Date:      Mon, 1 Jul 2002 13:02:59 -0500
From:      "Raja Velu" <raja@micronetusa.com>
To:        "'Kane Tao'" <khtao@netforge.net>, <freebsd-questions@freebsd.org>
Subject:   RE: Browser-based FTP access as part of a web page
Message-ID:  <004101c22129$8a62c620$1d00a8c0@www.micronetusa.com>
In-Reply-To: <01c001c2211b$f4d79d40$8193e4ce@netforge.net>


> > Hi All,
> >
> > Our FreeBSD 4.4 server hosts web sites for a few domains and also acts as
> > the firewall (IPFW/NAT) for our small office network, consisting mainly of
> > Windows clients on the inside.
> >
> > One of our customers had a requirement to host a web site that uses ASP
> > pages. So, we are hosting this site on a Windows 2000 Server, which sits on
> > the internal network. We configured a public IP address as an IP alias for
> > the outside interface of the BSD Server and used NATD to redirect port 80
> > requests to this new IP to the Windows 2000 Web Server.
> >
> > BSD Box:
> > 1.2.3.4 - First public IP
> > 1.2.3.5 - Second public IP (aliased to the same interface)
> >
> > Onto my problem now :) One of the ASP web pages takes a username/password
> > and constructs an FTP URL (something like
> > ftp://<username>:<password>@1.2.3.4) and attempts to display the contents of
> > the FTP directory as a frame in the browser window. 1.2.3.4 is the original
> > public IP of the BSD box.
> >
> > When the firewall is enabled, this frame comes up with a "No page to
> > display" error. I look at my "security" logs and I see communication going
> > on between BSD:21 and the web browser. However, all of a sudden, I see that
> > the web browser is trying to access some arbitrary port on the BSD box (like
> > 49254 etc.), which is being denied (obviously, as I have opened up only the
> > necessary ports). And the page returns an error.
> >
> > When I just type the FTP URL on the web browser, it works fine. It is not
> > working THROUGH this web page only. With the firewall open, it works fine as
> > none of the ports are protected.
> >
> > This problem may be very specific to my setup. So, please pass me any
> > troubleshooting tips too even if you haven't come across this before.
> >
> > Thanks a bunch.
> >
> > Rgds,
> > Raja
> >
> > PS: I am attaching some of my security and tcpdump logs here in case they
> > might be of assistance (x.x.x.x is any external machine - I tried accessing
> > this web page from several networks and the results are the same):
> >
> > ***** /var/log/security *****
> >
> > Jul  1 10:28:09 support /kernel: ipfw: 2600 Accept TCP x.x.x.x:2642 1.2.3.4:21 in via xl0
> > Jul  1 10:28:09 support /kernel: ipfw: 2600 Accept TCP 1.2.3.4:21 x.x.x.x:2642 out via xl0
> > ...........
> > ...........
> > Jul  1 10:28:09 support /kernel: ipfw: 3900 Deny TCP x.x.x.x:2643 1.2.3.4:49152 in via xl0
> >
> > ***** tcpdump *****
> >
> > 15:38:17.769087 XXXXX.ipt.aol.com.2987 > 1.2.3.4.ftp: S 18549450:18549450(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
> > 15:38:17.769656 1.2.3.4.ftp > AC82D2BD.ipt.aol.com.2987: S 1875166115:1875166115(0) ack 18549451 win 16616 <mss 1460> (DF)
> > .............
> > .............
> > 15:38:25.450712 XXXXX.ipt.aol.com.2988 > 1.2.3.4.33342: S 18557147:18557147(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
> >
>
> If you are only redirecting port 80 then your BSD box will try to do the
> authentication for port 20 and port 21 for FTP.  You may want to try to
> forward those ports too...
>
> As far as I know the FTP:// URI initiates a standard FTP connection to a
> server and not a http file transfer...
>
> - KT

The FTP URL actually points to the BSD Server's IP (1.2.3.4) - not to the
Windows 2000 server. So, I have not set up any forwarding rules for that. I
am failing to understand why, all of a sudden, there is a request for
communication from the web browser to an arbitrary port on the BSD server
(please see the last lines on either of my logs above).

Raja
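
An added example, not part of the original message: in passive-mode FTP the client opens the data connection to a port the server announces on the control channel, which matches the pattern in the logs above (control session on port 21 accepted, then a new connection from the same client to a high port denied). The script below scans ipfw log lines in the quoted /var/log/security format for that pattern; the sample lines are constructed, 198.51.100.7 stands in for the masked x.x.x.x, and the function name and port threshold are assumptions.

```python
import re

# Constructed sample in the format of the /var/log/security excerpt above;
# 198.51.100.7 stands in for the masked client address x.x.x.x.
SAMPLE_LOG = """\
Jul  1 10:28:09 support /kernel: ipfw: 2600 Accept TCP 198.51.100.7:2642 1.2.3.4:21 in via xl0
Jul  1 10:28:09 support /kernel: ipfw: 2600 Accept TCP 1.2.3.4:21 198.51.100.7:2642 out via xl0
Jul  1 10:28:09 support /kernel: ipfw: 3900 Deny TCP 198.51.100.7:2643 1.2.3.4:49152 in via xl0
Jul  1 10:28:11 support /kernel: ipfw: 3900 Deny TCP 203.0.113.9:4000 1.2.3.4:139 in via xl0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def find_blocked_ftp_data(log_text, server_ip, min_data_port=1024):
    """Return denied inbound connections to high ports on server_ip from
    clients that already have an accepted FTP control session (port 21)."""
    control_clients = set()   # sources seen with an accepted connection to :21
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dir"] != "in" or m["dst"] != server_ip:
            continue
        dport = int(m["dport"])
        if m["action"] == "Accept" and dport == 21:
            control_clients.add(m["src"])
        elif (m["action"] == "Deny" and dport >= min_data_port
              and m["src"] in control_clients):
            hits.append({"client": m["src"], "port": dport,
                         "rule": int(m["rule"])})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_ftp_data(SAMPLE_LOG, "1.2.3.4"):
        print("rule %(rule)d denied %(client)s -> port %(port)d "
              "after an accepted FTP control session" % hit)
```

A hit names the ipfw rule that dropped the connection; the usual remedy is to pin the FTP daemon's passive port range and allow only that range inbound, rather than opening all high ports.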

