Subject: Re: Passive FTP through a firewall
To: David Maxwell, Brian Hechinger <firstname.lastname@example.org>
From: Brian Hechinger <email@example.com>
Date: 08/06/2001 12:19:43
On Mon, Aug 06, 2001 at 09:44:57AM -0400, David Maxwell wrote:
> You didn't list what rules (if any) you have applied to the public IP
> you're bidir'ing on the outside.
none. the NAT translation is done before the rules are run, so there is no
point in having rules for the public addresses.
> You didn't mention that you're allowing port 21 traffic to get to the
> inside ftp server.
pass in quick proto tcp from any to 192.168.1.2/32 port = 21 flags S keep state
> In your description, it sounds like you're putting the ftp server
> 'inside' a firewall, and connecting with clients from outside?
that is correct, yes.
> 1) Hopefully you don't expect random clients to know they have to use
> PASV. (i.e. this is for a 'private' ftp server, right?)
actually, at the moment they can't use passive. that's the problem. active
works fine (as long as they are not sitting behind a firewall that restricts
it from their end) but i'm having trouble getting the passive going.
> 2) How is it failing? Connect, ls, and fail on get? Or fail to connect?
it's failing in the creation of the data link. my ftp server is opening up a
port and telling the client what it is, but the link never gets established
since the firewall blocks it.
i've got the ftp server on a bimap, so all ports are getting forwarded to this
machine, and with that firewall rule i'm allowing all traffic in on the ports
that *should* be used for passive connections (according to what i see in the
output of sysctl).
i can't figure out why this doesn't work. from what i can tell, it should.
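A quick client-side check of what the server actually hands out in its 227 reply, added here as an example and not part of the thread. It assumes the server's inside address 192.168.1.2 from the rule above and uses a placeholder passive port range in place of whatever sysctl reports on the real box; the 227 replies are constructed samples.

```python
import re

# Placeholder for the passive port range the author read from sysctl (not on the page).
PASSIVE_RANGE = (49152, 65535)

# Constructed sample 227 replies, as a client sees them after sending PASV.
# The first carries the server's inside address 192.168.1.2 (from the ipf rule);
# the second carries a public address but a port outside the allowed range.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,2,195,80)",
    "227 Entering Passive Mode (203,0,113,5,4,1)",
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 'Entering Passive Mode' reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def is_private(ip):
    """RFC 1918 check: an outside client cannot reach such an address directly."""
    o = [int(x) for x in ip.split(".")]
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)


def diagnose(reply, port_range=PASSIVE_RANGE):
    """Explain why a client outside the NAT might fail to open the data connection.

    Returns (ip, port, problems); an empty problems list means the advertised
    endpoint is at least plausible from outside.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if is_private(ip):
        # Without an ftp proxy rewriting the reply, the client tries the inside address.
        problems.append("advertised private address %s" % ip)
    lo, hi = port_range
    if not lo <= port <= hi:
        # The data port falls outside what the firewall rule is expected to pass.
        problems.append("port %d outside passed range %d-%d" % (port, lo, hi))
    return ip, port, problems


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r, "->", diagnose(r))
```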