For an active FTP server you will need to open up ports 20 and 21 both
inbound and outbound. That means that if your FTP server is using a
non-routable IP address such as 10.0.0.2 you will need inbound NAT rules
for both. Also you need to allow ports 20 and 21 (TCP) outbound from the
FTP server as well.

For a passive FTP server you need to enable the entire ephemeral port
range (not just 20 and 21) in the same way. If your FTP server has a
non-routable IP address then you will need to also spoof the FTP
server's IP address. Have a look at your FTP server config files for how
to do this. You need to make it match the IP address of the WAN
interface on the m0n0wall box. If you use a dynamic IP then this is a
little complicated and probably not a good idea.

Hope this helps.
On Mon, 2003-09-22 at 18:33, Paul Hormis wrote:
> Ok so I think I have it narrowed down to port 20 not being open
> outbound? Does that make sense?
> I have port 21 open incoming but I THINK I need to open port 20 outbound?
> Perhaps I am setting the inbound of port 20 wrong?
> Any suggestions as to how I would do that? Currently I have it on TCP
> and Other but I think that is probably wrong.
> Thanks to you all for your help this far.
> Paul Hormis
> Blur Studio
> Digital Artist/Animator
> Manuel Kasper wrote:
> >On Sat, 20 Sep 2003, Paul Hormis wrote:
> >>I can connect no problem from within my LAN with either a browser or an
> >>FTP client.
> >>As soon as I try from work (outside my LAN) I have permission problems.
> >Probably the classical passive-mode-FTP-server-behind-NAT problem. Try
> >setting your FTP client(s) for active mode FTP. Unfortunately, ipfilter
> >does not provide an FTP proxy for incoming connections, only for outgoing,
> >so it's really difficult to run a passive mode FTP server behind NAT.
> >Active mode has the downside that some firewalls don't handle it properly
> >(in active mode, the server establishes a connection to the client for
> >data transfers, and the firewall needs to install a temporary rule to
> >permit that inbound connection. m0n0wall does that, but only for outbound
Frans J King <kingf1 at cs dot man dot ac dot uk>
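The thread turns on which address and port each side announces for the FTP data connection: in active mode the client sends a `PORT` command and the server connects back from port 20, in passive mode the server answers `PASV` with a `227` reply carrying its own address, and a server behind NAT that has not been told to announce the WAN address leaks a non-routable one such as 10.0.0.2. The following is an added example, not code from the thread or from m0n0wall; it parses both announcements per RFC 959 (port = p1*256 + p2) and reports which rule the firewall would need, flagging the behind-NAT mistake Manuel and Frans describe. The sample lines and the WAN address 203.0.113.5 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines (not from the thread): how the data-connection endpoint is announced.
PASV_PRIVATE = "227 Entering Passive Mode (10,0,0,2,195,80)"     # server behind NAT, not yet fixed
PASV_FIXED = "227 Entering Passive Mode (203,0,113,5,195,80)"    # server configured to announce WAN IP
PORT_ACTIVE = "PORT 198,51,100,7,4,1"                            # outside client asking for active mode

# Assumed WAN address of the firewall (documentation range, constructed for this example).
WAN_IP = ipaddress.IPv4Address("203.0.113.5")

# RFC 1918 ranges: the "non-routable" addresses the thread is talking about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def _decode(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (IPv4Address, port); reject values over 255."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError(f"field out of range in {groups}")
    h1, h2, h3, h4, p1, p2 = vals
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply; None for any other line."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        return "active", ip, port
    m = _PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        return "passive", ip, port
    return None


def check_data_endpoint(line, wan_ip=WAN_IP, ephemeral=(1024, 65535)):
    """Describe the firewall/NAT rule the announced data connection needs and list problems
    an outside client would hit (private address announced, port outside the opened range)."""
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return None
    mode, ip, port = parsed
    lo, hi = ephemeral
    issues = []
    if mode == "passive":
        # The outside client connects TO ip:port, so the server must announce the WAN address
        # and the firewall must forward that port inbound to the real server.
        if is_rfc1918(ip):
            issues.append(f"server announced non-routable address {ip}; an outside client cannot reach it")
        elif ip != wan_ip:
            issues.append(f"server announced {ip}, which is not the WAN address {wan_ip}")
        if not lo <= port <= hi:
            issues.append(f"data port {port} is outside the opened ephemeral range {lo}-{hi}")
        rule = f"inbound TCP to {wan_ip}:{port} forwarded to the FTP server's port {port}"
    else:
        # The server connects FROM port 20 TO the client's ip:port, so the firewall in front
        # of the server must allow that outbound connection.
        if is_rfc1918(ip):
            issues.append(f"client announced non-routable address {ip}; the server's connection to it will fail")
        rule = f"outbound TCP from the FTP server's port 20 to {ip}:{port}"
    return {"mode": mode, "data_ip": str(ip), "data_port": port, "required_rule": rule, "issues": issues}


if __name__ == "__main__":
    for sample in (PASV_PRIVATE, PASV_FIXED, PORT_ACTIVE):
        print(sample)
        print("   ", check_data_endpoint(sample))
```

Run against the three constructed lines, the first passive reply is flagged because 10.0.0.2 is unreachable from the client's side of the NAT, the second (after the server has been configured to announce the WAN address, as Frans suggests) needs only the inbound forward for port 50000, and the `PORT` line shows why active mode needs an outbound rule from the server's port 20 rather than an inbound one.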