 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Another weird FTP problem...
 Date:  Mon, 22 Sep 2003 14:02:52 -0700 (PDT)
On 22 Sep 2003, Frans J King wrote:

> For an active FTP server you will need to open up ports 20 and 21 both
> inbound and outbound. That means that if your FTP server is using a
> non-routable ip address such as you will need inbound NAT rules
> for both. Also you need to allow ports 20 and 21 (TCP) outbound from the
> ftp server as well.

No, an active-mode *server* only uses port 21 inbound, and port 20
outbound.  No special NAT setup is needed for the outbound data
connection, and probably no special firewall setup with stateful
filtering (unless outgoing connections are being blocked for some reason).

> For a passive FTP server you need to enable the entire ephemeral port
> range (not such 20 and 21) in the same way. If your ftp server has an

Yes, and different platforms have different opinions as to what
constitutes the "ephemeral range".  The current standard is to use
49152-65535, but many older implementations use 1024-5000.

> non-routable ip address then you will need to also spoof the ftp
> server's ip address. Have a look at your ftp server config files for how
> to do this. You need to make it match the ip address of the wan
> interface on the m0n0wall box. If you use a dynamic ip then this is a
> little complicated and probably not a good idea.

It's more complicated than that, because NAT might change the port number,
and there's no way for the server to predict that.  You really need either
a special "FTP hack" in NAT (which has difficulties with packet vs. stream
issues) or some form of proxy on the router.

In general, active-mode FTP is reasonably NAT- and firewall-friendly on
the server side, and passive mode is so on the client side.  If you have
firewalls and/or NAT routers on both ends, you need special kludges.

					Fred Wright
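The two points Fred makes above (which side of a NAT each FTP mode is friendly to, and why a NATed passive server's PASV reply breaks) can be checked with a small model. The following is an added example and not part of the original message or of m0n0wall; the host addresses, port numbers and the 227 reply strings are constructed for illustration, and the "stateful filter" it assumes simply permits any outbound connection plus its replies.

```python
"""Model of the TCP connections active- and passive-mode FTP create, the
inbound rules each side needs under a stateful filter, and the PASV-reply
problem a NATed passive server has.  Example code, not from the thread."""
import ipaddress
import re

# Ephemeral port ranges named in the thread.
IANA_EPHEMERAL = (49152, 65535)
LEGACY_EPHEMERAL = (1024, 5000)

# RFC 1918 space, i.e. "non-routable" addresses in the thread's wording.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ftp_connections(mode, data_port):
    """TCP connections one transfer creates: (initiator, dst_port, purpose)."""
    control = ("client", 21, "control")
    if mode == "active":
        # Server opens the data connection from port 20 to the port the
        # client announced with PORT.
        return [control, ("server", data_port, "data (PORT)")]
    if mode == "passive":
        # Client opens the data connection to the port the server announced
        # with PASV.
        return [control, ("client", data_port, "data (PASV)")]
    raise ValueError(f"unknown mode {mode!r}")


def required_inbound_ports(mode, side, data_port):
    """Ports `side` ("client" or "server") must accept inbound, assuming a
    stateful filter that lets outbound connections and their replies
    through.  Only connections initiated by the other party count."""
    other = "server" if side == "client" else "client"
    return {port for initiator, port, _ in ftp_connections(mode, data_port)
            if initiator == other}


def ephemeral_range_of(port):
    """Which of the two ranges from the thread a port falls in, if any."""
    if IANA_EPHEMERAL[0] <= port <= IANA_EPHEMERAL[1]:
        return "iana"
    if LEGACY_EPHEMERAL[0] <= port <= LEGACY_EPHEMERAL[1]:
        return "legacy"
    return None


PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply: host as dotted quad, port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_problems(reply, wan_ip, inbound_ports):
    """Reasons a client beyond the NAT could not use this PASV reply.
    `wan_ip` is the router's external address, `inbound_ports` the ports
    forwarded/allowed inbound to the server.  Port remapping by NAT, which
    the server cannot predict, is not modelled here."""
    host, port = parse_pasv(reply)
    problems = []
    if any(ipaddress.ip_address(host) in n for n in RFC1918):
        problems.append(f"advertised host {host} is a private address; "
                        f"the client will try to reach it directly")
    elif host != wan_ip:
        problems.append(f"advertised host {host} is not the WAN address {wan_ip}")
    if port not in inbound_ports:
        problems.append(f"advertised port {port} is not allowed inbound")
    return problems


if __name__ == "__main__":
    for mode in ("active", "passive"):
        for side in ("server", "client"):
            print(mode, side, "needs inbound:",
                  sorted(required_inbound_ports(mode, side, 50000)))
    # Constructed replies: server behind NAT with a 10/8 address vs. one
    # configured to advertise the router's WAN address (203.0.113.9).
    for reply in ("227 Entering Passive Mode (10,0,0,5,195,80)",
                  "227 Entering Passive Mode (203,0,113,9,195,80)"):
        host, port = parse_pasv(reply)
        print(reply, "->", host, port, ephemeral_range_of(port),
              pasv_problems(reply, "203.0.113.9", range(49152, 65536)))
```

Running it shows the asymmetry in the post: an active-mode server needs only port 21 inbound while the active-mode client must accept the data connection, and a passive-mode server must accept the whole ephemeral range while the passive-mode client needs nothing inbound. The first constructed PASV reply is flagged because it advertises a 10/8 address, which is the "spoof the server's ip" problem; the second passes only because the announced port also falls inside the forwarded range.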