RE: [lug-nuts] attn Rick - PMFirewall Question

From: Lancashire, Andrew (LancashireA@sutterhealth.org)
Date: Fri Jan 07 2000 - 15:38:35 PST


No, it will work because all the TCP sessions are trusted by the firewall
since they were established from the inside. As in, from the trusted side to
the untrusted side.

-----Original Message-----
From: Michael Long [mailto:mlong@ns.net]
Sent: Friday, January 07, 2000 11:06 AM
To: 'lug-nuts@saclug.org'
Subject: RE: [lug-nuts] attn Rick - PMFirewall Question

So what you are saying is that passive ftp won't work on the firewall
because the data port is different coming back into the firewall?

Michael

On Fri, 7 Jan 2000, Lancashire, Andrew wrote:

> Here's the thing:
>
> Using Passive ftp ensures that the source is always starting the TCP
> session. Even though there may be many TCP sessions started, the
> originating SYN packet always comes from the source to the destination.
> This makes the TCP session always established from the inside of the
> firewall in this case. The firewall keeps track of these established
> sessions and thus allows requested data to be received by the client
> with ftp. Under normal ftp (not passive) the get requests are always
> followed up by the server asking the client to listen on a predefined
> port number. Firewalls do not like this because the session doesn't get
> established from the trusted side (inside). So in the case of the
> firewall not allowing you to ftp data back to the client, you may want
> to check your firewall configuration or make sure your client is even
> doing passive mode. To ensure the client is:
>
> $ ftp
> ftp> pas
> Passive mode on.
> ftp> open metalab.unc.edu
> Connected to metalab.unc.edu
>
> If anyone has any contradictions to this information I would be glad to
> e-mail the sniffer trace I took before writing this.
>
> Andrew
>
> -----Original Message-----
> From: Mike Machado [mailto:mike@cheapnet.net]
> Sent: Friday, January 07, 2000 10:39 AM
> To: lug-nuts@saclug.org
> Subject: Re: [lug-nuts] attn Rick - PMFirewall Question
>
>
>
>
> On Fri, 7 Jan 2000, Michael Long wrote:
>
> > How do you plan on letting passive ftp through? The return packets open
> > up a new port above 1024 and it's random every time.
> >
>
> But the destination is always the same. port 20.
>
> > Michael
> >
> > On Fri, 7 Jan 2000, Rick Johnson wrote:
> >
> > >
> > > Hi Adam,
> > >
> > > > Will PMFirewall let me do port forwarding? I've used ipmasqadm in the
> > > > past and it worked well...wouldn't let passive FTP through :<
> > >
> > > The quick answer is no, not yet. But it is possible to add it in
> > > manually.
> > > Feel free to email me privately and we can talk about it.
> > >
> > > - Rick
> > >
> > >
>
> > > ****************************************************************************
> > > * To UNSUBSCRIBE from the list, send a message with "unsubscribe
> lug-nuts"
> > > * in the message body to majordomo@saclug.org. Please direct other
> > > * questions, comments, or problems to lug-nuts-owner@saclug.org.
> > >
> >
>
> Mike Machado
> mike@innercite.com
> InnerCite
> Network Specialist
>


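As an added illustration of the point argued in this thread (example code, not from any of the posters or from PMFirewall): a toy connection-tracking firewall that only admits sessions opened from the trusted side, fed the address/port encoding shared by the FTP `227` PASV reply and the `PORT` command. The addresses, ports and the `10.0.0.` trusted prefix are constructed.

```python
"""Toy stateful firewall showing why passive FTP gets through and active
FTP does not.  Constructed simulation, not PMFirewall or ipchains code."""
import re
from dataclasses import dataclass

TRUSTED_NET = "10.0.0."   # constructed: inside (trusted) network prefix
CLIENT = "10.0.0.5"       # constructed: FTP client behind the firewall
SERVER = "192.0.2.10"     # constructed: FTP server on the untrusted side

# Both the PASV reply (227 ...) and the PORT command carry an address and
# port as six decimal bytes h1,h2,h3,h4,p1,p2, where port = p1*256 + p2.
HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text: str) -> tuple[str, int]:
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass(frozen=True)
class Syn:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Sessions may only be opened from the trusted side.  A SYN from the
    inside is recorded and allowed; a SYN arriving from the outside is a
    new session the inside never asked for, so it is dropped."""
    def __init__(self) -> None:
        self.sessions: set[Syn] = set()

    def handle_syn(self, syn: Syn) -> bool:
        if syn.src.startswith(TRUSTED_NET):
            self.sessions.add(syn)
            return True
        return False

def passive_data_connection(fw: StatefulFirewall, pasv_reply: str) -> bool:
    # Passive: the client connects out to the high port the server announced.
    host, port = parse_hostport(pasv_reply)
    return fw.handle_syn(Syn(CLIENT, 40123, host, port))

def active_data_connection(fw: StatefulFirewall, port_cmd: str) -> bool:
    # Active: the server connects in from port 20 to the port the client announced.
    host, port = parse_hostport(port_cmd)
    return fw.handle_syn(Syn(SERVER, 20, host, port))
```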


This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:10 PST