
>     >> > Firewall NAT Inbound
>     >> > If proto Ext. port range NAT IP Int. port range Description
>     >> > WAN TCP 20 192.168.1.2 20 ftp server port 20
>     >> > WAN TCP 21 192.168.1.2 21 ftp server port 21
>     >> > WAN TCP 55000-61000 192.168.1.2 55000-61000 ftp server
>     >> >
>     >> >
>     >> > Firewall NAT outbound
>     >> > Interface source Destination Target Description
>     >> > WAN 192.168.1.0/24 * 192.168.1.2 ftp server
>     >> >
>     >> >
>     >> > Firewall rules
>     >> > Proto Source Port Destination Port Destination
>     >> > TCP * * 192.168.1.2 21 FTP server 1
>     >> > TCP * * 192.168.1.2 55000-61000 FTP server 2
>     >> >
>     >> > I have set up FileZilla with passive mode settings
>     >> > External server IP address for passive mode transfer -> use the
>     >> following IP -> 192.168.1.2
>     >> >
>     >> > I have also checked the tick box
>     >> > * Don't use external IP for local connections
>     >> > * use custom port range: 55000 - 61000
>     >> >
>     >> > When I use ftp client to connect to 192.168.1.2 it works. When I
>     >> use ftp client from external lan to connect to my dynamic IP, it
>     >> can't find the ftp server. By the way, I am using monowall's
>     >> dyndns server. Pinging my hostname (eg. hostname.homeunix.net)
>     >> from the net works.
>     >> >
>     >> > I have used Shield-up to check and it reports that port 21 is open.
>     >> >
>     >> > I have tried many configurations and still can't get anything to
>     >> work.
>     >> >
>     >> > Please help
>     >> >
>     >> > Thank you.
>     >> > Joseph
>     >> >
>     >> >
>     >> >
>     ---------------------------------------------------------------------
>     >> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>     >> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch