Hey all, I just wanted to thank those of you that helped me with this. I was finally able to get the FTP to work from outside my LAN. I opened both 20 and 21 inbound and outbound and it all works great. Although from the email below I probably only need 21 inbound and 20 outbound. I will test it and let you know but otherwise all is well.

Thanks again,
Paul

Fred Wright wrote:

> On 22 Sep 2003, Frans J King wrote:
>
>> For an active FTP server you will need to open up ports 20 and 21 both
>> inbound and outbound. That means that if your FTP server is using a
>> non-routable ip address such as 10.0.0.2 you will need inbound NAT rules
>> for both. Also you need to allow ports 20 and 21 (TCP) outbound from the
>> ftp server as well.
>
> No, an active-mode *server* only uses port 21 inbound, and port 20
> outbound. No special NAT setup is needed for the outbound data
> connection, and probably no special firewall setup with stateful
> filtering (unless outgoing connections are being blocked for some reason).
>
>> For passive FTP server you need to enable the entire ephemeral port
>> range (not such 20 and 21) in the same way. If your ftp server has an
>
> Yes, and different platforms have different opinions as to what
> constitutes the "ephemeral range". The current standard is to use
> 49152-65535, but many older implementations use 1024-5000.
>
>> non-routable ip address then you will need to also spoof the ftp
>> server's ip address. Have a look at your ftp server config files for how
>> to do this. You need to make it match the ip address of the wan
>> interface on the m0n0wall box. If you use a dynamic ip then this is a
>> little complicated and probably not a good idea.
>
> It's more complicated than that, because NAT might change the port number,
> and there's no way for the server to predict that. You really need either
> a special "FTP hack" in NAT (which has difficulties with packet vs. stream
> issues) or some form of proxy on the router.
>
> In general, active-mode FTP is reasonably NAT- and firewall-friendly on
> the server side, and passive mode is so on the client side. If you have
> firewalls and/or NAT routers on both ends, you need special kludges.
>
> Fred Wright
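The thread above turns on which side opens the FTP data connection in each mode and why a server behind NAT cannot predict the port the NAT will use. The following Python is an added illustration, not code from the mailing list or from m0n0wall: it decodes the `h1,h2,h3,h4,p1,p2` tuple carried by the client's PORT command and the server's 227 PASV reply, derives the server-side firewall rules each mode needs (TCP/21 inbound always; TCP/20 outbound for active, an advertised ephemeral port inbound for passive), checks a port against both ephemeral ranges Fred mentions, and models the "FTP hack" a NAT router must apply to a PASV reply. All addresses, ports, the `nat_port_map` and the helper names are constructed assumptions.

```python
import re

# Ranges named in the thread: the current standard and the range older stacks used.
EPHEMERAL_RANGES = {"current": (49152, 65535), "legacy": (1024, 5000)}

# h1,h2,h3,h4,p1,p2 as it appears in "PORT ..." and "227 Entering Passive Mode (...)".
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the six-number tuple into (ip, port); port = p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("value above 255 in %r" % text)
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport: encode an IP and port as h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def in_ephemeral_range(port, platform="current"):
    """True if port falls in the ephemeral range of the given platform style."""
    lo, hi = EPHEMERAL_RANGES[platform]
    return lo <= port <= hi


def server_side_rules(mode, server_ip, client_ip, message):
    """Firewall rules the FTP *server* side needs for one transfer.

    mode: "active"  -> message is the client's PORT command
          "passive" -> message is the server's 227 reply
    Each rule is (direction, src_ip, src_port, dst_ip, dst_port), all TCP.
    """
    rules = [("in", client_ip, "any", server_ip, 21)]  # control channel, always
    if mode == "active":
        dst_ip, dst_port = parse_hostport(message)
        # The server opens the data connection itself, from source port 20.
        rules.append(("out", server_ip, 20, dst_ip, dst_port))
    elif mode == "passive":
        srv_ip, srv_port = parse_hostport(message)
        # The client connects in to whatever ephemeral port the server advertised.
        rules.append(("in", client_ip, "any", srv_ip, srv_port))
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return rules


def rewrite_pasv_reply(reply, wan_ip, nat_port_map):
    """Model of the NAT 'FTP hack'/proxy applied to a 227 reply.

    The server behind NAT advertises its private address and a port it chose;
    the router substitutes the WAN address and, where NAT remapped the port,
    the public port (nat_port_map: private_port -> public_port, an assumed
    table standing in for the router's NAT state).
    Returns (rewritten_reply, (private_ip, private_port), (wan_ip, public_port)).
    """
    private_ip, private_port = parse_hostport(reply)
    public_port = nat_port_map.get(private_port, private_port)
    rewritten = _HOSTPORT.sub(format_hostport(wan_ip, public_port), reply, count=1)
    return rewritten, (private_ip, private_port), (wan_ip, public_port)


if __name__ == "__main__":
    # Constructed sample exchange: server 10.0.0.2 behind a router whose WAN
    # address is 203.0.113.5, client at 198.51.100.7.
    for rule in server_side_rules("active", "10.0.0.2", "198.51.100.7",
                                  "PORT 198,51,100,7,195,80"):
        print("active :", rule)
    reply = "227 Entering Passive Mode (10,0,0,2,234,56)"
    for rule in server_side_rules("passive", "10.0.0.2", "198.51.100.7", reply):
        print("passive:", rule)
    new_reply, priv, pub = rewrite_pasv_reply(reply, "203.0.113.5", {59960: 50123})
    print("NAT rewrote", priv, "->", pub, ":", new_reply)
```

Running the block shows the asymmetry Fred describes: in active mode the only server-side rule beyond TCP/21 inbound is an outbound connection from port 20, which stateful filtering normally allows anyway; in passive mode the rule is inbound to a port chosen at run time, and if the server sits behind NAT the 227 reply still names 10.0.0.2 and the port the server picked, so without the rewrite shown in `rewrite_pasv_reply` the client would try to connect to an unreachable address or a port the NAT never mapped.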