Re: [lug-nuts] attn Rick - PMFirewall Question

From: Mike Machado (mike@innercite.com)
Date: Fri Jan 07 2000 - 11:14:31 PST


Michael Long wrote:
>
> So what you are saying is that passive ftp won't work on the firewall
> because the data port is different coming back into the firewall?
>
Actually passive mode works WITH a firewall. It's the non-passive ones that
break. We do this exact same thing for our internal LAN here. Netscape by
default does passive FTP, which should work through this type of firewall.

> Michael
>
> On Fri, 7 Jan 2000, Lancashire, Andrew wrote:
>
> > Here's the thing:
> >
> > Using passive FTP ensures that the source is always starting the TCP
> > session. Even though there may be many TCP sessions started, the originating
> > SYN packet always comes from the source to the destination. This makes the
> > TCP session always established from the inside of the firewall in this case.
> > The firewall keeps track of these established sessions and thus allows
> > requested data to be received by the client with FTP. Under normal FTP (not
> > passive) the get requests are always followed up by the server asking the
> > client to listen on a predefined port number. Firewalls do not like this
> > because the session doesn't get established from the trusted side (inside).
> > So in the case of the firewall not allowing you to FTP data back to the
> > client, you may want to check your firewall configuration or make sure your
> > client is even doing passive mode. To ensure the client is:
> >
> > $ ftp
> > ftp> pas
> > Passive mode on.
> > ftp> open metalab.unc.edu
> > Connected to metalab.unc.edu
> >
> > If anyone has any contradictions to this information I would be glad to
> > e-mail the sniffer trace I took before writing this.
> >
> > Andrew
> >
> > -----Original Message-----
> > From: Mike Machado [mailto:mike@cheapnet.net]
> > Sent: Friday, January 07, 2000 10:39 AM
> > To: lug-nuts@saclug.org
> > Subject: Re: [lug-nuts] attn Rick - PMFirewall Question
> >
> >
> >
> >
> > On Fri, 7 Jan 2000, Michael Long wrote:
> >
> > > How do you plan on letting passive FTP through? The return packets open up
> > > a new port above 1024 and it's random every time.
> > >
> >
> > But the destination is always the same: port 20.
> >
> > > Michael
> > >
> > > On Fri, 7 Jan 2000, Rick Johnson wrote:
> > >
> > > >
> > > > Hi Adam,
> > > >
> > > > > Will PMFirewall let me do port forwarding? I've used ipmasqadm in the
> > > > > past and it worked well... wouldn't let passive FTP through :<
> > > >
> > > > The quick answer is no, not yet. But it is possible to add it in manually.
> > > > Feel free to email me privately and we can talk about it.
> > > >
> > > > - Rick
> > > >
> > > >
> > > > ****************************************************************************
> > > > * To UNSUBSCRIBE from the list, send a message with "unsubscribe lug-nuts"
> > > > * in the message body to majordomo@saclug.org. Please direct other
> > > > * questions, comments, or problems to lug-nuts-owner@saclug.org.
> > > >
> > >
> > >
> > >
> >
> > Mike Machado
> > mike@innercite.com
> > InnerCite
> > Network Specialist
> >
> >
>

-- 
Mike Machado
mike@innercite.com
InnerCite
Network Specialist
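The active/passive distinction the thread is arguing about, as an added example that is not code from the thread, from PMFirewall or from ipmasqadm: a small Python model of a stateful firewall that creates state only for SYNs originating on the inside, together with the h1,h2,h3,h4,p1,p2 address encoding that RFC 959 uses for both the PORT command and the 227 reply to PASV. Running it shows the passive data connection (client originates the SYN toward the port the server announced) being admitted and the active one (server originates the SYN from port 20 toward the port the client announced) being dropped. The addresses 192.168.1.10 and 198.51.100.7, the ephemeral ports, and the listening ports 51189 and 5001 are constructed for the example.

```python
"""Model of why passive FTP survives an outbound-only stateful firewall while
active FTP does not.  Added example; not code from the lug-nuts thread,
PMFirewall or ipmasqadm.  All addresses and ports below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Set, Tuple

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 PASV reply
# (RFC 959).  The port is p1 * 256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Tuple[str, int]:
    """Extract (ip, port) from a PORT command or a 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def format_hostport(ip: str, port: int) -> str:
    """Encode (ip, port) as h1,h2,h3,h4,p1,p2 for PORT / 227."""
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class StatefulFirewall:
    """Only SYNs from a trusted (inside) address create state; every other
    packet must match an existing entry in either direction."""
    inside: Set[str]
    table: Set[Flow] = field(default_factory=set)

    def syn(self, flow: Flow) -> bool:
        """New connection attempt: admitted only if it starts on the inside."""
        if flow.src_ip in self.inside:
            self.table.add(flow)
            return True
        return False

    def packet(self, flow: Flow) -> bool:
        """Non-SYN packet: admitted if it belongs to a tracked session."""
        return flow in self.table or flow.reverse() in self.table


def ftp_data_channel(fw: StatefulFirewall, client_ip: str, server_ip: str,
                     passive: bool) -> bool:
    """Play the control-channel exchange that sets up one data transfer and
    return whether the firewall lets the data connection open."""
    # Control channel: client -> server:21, always originated on the inside.
    control = Flow(client_ip, 40001, server_ip, 21)
    if not fw.syn(control) or not fw.packet(control.reverse()):
        raise RuntimeError("control channel should always be admitted")

    if passive:
        # Client sends PASV; the server answers with *its* listening socket.
        # The client then originates the data SYN, so state gets created.
        reply = f"227 Entering Passive Mode ({format_hostport(server_ip, 51189)})"
        ip, port = parse_hostport(reply)
        return fw.syn(Flow(client_ip, 40002, ip, port))

    # Active: client announces where *it* listens; the server then originates
    # the SYN from port 20.  That is a new inbound connection, so no state.
    cmd = f"PORT {format_hostport(client_ip, 5001)}"
    ip, port = parse_hostport(cmd)
    return fw.syn(Flow(server_ip, 20, ip, port))


if __name__ == "__main__":
    for passive in (True, False):
        fw = StatefulFirewall(inside={"192.168.1.10"})
        ok = ftp_data_channel(fw, "192.168.1.10", "198.51.100.7", passive)
        print(f"{'passive' if passive else 'active'} data channel:",
              "allowed" if ok else "blocked")
```

The model deliberately has no FTP-aware helper: it only sees SYN direction, which is exactly why a plain masquerading box admits the passive data channel and drops the active one unless something parses the PORT command on the control channel and punches a hole for the server's incoming SYN.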



This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:10 PST