 
 From:  "Neil Schneider" <pacneil at linuxgeek dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP NAT redux
 Date:  Tue, 24 Aug 2004 15:02:36 -0700 (PDT)
Fred Wright said:
>
> Putting this back on-list.

Sorry for addressing you directly.
>
> On Fri, 20 Aug 2004, Neil Schneider wrote:
>> Fred Wright said:
>> > On Thu, 19 Aug 2004, Neil Schneider wrote:
>> >
>> >> I recently replaced my Linux firewall with M0n0wall. I have an ftp
>> >> server that sits behind it and is Server NAT'ed to a public IP
>> >> address. I keep running into the problem described in the list
>> >> archives and on various web pages, where connections from behind
>> >> another firewall fail in unpredictable ways.
>> >>
>> >> So here's my question. Is there no equivalent in FreeBSD to the Linux
>> >> kernel modules ip_contrack_ftp and ip_contrack_nat?
>> >
>> > Perhaps if you explained what those features do, and/or gave a
>> > specific example of a failing case.
>>
>> ip_contrack_ftp and ip_contrack_nat are "helper" modules specifically
>> for NAT'ing FTP protocol. I believe they track the port connections
>> for ftp and allow the kernel to know when ftp-data connections are
>> related to those. I'm probably not explaining it well, however it
>> solves the problems with double NAT'ed FTP servers. Clients had no
>> problems connecting to my ftp server from behind firewalls with the
>> Linux firewall. Now that I replaced the linux firewall with m0n0wall
>> they get timeout errors and failure to receive directory listings. I
>> know it's related to these modules.
>
> I think IPFilter handles this automatically for NAT but not for the
> firewall, though this is based on using an active-mode client, which is
> a similar but not identical case to the passive-mode server. Passive-mode
> clients and active-mode servers should have no trouble. To open things
> up the rest of the way, you need to open the whole "ephemeral" port range
> 49152-65535. This may still not be enough if the server goes by an older
> standard for the port range, but if you enable firewall logging you can
> see what ports it's having trouble with.
>
> I don't think this has anything to do with "double NATting", other than
> that means there are *two* NAT layers that need to "get FTP right".

Well, the testing I'm doing is from a system behind m0n0wall to an ftp
server NAT'ed behind m0n0wall. I opened the "ephemeral" ports you
described, and still can't get a file listing. The client side is
regular masquerading NAT; the server is Server NAT to a specific IP.
Clients with complaints are behind Linksys and other "DSL/Cable
Routers". The result is the same.

Are you suggesting I need to Server NAT all those ports 49152-65535?


-- 
Neil Schneider                              pacneil_at_linuxgeek_dot_net
                                           http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B  8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be stirred by
spiritless men. Enthusiasm in our daily work lightens effort and turns
even labor into pleasant tasks. --James Baldwin
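As an added illustration of the helper behaviour discussed in this thread (not code from m0n0wall, IPFilter or the Linux modules), the following Python sketches what an FTP NAT helper does for a passive-mode server behind Server NAT: it parses the port announced in the 227 reply on the control channel, rewrites the private address to the public one, and records the expected data connection so the firewall can treat it as related rather than as an unsolicited inbound connection. The addresses and replies are constructed sample values.

```python
import re

# Constructed sample addresses (hypothetical): private server and its Server NAT IP.
PRIVATE_IP = "192.168.1.20"
PUBLIC_IP = "203.0.113.10"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) announced by a '227 Entering Passive Mode' reply."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

def format_pasv(host, port):
    """Build a 227 reply in the h1,h2,h3,h4,p1,p2 form."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        host.replace(".", ","), port // 256, port % 256)

def in_iana_ephemeral_range(port):
    """The range Fred suggests opening; older servers may pick lower ports."""
    return 49152 <= port <= 65535

class FtpNatHelper:
    """Minimal model of an FTP conntrack/NAT helper for a passive server behind 1:1 NAT."""

    def __init__(self, private_ip, public_ip):
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.expected = set()  # (client_ip, public_ip, data_port) pinholes

    def on_server_reply(self, client_ip, reply):
        """Return what the client should see; a PASV reply leaking the private IP is rewritten."""
        if not reply.startswith("227 "):
            return reply
        host, port = parse_pasv(reply)
        self.expected.add((client_ip, self.public_ip, port))  # expect this data connection
        if host == self.private_ip:
            return format_pasv(self.public_ip, port)
        return reply

    def is_related(self, src_ip, dst_ip, dst_port):
        """True once for the announced data connection; any other SYN to that port is unrelated."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.remove(key)
            return True
        return False
```

Without the rewrite step the client would try to connect to 192.168.1.20, and without the recorded pinhole the data SYN to the public address is indistinguishable from any other unsolicited inbound connection, which is the directory-listing timeout described above.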