Ftp behind firewall/nat
ericwyzerski at hotmail.com
Mon Jan 31 15:43:13 PST 2005
My setup works well with active FTP but not with passive FTP. Your setup
doesn't work with passive FTP. From the ipfilter FAQ:
# I have an FTP server behind an IPF firewall, and I'm having problems
serving passive FTP.
The IPF How-To gives a good explanation of this. The client will try to
connect to the server's internal IP address because that's the way passive
FTP works: the server tells the client its IP address in the payload and the
client connects to it.
The solution is to explicitly tell your FTP server what to report as its
IP address, and give it a range of ports to give out as well. You will then
need to redirect traffic from those ports on your IPF box to the FTP server.
Each FTP server is different, and you'll need to read the manual for your
specific software, but to give an example, you can specify this
information in WU-FTPd's configuration file as follows:
passive ports 0.0.0.0/0 32768 49151
passive address your.pub.IP.addr 0.0.0.0/0
At the time of writing, it's been reported that Microsoft IIS's FTP
server is not capable of being configured this way. However, most Unix FTP
servers should have an option for this somewhere.
So, my problem is exactly this: the client tries to connect to 10.1.1.6 and not
my external IP address. Guess what? I'm using the IIS FTP server (I can't use
anything else), so is there a way to resolve this problem by doing
something on the router (ipnat)?
>From: Erik Norgaard <norgaard at locolomo.org>
>To: Andras Kende <andras at kende.com>
>CC: 'eric wyzerski'
><ericwyzerski at hotmail.com>,freebsd-questions at freebsd.org
>Subject: Re: Ftp behind firewall/nat
>Date: Tue, 01 Feb 2005 00:07:15 +0100
>Andras Kende wrote:
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of eric wyzerski
>>Sent: Monday, January 31, 2005 2:11 PM
>>To: freebsd-questions at freebsd.org
>>Subject: Ftp behind firewall/nat
>>For a whole day I tried to make an FTP server that is behind the firewall work,
>>but I'm not able to. My ipf rules are:
>>pass in quick from any to any
>>pass out quick from any to any
>>So it is not a ipf problem. My ipnat rules are:
>>map rl0 10.0.0.0/8 -> 0/32
>>rdr rl0 X.X.X.X/32 port 21 -> 10.1.1.6 port 21 tcp
>>where X.X.X.X is my external IP, rl0 my external interface and 10.1.1.6
>>the ftp server. I am able to log in, and when I do the dir command it
>>freezes. I have done a tcpdump and I see the SYN packet go out, but it never
>>gets an answer. I really need help/advice.
>First, ipnat is _first match_ unlike ipfilter which is _last match_, so in
>the above, your last rule would never apply. Your problem is well covered in
>the ipf-howto, do this:
>map rl0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
>map rl0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto
>map rl0 10.0.0.0/8 -> 0/32
>This gives you ftp not just for one client but for all of them.
>Read the ipf-howto for more, and read why you shouldn't try to reverse these
>rules if you are trying to set up an FTP server!
>Ph: +34.666334818 web: http://www.locolomo.org
>S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
>Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
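The symptom described in this thread (the client connecting to 10.1.1.6 instead of the external address, then hanging on `dir`) is visible in the server's `227 Entering Passive Mode` reply before any data connection is attempted. The following script is an added example, not code from the original post or from ipfilter/ipnat: it parses a captured 227 reply, reconstructs the advertised address and port, and reports the two mismatches the FAQ excerpt talks about (a private RFC 1918 address being advertised to an outside client, and a data port outside the range the firewall redirects). The 10.1.1.6 address and the 32768-49151 range come from the thread; the public address 203.0.113.10, the sample replies and the `control_peer` value are constructed for the example.

```python
"""Check FTP PASV replies for the NAT misconfiguration discussed in the thread.

Added example (not from the original post or the ipfilter project). It only
inspects reply strings, so it can be run offline against replies captured
with tcpdump or pasted from an FTP client's debug output.
"""
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 space: an address here can never be reached from outside the NAT.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Passive port range from the WU-FTPd example quoted in the thread.
DEFAULT_PASV_RANGE = (32768, 49151)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_pasv(reply, control_peer, pasv_range=DEFAULT_PASV_RANGE):
    """Return a list of problems found in the reply (empty list = consistent).

    control_peer is the address the client used for the control connection,
    i.e. what the server should be advertising once it is configured with its
    public address.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append(
            "advertised address %s is RFC 1918 private; an outside client "
            "cannot open a data connection to it" % ip)
    if ip != control_peer:
        problems.append(
            "advertised address %s differs from the control-connection "
            "address %s (server is not reporting its public address)"
            % (ip, control_peer))
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(
            "data port %d is outside the redirected range %d-%d; the "
            "firewall will not forward it to the server" % (port, lo, hi))
    return problems


# Constructed sample replies. 128,0 encodes port 32768; 4,1 encodes port 1025.
REPLY_INTERNAL_ADDR = "227 Entering Passive Mode (10,1,1,6,128,0)"
REPLY_FIXED = "227 Entering Passive Mode (203,0,113,10,128,0)"
REPLY_LOW_PORT = "227 Entering Passive Mode (203,0,113,10,4,1)"
CONTROL_PEER = "203.0.113.10"  # constructed stand-in for the thread's X.X.X.X


if __name__ == "__main__":
    for label, reply in [("thread symptom", REPLY_INTERNAL_ADDR),
                         ("after fix", REPLY_FIXED),
                         ("wrong port range", REPLY_LOW_PORT)]:
        print(label, parse_pasv(reply))
        for p in check_pasv(reply, CONTROL_PEER):
            print("  -", p)
```

Feeding the thread's own situation through `check_pasv` reports both an RFC 1918 address and a mismatch with the control-connection peer, which is exactly why the client's SYN goes to an unreachable address; once the server advertises the public address and a port inside the redirected range, the list comes back empty.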