Re: FTP through NATD?
by Jason on Saturday June 08, @03:16PM
Mark,
You are correct, and I came to the same conclusion. Here are the ipfw rules which I have found to work using 'passive ftp' - without any delay. I have used them with both my server directly and via natd redirection. Check it out. In the meantime I will look into an active ftp rule set.
# Allow passive FTP in (data channel: client ephemeral port -> server passive port range)
$fwcmd add pass log tcp from any 1024-65535 to any 49152-65535
# Allow the control channel in on port 21; keep-state tracks the connection once set up
$fwcmd add pass log tcp from any to any 21 in recv ${oif} setup keep-state
The Fine Print: The following comments are owned by whoever posted them.
Re: FTP through NATD?
by Jason on Sunday June 09, @11:05AM
Okay, I believe I have solved this. The firewall rules that I provided in the previous post seem fine for both passive and active ftp. Here are those rules again:
$fwcmd add pass log tcp from any 1024-65535 to any 49152-65535
$fwcmd add pass log tcp from any to any 21 in recv ${oif} setup keep-state
I was having a problem with active ftp only because the site I was using to launch my ftp client software would only allow passive outbound ftp connections. Using active ftp was blocked on the client side and had nothing to do with my server test.
So now it comes down to a nat'd connection:
I added the following line to my /etc/rc.conf
# NATD
natd_enable="YES"
natd_interface="xl0" # my outside interface
natd_flags="-f /usr/local/etc/natd.conf"
I created the file /usr/local/etc/natd.conf with the following rules:
redirect_port tcp 192.168.1.10:21 21
redirect_port tcp 192.168.1.10:20 20
The RFC 1918 address 192.168.1.10 is the address of the machine running ftpd behind my firewall on my private network.
After these changes I ftp'd some files multiple times and all went well.
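As an added example (not code from the thread, and not part of Jason's configuration): a small Python model of the FTP data-channel negotiation that the ipfw rules and natd redirect_port lines above are dealing with. It parses the two messages that set up a data connection, the server's 227 PASV reply and the client's PORT command, computes the data port from the RFC 959 "h1,h2,h3,h4,p1,p2" encoding, and checks a passive connection against the port predicates of the two ipfw rules (both are "from any to any", so only ports matter). It also flags a PASV reply that carries the RFC 1918 server address, which an outside client cannot reach unless the NAT rewrites the reply. Only 192.168.1.10 and the two port ranges come from the posts; the sample messages, the client address and the client's ephemeral port are constructed for this example.

```python
"""Model of the FTP data-channel negotiation behind the ipfw and natd lines above.

Added example, not code from the thread. Only the server address 192.168.1.10
and the two port ranges are taken from the posts; every message, the client
address and the client's ephemeral port are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FTP_SERVER_PRIVATE = "192.168.1.10"   # ftpd host behind natd (from the post)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = (0, 65535)


@dataclass(frozen=True)
class Rule:
    src_ports: Tuple[int, int]   # inclusive source-port range
    dst_ports: Tuple[int, int]   # inclusive destination-port range
    name: str

    def matches(self, src_port: int, dst_port: int) -> bool:
        return (self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])


# The two inbound ipfw rules quoted in the thread, reduced to their port predicates
# (both use "from any to any", so addresses play no part in the match).
IPFW_INBOUND = [
    Rule((1024, 65535), (49152, 65535), "passive data channel"),
    Rule(ANY, (21, 21), "control channel (setup keep-state)"),
]

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")   # RFC 959 passive reply
_PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")    # RFC 959 active command


def _hostport(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """(server_ip, data_port) announced by a 227 reply, or None."""
    m = _PASV_RE.match(reply)
    return _hostport(m.groups()) if m else None


def parse_port(command: str) -> Optional[Tuple[str, int]]:
    """(client_ip, data_port) requested by a PORT command, or None."""
    m = _PORT_RE.match(command)
    return _hostport(m.groups()) if m else None


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def first_match(rules, src_port: int, dst_port: int) -> Optional[str]:
    """Name of the first rule whose port ranges cover the connection, else None."""
    for rule in rules:
        if rule.matches(src_port, dst_port):
            return rule.name
    return None


def classify_data_channel(message: str, client_port: int = 50000) -> dict:
    """Describe the data connection a PASV reply or PORT command sets up.

    Passive: the client connects *inbound* to the announced server port, so the
    connection is checked against the two inbound rules. Active: the server
    dials *out* from port 20 to the client's port; the inbound rules do not
    govern that direction, so 'rule' is None. client_port is the client's
    ephemeral source port for the passive connect (constructed default).
    """
    pasv = parse_pasv(message)
    if pasv:
        ip, port = pasv
        return {"mode": "passive", "direction": "inbound", "data_port": port,
                "rule": first_match(IPFW_INBOUND, client_port, port),
                # A private address in the 227 payload is unusable by an outside
                # client unless the NAT rewrites it, so surface it for the operator.
                "announces_rfc1918": is_rfc1918(ip)}
    active = parse_port(message)
    if active:
        ip, port = active
        return {"mode": "active", "direction": "outbound", "data_port": port,
                "rule": None, "announces_rfc1918": is_rfc1918(ip)}
    raise ValueError("not a PASV reply or PORT command")


if __name__ == "__main__":
    # Constructed messages: a passive reply inside the rule's range, one below
    # it (which the rule would not pass), and an active request from a
    # constructed outside client (198.51.100.7).
    server = FTP_SERVER_PRIVATE.replace(".", ",")
    for msg in (f"227 Entering Passive Mode ({server},195,80)",
                f"227 Entering Passive Mode ({server},3,233)",
                "PORT 198,51,100,7,4,1"):
        print(msg, "->", classify_data_channel(msg))
```

The second constructed reply announces port 1001, which the passive rule's 49152-65535 destination range does not cover; that is the check to run when a transfer stalls after the 227 reply, since the passive port range ftpd hands out has to sit inside the range the rule opens. The active case is reported with no matching rule because the server's connection from port 20 leaves the firewall rather than entering it, which is consistent with only inbound rules being shown in the posts.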
Re: FTP through NATD?
by Mark Weisman on Sunday June 09, @01:41PM
I've got the passing of the FTP signals to the ftp box, and we can get there. The problem is that I'm running wu-ftp on a Red Hat box as the ftp server, and it is running on a class C network internally. I think the problem is that the Red Hat box is not recognizing the open ports on the firewall, and therefore cannot properly reply to the client. I still have a huge timing delay when using ftp into the server. Any suggestions? I have made the changes you suggested.