Posted by Mark Weisman on Wednesday June 05, @09:07PM
from the captain-she's breaking up, I can't hold it much longer. dept.
I've been told that when using FTP through the NATD on a FreeBSD box, you must add not only port 21, but 20 for ftp-data, and another one for active communication. What's the third port? Never heard of such a thing.
However, realistically I've configured my ipfw to accept both ports 20 and 21, and I've added the redirect to my natd, yet I cannot see through the firewall with FTP. Any suggestions?
The Fine Print: The following comments
are owned by whoever posted them.
Re: FTP through NATD?
by Jason on Friday June 07, @08:55AM
Hmmm... Your problem isn't a natd problem necessarily but rather a firewall issue, and a somewhat complex one at that. You can easily test this by setting the firewall to open (temporarily) and then attempting a nat'd ftp session. If it works, you know that natd is not the problem and that leaves only the firewall.
Here is a link that describes both the active and passive ftp protocol, and some of the issues surrounding it and firewalls.
I'm hot on the trail of this silly problem and I will post a useful reply as soon as I figure it out.
Re: FTP through NATD?
by Mark Weisman on Friday June 07, @04:08PM
You're right! I don't believe that it has anything to do with the natd. However, I have read that I need to open an upper range due to the way the FTP server responds to the PORT command. However, even if I force the user to use the PASV command, it is still not going through the firewall. This problem is completely within ipfw.
Re: FTP through NATD?
by Mark Weisman on Saturday June 08, @10:49AM
OK, some news! To allow for active FTP, you've got to change or unlock ports 49152 through 65535 to allow for the server to make a decision on which port to use (Man I hate Windows)! Anyway, I also read that opening 113 to allow identd to communicate is a good thing as well. I still have a huge time-delay which I'm currently working on. When the user logs in, it takes about 3 whole minutes for the directory list to come up, and then each click produces a 30 - 45 second wait. I'm trying to figure this one out. You know, if we didn't have to worry about Windows users, ports 20 and 21 would be enough. (Stepping off soapbox.)
Re: FTP through NATD?
by Jason on Saturday June 08, @02:16PM
Mark,
You are correct, and I came to the same conclusion. Here are the ipfw rules which I have found to work using 'passive ftp' - without any delay. I have used them with both my server directly and via natd redirection. Check it out. In the meantime I will look into an active ftp rule set.
# Allow passive FTP in
$fwcmd add pass log tcp from any 1024-65535 to any 49152-65535
$fwcmd add pass log tcp from any to any 21 in recv ${oif} setup keep-state
Re: FTP through NATD?
by Jason on Sunday June 09, @10:05AM
Okay I believe I have solved this. The firewall rules that I provided in the previous post seem fine for both passive and active ftp. Here are those rules again:
$fwcmd add pass log tcp from any 1024-65535 to any 49152-65535
$fwcmd add pass log tcp from any to any 21 in recv ${oif} setup keep-state
I was having a problem with active ftp, only because the site I was using to launch my ftp client software would only allow passive outbound ftp connections. Using active ftp was blocked on the client side and had nothing to do with my server test.
So now it comes down to a nat'd connection:
I added the following line to my /etc/rc.conf
# NATD
natd_enable="YES"
natd_interface="xl0" # my outside interface
natd_flags="-f /usr/local/etc/natd.conf"
I created the file /usr/local/etc/natd.conf with the following rules:
redirect_port tcp 192.168.1.10:21 21
redirect_port tcp 192.168.1.10:20 20
The RFC 1918 address 192.168.1.10 is the address of the machine running ftpd behind my firewall on my private network.
After these changes I ftp'd some files multiple times and all went well.
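Added example (not code from the thread): a small Python helper that decodes the data endpoint announced in a 227 passive-mode reply or a PORT command (port = p1*256 + p2) and checks whether the resulting inbound data connection would match the first ipfw rule Jason posted, i.e. source 1024-65535 to destination 49152-65535. The 192.168.1.10 address is the ftpd address from the thread; the sample replies and the client source port are constructed.

```python
import ipaddress
import re

# Port ranges taken from the ipfw rule posted in the thread:
#   pass tcp from any 1024-65535 to any 49152-65535
CLIENT_SRC_RANGE = (1024, 65535)
SERVER_DATA_RANGE = (49152, 65535)

# Six address fields as in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" / "PORT ..."
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)

def decode_hostport(fields):
    """Six FTP address fields -> (ip, port); the port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP address field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_pasv(reply):
    """Data endpoint the server announces in a 227 reply (passive mode)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return decode_hostport(m.groups())

def parse_port(command):
    """Data endpoint the client announces in a PORT command (active mode)."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("not a PORT command")
    return decode_hostport(m.groups())

def check_passive(reply, client_src_port):
    """Would the inbound passive data connection match the posted rule?
    Returns (port_allowed, announced_address_is_private)."""
    host, data_port = parse_pasv(reply)
    allowed = (CLIENT_SRC_RANGE[0] <= client_src_port <= CLIENT_SRC_RANGE[1]
               and SERVER_DATA_RANGE[0] <= data_port <= SERVER_DATA_RANGE[1])
    # A private address in the reply is unreachable for a client outside the NAT
    return allowed, ipaddress.ip_address(host).is_private

if __name__ == "__main__":
    # Constructed sample replies; 192.168.1.10 is the ftpd address from the thread
    in_range = "227 Entering Passive Mode (192,168,1,10,200,0)"   # data port 51200
    too_low = "227 Entering Passive Mode (192,168,1,10,4,1)"      # data port 1025
    for reply in (in_range, too_low):
        print(parse_pasv(reply), check_passive(reply, 40000))
```

A server that announces a passive port below 49152 never matches the first rule, so the client's data connection is dropped and the session stalls; note also that the rule is stateless and admits any TCP connection into 49152-65535 whether or not a control session on port 21 exists, so the range should be kept as narrow as the ftpd's passive-port setting allows.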
Re: FTP through NATD?
by Mark Weisman on Sunday June 09, @12:41PM
I've got the passing of the FTP signals to the ftp box, and we can get there. The problem is that I'm running wu-ftp on a redhat box as the ftp server, and it is running on a class-c network internally. I think the problem is that the redhat box is not recognizing the open ports on the firewall, and therefore cannot properly reply to the client. I still have a huge timing delay when using ftp into the server. Any suggestions? I have made the changes you suggested.