RE: [lug-nuts] attn Rick - PMFirewall Question

From: Lancashire, Andrew (LancashireA@sutterhealth.org)
Date: Fri Jan 07 2000 - 10:51:21 PST


Here's the thing:

Using Passive ftp ensures that the source is always starting the TCP
session. Even though there may be many TCP sessions started, the originating
SYN packet always comes from the source to the destination. This makes the
TCP session always established from the inside of the firewall in this case.
The firewall keeps track of these established sessions and thus allows
requested data to be received by the client with ftp. Under normal ftp (not
passive) the get requests are always followed up by the server asking the
client to listen on a predefined port number. Firewalls do not like this
because the session doesn't get established from the trusted side (inside).
So in the case of the firewall not allowing you to ftp data back to the
client, you may want to ensure your firewall configuration or make sure your
client is even doing passive mode. To ensure the client is:

$ftp
ftp> pas
Passive mode on.
ftp> open metalab.unc.edu
Connected to metalab.unc.edu

If anyone has any contradictions to this information I would be glad to
e-mail the sniffer trace I took before writing this.

Andrew
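
As an added illustration of the point above (not part of the original message), here is a small Python model of a stateful firewall that only tracks sessions whose SYN comes from the inside, with the two FTP data-connection set-ups run through it. The parsers follow the standard 227 PASV reply and PORT command formats; the addresses, ports and the firewall class are constructed for the example.

```python
import re

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT command (active mode): "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _to_host_port(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return ".".join(str(x) for x in (h1, h2, h3, h4)), p1 * 256 + p2


def parse_pasv(reply):
    """Host/port the *client* must connect to after a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _to_host_port(m.groups())


def parse_port_cmd(cmd):
    """Host/port the *server* will connect to after a client PORT command."""
    m = PORT_RE.search(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _to_host_port(m.groups())


class StatefulFirewall:
    """Constructed model: sessions are admitted only when the SYN originates inside."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." marks the trusted side
        self.established = set()             # (src, dst) endpoint pairs being tracked

    def syn(self, src, dst):
        """Handle a new-session SYN from src=(ip, port) to dst; return True if admitted."""
        if src[0].startswith(self.inside_prefix):
            self.established.add((src, dst))
            return True
        return False                          # outside-initiated SYN is dropped

    def packet(self, src, dst):
        """Non-SYN traffic passes in either direction only for a tracked session."""
        return (src, dst) in self.established or (dst, src) in self.established


def data_connection_allowed(fw, client_ip, server_ip, mode, text):
    """Return whether fw admits the FTP data connection for 'passive' or 'active' mode."""
    if mode == "passive":
        host, port = parse_pasv(text)          # client opens the data connection
        return fw.syn((client_ip, 40001), (host, port))   # 40001: constructed ephemeral port
    host, port = parse_port_cmd(text)          # server opens it from port 20 (ftp-data)
    return fw.syn((server_ip, 20), (host, port))
```

With a client at 10.0.0.5 behind the firewall and a server at 203.0.113.7, the passive data connection is admitted and the active one (server SYN from port 20 toward the client) is dropped, which matches the behaviour described in the message.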

-----Original Message-----
From: Mike Machado [mailto:mike@cheapnet.net]
Sent: Friday, January 07, 2000 10:39 AM
To: lug-nuts@saclug.org
Subject: Re: [lug-nuts] attn Rick - PMFirewall Question

On Fri, 7 Jan 2000, Michael Long wrote:

> How do you plan on letting passive ftp through? The return packets open up
> a new port above 1024 and it's random every time.
>

But the destination is always the same. port 20.
 
> Michael
>
> On Fri, 7 Jan 2000, Rick Johnson wrote:
>
> >
> > Hi Adam,
> >
> > > Will PMFirewall let me do port forwarding? I've used ipmasqadm in the
> > > past and it worked well...wouldn't let passive FTP through :<
> >
> > The quick answer is no, not yet. But it is possible to add it in manually.
> > Feel free to email me privately and we can talk about it.
> >
> > - Rick
> >
> >
> > ****************************************************************************
> > * To UNSUBSCRIBE from the list, send a message with "unsubscribe lug-nuts"
> > * in the message body to majordomo@saclug.org. Please direct other
> > * questions, comments, or problems to lug-nuts-owner@saclug.org.
> >
>
>

Mike Machado
mike@innercite.com
InnerCite
Network Specialist




This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:10 PST