Re: PLEASE HEEEEEELLLLPPPP ME...

From: Matthew Emmerton (matt_at_compar.com)
Date: 07/25/03

    To: "Barry Irwin" <bvi@lair.moria.org>, <zel@free.fr>, <freebsd-net@freebsd.org>
    Date: Thu, 24 Jul 2003 20:10:18 -0400
    
    

    Or, switch to using IPFILTER/IPNAT which has special features to handle the
    case of FTP.

    Matt

    > Your problem is that the ports you have allowed are not the only ports FTP
    > uses. FTP makes use of two separate TCP connections.
    >
    > The first is the command connection (21/tcp), which is the connection used
    > for logging in and issuing commands. However, when you make a data
    > connection (retrieving a file, listing a directory) a data connection is
    > opened up. Traditionally, port 20/tcp (ftp-data) was used. The process
    > being that the server opened a connection to your client machine from port
    > 20.
    >
    > This clearly has issues when combined with firewalls and NAT.
    >
    > The other FTP transfer mode is Passive mode. Here, a data request is made,
    > and the server provides details of what port the client should connect to.
    >
    > The problem you are seeing is because you are not natting all the possible
    > ports through. The best suggestion I have is to install something like
    > jftpgw, which will run on your firewall/gateway and act as an FTP proxy back
    > to the FTP server.
    >
    >
    > Regards,
    >
    > Barry
    >
    > ----- Original Message -----
    > From: <zel@free.fr>
    > To: <freebsd-net@freebsd.org>
    > Sent: Wednesday, July 23, 2003 1:51 PM
    > Subject: PLEASE HEEEEEELLLLPPPP ME...
    >
    >
    > > please HELP !!!
    > >
    > >
    > > Ok... here is my problem, which I have tried to explain completely!
    > >
    > > The situation is the one below:
    > >
    > > =====================================
    > > |SpeedToucheHome Ethernet ADSL Modem|
    > > |           10.0.0.138/24           |
    > > =====================================
    > >                   |
    > >              10.0.0.0/24
    > >                   |
    > > ==========================
    > > |      10.0.0.1/24       |
    > > | (A)  10.1.0.254/24     |- 10.1.0.0/24 - (... DMZ ...)
    > > |      192.168.1.254/24  |
    > > ==========================
    > >                   |
    > >             192.168.1.0/24
    > >                   |
    > >                  ...
    > >          clients workstations
    > >
    > >
    > > My problem is about computer A, which does not do what I would like it to
    > > do.
    > >
    > > Currently, this computer has a customized kernel with those options:
    > > IPFIREWALL
    > > IPDIVERT
    > >
    > > but not IPFILTER!!! Maybe that is the problem, I don't know!
    > >
    > > In rc.conf, I made the following configuration:
    > > firewall_enabled="YES"
    > > firewall_type="SIMPLE" (but I also tried with "OPEN")
    > >
    > > natd_enable="YES"
    > > natd_interface="tun0" (this is the interface for PPPoE, I think)
    > > natd_flags="-f /etc/natd.conf"
    > >
    > > ...
    > >
    > >
    > > and in natd.conf:
    > > dynamic
    > > interface tun0
    > > redirect_port tcp 10.1.0.1:20-21 20-21
    > >
    > >
    > > 10.1.0.1 is the IP address of my FTP server, which is a computer placed
    > > in the DMZ.
    > >
    > > My problem is: "from outside, I cannot access the FTP server..."
    > >
    > > What I can say is:
    > > First: My FTP server is OK because, from inside, I can access it from any
    > > computer in the DMZ or from the client workstations.
    > > Second: The answer to an outside request is "connection closed by host".
    > > Third: Interface tun0 (the virtual interface for PPPoE) receives the ftp
    > > requests but does not forward them to ed1 (the outside network card of A,
    > > configured with 10.0.0.1). (I discovered that with tcpdump.)
    > > (The other interfaces get no more ftp packets from tun0)...
    > >
    > > So, what can I do to solve this problem...
    > >
    > > Thank you
    > >
    > > Sylvain.
    > > _______________________________________________
    > > freebsd-net@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    > >
    >
    >

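The passive-mode problem Barry describes, as an added Python example (not code from this thread, from jftpgw or from FreeBSD's natd): it parses the `redirect_port` rules from a natd.conf modelled on the one in Sylvain's post, decodes the `h1,h2,h3,h4,p1,p2` tuple that the FTP `227 Entering Passive Mode` reply and the `PORT` command carry (RFC 959), and reports why a client outside the NAT could not follow the reply. The passive port range 50000-50100, the public address 203.0.113.7 and every sample line are constructed assumptions; `rewrite_passive_reply` shows what an FTP-aware proxy of the kind Barry suggests does to the server's reply before the outside client sees it.

```python
"""Checks whether an FTP data connection advertised on the control channel can
actually be reached through a natd-style port redirection.

Added example, not code from the thread or from FreeBSD; the natd.conf text is
modelled on the one in the original post. All sample lines are constructed."""
import ipaddress
import re

# Constructed: the redirect rule from the original post (only 20-21 forwarded).
NATD_CONF_ORIGINAL = """\
dynamic
interface tun0
redirect_port tcp 10.1.0.1:20-21 20-21
"""

# Constructed: the same file with a fixed passive port range also redirected.
# The range 50000-50100 is an assumption; it must match the range the FTP
# server itself is configured to use for passive data connections.
NATD_CONF_FIXED = NATD_CONF_ORIGINAL + "redirect_port tcp 10.1.0.1:50000-50100 50000-50100\n"

# Constructed 227 reply as the server behind the NAT would emit it: its own
# private address and an ephemeral port (195*256+89 = 50009).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,1,0,1,195,89)"
PUBLIC_IP = "203.0.113.7"   # documentation address standing in for the tun0 address

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REDIRECT_RE = re.compile(
    r"^redirect_port\s+(?P<proto>tcp|udp)\s+"
    r"(?P<target_ip>[\d.]+):(?P<t_lo>\d+)(?:-(?P<t_hi>\d+))?\s+"
    r"(?:(?P<alias_ip>[\d.]+):)?(?P<a_lo>\d+)(?:-(?P<a_hi>\d+))?\s*$"
)
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_redirects(conf):
    """Return (proto, target_ip, target_ports, alias_ports) for each redirect_port line."""
    rules = []
    for line in conf.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if not m:
            continue   # 'dynamic', 'interface', comments and blank lines
        t_lo, a_lo = int(m["t_lo"]), int(m["a_lo"])
        t_hi, a_hi = int(m["t_hi"] or t_lo), int(m["a_hi"] or a_lo)
        rules.append((m["proto"], m["target_ip"], range(t_lo, t_hi + 1), range(a_lo, a_hi + 1)))
    return rules


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply (RFC 959)."""
    m = HOSTPORT_RE.search(line)
    if m is None:
        raise ValueError("no host/port tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_reachable(port, rules, server_ip):
    """True if an outside client dialling `port` on the NAT box lands on server_ip:port."""
    for proto, target, t_range, a_range in rules:
        if proto != "tcp" or target != server_ip or port not in t_range:
            continue
        # Alias ports map onto target ports positionally, so the number the
        # server advertised must also be the alias-side number the client dials.
        if a_range[t_range.index(port)] == port:
            return True
    return False


def check_passive_reply(reply, conf, server_ip):
    """Return the reasons an outside client could not follow this 227 reply (empty = OK)."""
    addr, port = parse_hostport(reply)
    problems = []
    if any(ipaddress.ip_address(addr) in n for n in RFC1918):
        problems.append("advertised address %s is private; unreachable from outside" % addr)
    if not port_reachable(port, parse_redirects(conf), server_ip):
        problems.append("data port %d is not redirected to %s" % (port, server_ip))
    return problems


def rewrite_passive_reply(reply, public_ip):
    """What an FTP-aware proxy or NAT sends the client instead: same port, public address."""
    _, port = parse_hostport(reply)
    tup = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return HOSTPORT_RE.sub(tup, reply, count=1)


if __name__ == "__main__":
    for name, conf in (("original", NATD_CONF_ORIGINAL), ("fixed", NATD_CONF_FIXED)):
        print(name, check_passive_reply(SAMPLE_PASV_REPLY, conf, "10.1.0.1"))
    rewritten = rewrite_passive_reply(SAMPLE_PASV_REPLY, PUBLIC_IP)
    print("rewritten", rewritten, check_passive_reply(rewritten, NATD_CONF_FIXED, "10.1.0.1"))
```

Run as a script it walks through the three states: with only 20-21 forwarded the reply fails on both counts (private address, unforwarded port); forwarding the server's passive range fixes the port but the server still advertises 10.1.0.1, which an outside client cannot reach; only rewriting the reply to the public address (what an FTP proxy does, or what the server does if told its external address) leaves no problems. The same `parse_hostport` decodes a `PORT` command, which is why an FTP proxy has to watch both directions of the control channel.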

