 From:  "Neil Schneider" <pacneil at linuxgeek dot net>
 To:  "Eric Higgins" <erichiggins at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ftp and per port
 Date:  Thu, 2 Sep 2004 16:00:13 -0700 (PDT)
Eric Higgins said:
> Hey guys, first I gotta say that I love m0n0wall.
>
> We have had some problems with ftp servers however.
>
> Symptom:
> login works fine, but when you try to list, the client complains it
> could not make a data connection.
>
> I was wondering if you are using the ip_conntrack_ftp module for
> iptables?
>
> Just FYI, we are using NAT, and the firewall allows incoming tcp/udp
> for ports 20-21.
>
> We were not using the one-to-one mode, but in doing so, and opening
> some more ports, we were able to resolve the issue.
>
> Just wondering if I can get some thoughts back on this.
>
> Sorry I don't have all the details handy, but I can get them tomorrow
> at work.

Just resolved this issue here.

Use 1:1 NAT, not server NAT

I used these rules for FTP.

Inbound NAT

Proto     External port   NAT IP         Internal port   Description
TCP       20              INTERNAL_IP    20
TCP       21 (FTP)        INTERNAL_IP    21 (FTP)
TCP       49152 - 65535   INTERNAL_IP    49152 - 65535   ftp passv
TCP/UDP   53 (DNS)        192.168.0.20   53 (DNS)

And of course there need to be firewall rules to allow connections on
the WAN to connect to the INTERNAL_IP on those ports.

Hope this helps.

-- 
Neil Schneider                              pacneil_at_linuxgeek_dot_net
                                           http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B  8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be stirred by
spiritless men. Enthusiasm in our daily work lightens effort and turns
even labor into pleasant tasks. --James Baldwin