Re: PLEASE HEEEEEELLLLPPPP ME...

From: Barry Irwin (bvi_at_lair.moria.org)
Date: 07/24/03

    To: <zel@free.fr>, <freebsd-net@freebsd.org>
    Date: Thu, 24 Jul 2003 14:31:17 +0200

    Hi

    Your problem is that the ports you have allowed are not the only ports FTP
    uses. FTP makes use of two separate TCP connections.

    The first is the command connection (21/tcp), which is the connection used
    for logging in and issuing commands. However, when you make a data
    connection (retrieving a file, listing a directory) a data connection is
    opened up. Traditionally, port 20/tcp (ftp-data) was used, the process
    being that the server opened a connection to your client machine from port
    20.

    This clearly has issues when combined with firewalls and NAT.

    The other FTP transfer mode is Passive mode. Here, a data request is made,
    and the server provides details of what port the client should connect to.

    The problem you are seeing is because you are not natting all the possible
    ports through. The best suggestion I have is to install something like
    jftpgw, which will run on your firewall/gateway and act as an FTP proxy back
    to the FTP server.

    Regards,

    Barry

    ----- Original Message -----
    From: <zel@free.fr>
    To: <freebsd-net@freebsd.org>
    Sent: Wednesday, July 23, 2003 1:51 PM
    Subject: PLEASE HEEEEEELLLLPPPP ME...

    > please HELP !!!
    >
    >
    > Ok... here is my problem that I tried to explain completely!
    >
    > The situation is the one below:
    >
    > =====================================
    > |SpeedToucheHome Ethernet ADSL Modem|
    > | 10.0.0.138/24 |
    > =====================================
    > |
    > 10.0.0.0/24
    > |
    > ==========================
    > | 10.0.0.1/24 |
    > | (A) 10.1.0.254/24 |- 10.1.0.0/24 - (... DMZ ...)
    > | 192.168.1.254/24 |
    > ==========================
    > |
    > 192.168.1.0/24
    > |
    > ...
    > clients workstations
    >
    >
    > My problem is about the computer A, which does not do what I would like it
    > to do.
    >
    > Currently, this computer has a customized kernel with those options:
    > IPFIREWALL
    > IPDIVERT
    >
    > but not IPFILTER !!! maybe it is the problem, I don't know !
    >
    > in the rc.conf, I made the following configuration
    > firewall_enabled="YES"
    > firewall_type="SIMPLE" (but I tried too with "OPEN")
    >
    > natd_enable="YES"
    > natd_interface="tun0" (this is the interface for PPPoE, I think)
    > natd_flags="-f /etc/natd.conf"
    >
    > ...
    >
    >
    > and in natd.conf:
    > dynamic
    > interface tun0
    > redirect_port tcp 10.1.0.1:20-21 20-21
    >
    >
    > 10.1.0.1 is the IP address of my FTP server, which is a computer placed in
    > the DMZ.
    >
    > My problem is: "from outside, I cannot access the FTP server..."
    >
    > What I can say is:
    > First: My FTP server is OK because from inside, I can access it from any
    > computer in the DMZ or from the client workstations.
    > Second: The answer to an outside request is "connection closed by host".
    > Third: Interface tun0 (the virtual interface for PPPoE) receives the ftp
    > requests but does not forward them to ed1 (the outside netcard of A,
    > configured with 10.0.0.1). (I discovered that with tcpdump.)
    > (the other interfaces get no more ftp packets from tun0)...
    >
    > So, what can I do to solve this problem...
    >
    > Thank you
    >
    > Sylvain.
    > _______________________________________________
    > freebsd-net@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    >
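As an added illustration of the two-connection problem Barry describes (example code written for this page, not from either poster or from natd/jftpgw): it decodes the PASV reply and the PORT command and checks a passive-mode data port against the single 20-21 range that the quoted natd.conf forwards. The gateway's public address and the 227 reply are constructed values.

```python
import re

# Constructed values for the example (not from the post): the gateway's public
# address and the only port range natd forwards to the DMZ FTP host, as in
# "redirect_port tcp 10.1.0.1:20-21 20-21".
PUBLIC_IP = "198.51.100.7"
FORWARDED_TCP_PORTS = range(20, 22)  # 20 and 21 only

_HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")


def _decode(match):
    """Turn the six comma-separated numbers of PASV/PORT into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv(reply):
    """Host and port a server advertises in its 227 reply (passive mode)."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode(m)


def parse_port(command):
    """Host and port a client advertises in its PORT command (active mode)."""
    m = PORT_RE.match(command.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % command)
    return _decode(m)


def passive_data_problems(reply, forwarded=FORWARDED_TCP_PORTS, public_ip=PUBLIC_IP):
    """List why an outside client's passive data connection would fail through
    a plain port-forwarding NAT; an empty list means it would get through."""
    host, port = parse_pasv(reply)
    problems = []
    if host != public_ip:
        problems.append("advertised address %s is the server's private address, "
                        "not the gateway's %s" % (host, public_ip))
    if port not in forwarded:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, forwarded[0], forwarded[-1]))
    return problems


if __name__ == "__main__":
    # Constructed 227 reply as the DMZ server 10.1.0.1 would send it unmodified.
    for p in passive_data_problems("227 Entering Passive Mode (10,1,0,1,4,210)"):
        print("-", p)
```

An FTP-aware proxy such as the jftpgw Barry mentions sits on the gateway precisely so that the address and port the outside client sees are the gateway's own.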
