Hi,

On Wed, 2004-03-10 at 03:15, Nicolas Rainville wrote:
> Hi everyone,
>
> We have a M0N0wall as a firewall with a Windows FTP server on the DMZ.
> The firewall is in Bridge mode, all traffic is allowed from the DMZ to
> the WAN. The WAN interface has rules set up for the different ports -
> all works well.
>
> Where I have a problem is with FTP. If I open port 21 incoming and
> 1024-50000 outgoing I can get FTP to work in Passive mode as long as the
> client connecting to it (from the WAN interface) is not behind a NAT
> router. Also, this setup forces me to open a lot of ports, disabling a
> very large part of the security provided by the firewall.

Not really the case. You have opened a single inbound port, and no more. You haven't really had to "open a lot of ports, disabling a very large part of the security provided by the firewall" as the outbound ports are open by default anyway.

> I could not get Active mode to work (tried opening port 20) at all. A
> proxy would probably work here, but as far as I know it is not
> supported.

ftp, when running from one protected network into another, is rather difficult to get working. ftp wasn't designed with firewalls and/or NAT in mind, and is a protocol that is now showing its poor design and implementation. Unfortunately, there's often no easy way to get this all "just working" in all situations.

> NAT is not set up on the M0n0wall machine (we have a router doing that
> work) and we are currently running version pb20r555
> built on Mon Nov 24 19:23:59 CET 2003

For starters, I'd recommend upgrading this dinosaur to the current 1.0 release - the m0n0wall you are running is so old, it existed before many of us were born! (Metaphorically, of course.)
--
Regards,

Hilton Travis                Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual   Phone: +61-(0)419-792-394
Quark Computers              http://www.QuarkAV.com/
(Brisbane, Australia)        http://www.QuarkAV.net/

Open Source Projects:        http://www.ares-desktop.org/
                             http://www.mamboband.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
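Added example, not part of the original message or of m0n0wall: FTP is awkward through firewalls and NAT because the data-connection endpoint travels inside the control channel, in the `PORT` command (active mode) and the `227` reply (passive mode) defined by RFC 959. The sketch below parses both and compares the advertised address with the control-connection peer; the function names and the sample lines in the comments are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2: four address bytes, then port = p1*256 + p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed byte value
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_data_endpoint(line, control_peer):
    """Compare the advertised data endpoint with the control-channel peer.

    control_peer is the source address of the host that sent `line`, as
    seen at the point where the check runs (for example on the firewall).
    A mismatch means an address translator sits in the path and the
    advertised endpoint is not reachable as written.
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    return {
        "ip": str(ip),
        "port": port,
        "matches_peer": ip == ipaddress.IPv4Address(control_peer),
        "rfc1918": any(ip in net for net in RFC1918),
    }


if __name__ == "__main__":
    # Constructed sample: server behind NAT advertising its internal address.
    print(check_data_endpoint("227 Entering Passive Mode (192,168,1,10,195,80)",
                              "203.0.113.5"))
```

A result with `matches_peer` false and `rfc1918` true is the case where the data connection fails unless a device in the path rewrites the advertised address or the FTP server is configured to announce its external one.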