RE: [lug-nuts] attn Rick - PMFirewall Question

From: Marc Matteo (MMatteo@sacbee.com)
Date: Fri Jan 07 2000 - 11:33:24 PST


Actually, I think a wrench gets thrown in by adding IP Masquerading and port
forwarding.

I don't have my IPChains/IPMasq stuff in front of me (I'm at work) but I've
had problems with PASV FTP transfers on that setup to machines within my
home network.

Now it may be just a simple configuration problem or it could be a
shortcoming with IPChains and IPMasq, I don't know, I haven't looked into it
that much...

...but now I will, after I get home, and post what I've seen.

Cheers,
Marc

Marc Matteo
Technical Leader, sacbee.com
http://www.sacbee.com

> ----------
> From: Lancashire, Andrew
> Reply To: lug-nuts@saclug.org
> Sent: Friday, January 7, 2000 10:51 AM
> To: 'lug-nuts@saclug.org'
> Subject: RE: [lug-nuts] attn Rick - PMFirewall Question
>
> Here's the thing:
>
> Using Passive ftp ensures that the source is always starting the TCP
> session. Even though there may be many TCP sessions started, the
> originating SYN packet always comes from the source to the destination.
> This makes the TCP session always established from the inside of the
> firewall in this case. The firewall keeps track of these established
> sessions and thus allows requested data to be received by the client with
> ftp. Under normal ftp (not passive) the get requests are always followed
> up by the server asking the client to listen on a predefined port number.
> Firewalls do not like this because the session doesn't get established
> from the trusted side (inside). So in the case of the firewall not
> allowing you to ftp data back to the client, you may want to ensure your
> firewall configuration or make sure your client is even doing passive
> mode. To ensure the client is:
>
> $ftp
> ftp> pas
> Passive mode on.
> ftp> open metalab.unc.edu
> Connected to metalab.unc.edu
>
> If anyone has any contradictions to this information I would be glad to
> e-mail the sniffer trace I took before writing this.
>
> Andrew
>
> -----Original Message-----
> From: Mike Machado [mailto:mike@cheapnet.net]
> Sent: Friday, January 07, 2000 10:39 AM
> To: lug-nuts@saclug.org
> Subject: Re: [lug-nuts] attn Rick - PMFirewall Question
>
>
> On Fri, 7 Jan 2000, Michael Long wrote:
>
> > How do you plan on letting passive ftp through? The return packets open
> > up a new port above 1024 and it's random every time.
> >
>
> But the destination is always the same: port 20.
>
> > Michael
> >
> > On Fri, 7 Jan 2000, Rick Johnson wrote:
> >
> > >
> > > Hi Adam,
> > >
> > > > Will PMFirewall let me do port forwarding? I've used ipmasqadm in the
> > > > past and it worked well...wouldn't let passive FTP through :<
> > >
> > > The quick answer is no, not yet. But it is possible to add it in
> > > manually. Feel free to email me privately and we can talk about it.
> > >
> > > - Rick
> > >
> > > ****************************************************************************
> > > * To UNSUBSCRIBE from the list, send a message with "unsubscribe lug-nuts"
> > > * in the message body to majordomo@saclug.org. Please direct other
> > > * questions, comments, or problems to lug-nuts-owner@saclug.org.
> > >
> Mike Machado
> mike@innercite.com
> InnerCite
> Network Specialist
>

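Andrew's explanation above (passive FTP gets through because the client sends the SYN; active FTP does not because the server connects back to the client) as an added example that is not part of the thread: a small Python helper that reads a PORT command or a 227 reply from the control channel and predicts who initiates the data connection and whether a firewall that only admits inside-initiated sessions will let it through. The client address 192.168.1.10 and server address 203.0.113.5 in the comments are constructed sample values.

```python
import re
from dataclasses import dataclass

# FTP announces a data-channel endpoint as h1,h2,h3,h4,p1,p2 in two places:
#   PORT h1,h2,h3,h4,p1,p2                         client -> server (active mode)
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  server -> client (PASV reply)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> tuple:
    """Decode the six-number form into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range")
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ".".join(str(x) for x in n[:4]), port


@dataclass
class DataConn:
    initiator: str      # "client" or "server": the side that sends the SYN
    dst_host: str
    dst_port: int
    allowed: bool       # under a policy that admits only inside-initiated sessions
    matches_peer: bool  # announced address equals the control-channel peer's address


def expected_data_connection(line: str, client_ip: str, server_ip: str) -> DataConn:
    """Predict the data connection that one control-channel line sets up.

    Assumes the client sits on the trusted (inside) side and the server outside,
    as in the thread, and a firewall that only admits SYNs arriving from inside.
    matches_peer is False when e.g. a masqueraded client announces its private
    address in PORT, which the server cannot reach without a NAT helper.
    Sample values: client 192.168.1.10, server 203.0.113.5 (constructed)."""
    if line.upper().startswith("PORT "):
        host, port = parse_hostport(line)
        initiator, peer = "server", client_ip   # server connects from port 20 to client
    elif line.startswith("227"):
        host, port = parse_hostport(line)
        initiator, peer = "client", server_ip   # client connects out to server's port
    else:
        raise ValueError("expected a PORT command or a 227 reply")
    return DataConn(initiator, host, port, initiator == "client", host == peer)
```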

This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:10 PST