Ftp behind firewall/nat

[eric wyzerski]

Hi,

My setup work wells with Active ftp but not with passive ftp. Your setup 
doestnt work with passive ftp. From ipfilter faq:
# I have an FTP server behind an IPF firewall, and I'm having problems 
serving passive FTP.

    The IPF How-To gives a good explanation of this. The client will try to 
connect to the server's internal IP address because that's the way passive 
FTP works: the server tells the client its IP address in the payload and the 
client connects to it.

    The solution is to explicitly tell your FTP server what to report as its 
IP address, and give it a range of ports to give out as well. You will then 
need to redirect traffic from those ports on your IPF box to the FTP server. 
Each FTP server is different, and you'll need to read the manual for your 
specific software, but to give an example, you can specificy this 
information in WU-FTPd's configuration file as follows: passive ports 
0.0.0.0/0 32768 49151
    passive address your.pub.IP.addr 0.0.0.0/0

    At the time of writing, it's been reported that Microsoft IIS's FTP 
server is not capable of being configured this way. However, most Unix FTP 
servers should have an option for this somewhere.

-----------------------

so, my problem exactly this: the client try to connect to 10.1.1.6 and not 
my external IP address. guess what? Im using IIS ftp server (I cant use 
anything else), so does there is a way to resolve this problem on doing 
something on the routeur (ipnat)?
Thanks
Eric



>From: Erik Norgaard <norgaard at locolomo.org>
>To: Andras Kende <andras at kende.com>
>CC: 'eric wyzerski' 
><ericwyzerski at hotmail.com>,freebsd-questions at freebsd.org
>Subject: Re: Ftp behind firewall/nat
>Date: Tue, 01 Feb 2005 00:07:15 +0100
>
>Andras Kende wrote:
>>
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of eric wyzerski
>>Sent: Monday, January 31, 2005 2:11 PM
>>To: freebsd-questions at freebsd.org
>>Subject: Ftp behind firewall/nat
>>
>>Hi,
>>
>>For a whole day I tried to make an ftp who is behind the firewall to work 
>>but Im not able. My ipf rules are:
>>
>>pass in quick from any to any
>>pass out quick from any to any
>>
>>So it is not a ipf problem. My ipnat rules are:
>>
>>map rl0 10.0.0.0/8 -> 0/32
>>
>>rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>>
>>where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6 
>>the ftp server. I am able to login and when I do the dir command its 
>>freeze. I have do tcpdump and I see the SYN packet goes but its never get 
>>answer. I really need help/advise
>
>First, ipnat is _first match_ unlike ipfilter which is _last match_, so in 
>the above, you last rule would never apply. Your problem is well covered in 
>the ipf-howto, do this:
>
>map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
>map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
>map rl0 10.0.0.0/8 -> 0/32
>
>This gives you ftp not just for one client but for all of them.
>
>Read the ipf-howto for more, read why you shouldn't try to reverse these 
>rules if you are trying to setup an ftp-server!
>
>Cheers, Erik
>--
>Ph: +34.666334818                           web: http://www.locolomo.org
>S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
>Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
>Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

_________________________________________________________________
Take charge with a pop-up guard built on patented Microsoft® SmartScreen 
Technology. 
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines 
  Start enjoying all the benefits of MSN® Premium right now and get the 
first two months FREE*.