Date:      Thu, 24 Jul 2003 14:31:17 +0200
From:      "Barry Irwin" <bvi@lair.moria.org>
To:        <zel@free.fr>, <freebsd-net@freebsd.org>
Subject:   Re: PLEASE HEEEEEELLLLPPPP ME...
Message-ID:  <023e01c351df$7cf231f0$227ae792@ict.ru.ac.za>
References:  <1058961103.3f1e76cf2ab6f@impt1-2.free.fr>

Hi

Your problem is that the ports you have allowed are not the only ports FTP
uses.  FTP makes use of two separate TCP connections.

The first is the command connection (21/tcp) which is the connection used
for logging in, and issuing commands.  However when you make a data
connection (retrieving a file, listing a directory) a data connection is
opened up.   Traditionally, port 20/tcp (ftp-data) was used.   The process
being that the server opened a connection to your client machine from port
20.

This clearly has issues when combined with firewalls and NAT.

The other FTP transfer mode is Passive mode.  Here, a data request is made,
and the server provides details of what port the client should connect to.

The problem you are seeing is because you are not natting all the possible
ports through.  The best suggestion I have is to install something like
jftpgw which will run on your firewall/gateway and act as an FTP proxy back
to the FTP server.


Regards,

Barry

----- Original Message ----- 
From: <zel@free.fr>
To: <freebsd-net@freebsd.org>
Sent: Wednesday, July 23, 2003 1:51 PM
Subject: PLEASE HEEEEEELLLLPPPP ME...


> please HELP !!!
>
>
> Ok... here is my problem that I tried to explain completely!
>
> The situation is the one below:
>
> =====================================
> |SpeedToucheHome Ethernet ADSL Modem|
> |    10.0.0.138/24                  |
> =====================================
>             |
>        10.0.0.0/24
>             |
> ==========================
> |   10.0.0.1/24           |
> |      (A)  10.1.0.254/24 |- 10.1.0.0/24 -  (... DMZ ...)
> | 192.168.1.254/24        |
> ==========================
>            |
>       192.168.1.0/24
>            |
>           ...
>      clients workstations
>
>
> My problem is about the computer A which does not do what I would like it
> to do.
>
> Currently, this computer has a customized kernel with those options:
> IPFIREWALL
> IPDIVERT
>
> but not IPFILTER!!! Maybe it is the problem, I don't know!
>
> in the rc.conf, I made the following configuration
> firewall_enabled="YES"
> firewall_type="SIMPLE"  (but I tried too with "OPEN")
>
> natd_enable="YES"
> natd_interface="tun0"   (this is the interface for PPPoE, I think)
> natd_flags="-f /etc/natd.conf"
>
> ...
>
>
> and in natd.conf:
> dynamic
> interface tun0
> redirect_port tcp 10.1.0.1:20-21 20-21
>
>
> 10.1.0.1 is the IP address of my FTP server, which is a computer placed in
> the DMZ.
>
> My problem is: "from outside, I cannot access the FTP server..."
>
> What I can say is:
> First: My FTP server is OK because from inside, I can access it from
> any computer in the DMZ or from the client workstations.
> Second: The answer to an outside request is "connection closed by host".
> Third: Interface tun0 (the virtual interface for PPPoE) receives the ftp
> requests but does not forward them to ed1 (the outside netcard from A and
> configured with 10.0.0.1). (I discovered that with tcpdump).
>   (the other interfaces get no more ftp packets from tun0)...
>
> So, what can I do to solve this problem...
>
> Thank you
>
> Sylvain.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
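
As an added illustration of Barry's point (this is not code from the thread or from any project named in it): the script below decodes the RFC 959 host/port encoding carried in PASV replies and PORT commands, and lists what would stop an outside client from completing the data connection through a NAT that only redirects 20-21, as in Sylvain's natd.conf. The 227 reply and the client address in the test are constructed samples.

```python
import ipaddress
import re

# Ports the poster's natd.conf forwards to the DMZ FTP server
# ("redirect_port tcp 10.1.0.1:20-21 20-21"); nothing else is redirected.
REDIRECTED_PORTS = range(20, 22)

# RFC 959 host/port encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_REPLY = re.compile(r"^227 .*?\(" + _HOSTPORT + r"\)")
PORT_COMMAND = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")


def decode_hostport(groups):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Passive mode: the 227 reply names where the client must connect for data."""
    m = PASV_REPLY.match(line)
    if m is None:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    return decode_hostport(m.groups())


def parse_port_command(line):
    """Active mode: PORT names where the server connects back (from 20/tcp)."""
    m = PORT_COMMAND.match(line)
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.groups())


def passive_data_problems(reply, redirected=REDIRECTED_PORTS):
    """Why an outside client could not open the data connection through the NAT."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append(f"advertised address {ip} is private, unreachable from outside")
    if port not in redirected:
        problems.append(f"data port {port} is not in the redirected range "
                        f"{redirected.start}-{redirected.stop - 1}")
    return problems


# Constructed sample: the DMZ server answers PASV with its own 10.1.0.1
# address and an ephemeral data port (195*256 + 80 = 50000).
SAMPLE_PASV = "227 Entering Passive Mode (10,1,0,1,195,80)"
```

Running `passive_data_problems(SAMPLE_PASV)` reports both failures at once, which is why an FTP-aware proxy or NAT helper, rather than a static port redirect, is needed.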
