Hi, I have a web/ftp server in the DMZ via proxy arp behind a shorewall 4.4.x firewall.

All works fine, also FTP in passive mode, but not in active mode.

I have an old hardware device which sometimes puts some binary data files via ftp on my server, but it does not support passive mode (like ftp.exe of winxp also does) and this is my problem.

On my network I have 3 Centos6.3 ftp servers (2 for test only):
1) on the firewall (for test only)
2) in the LAN via nat (for test only)
3) in the DMZ via proxyarp (real server)

In shorewall I have these 3 rules:
1) FTP(ACCEPT) net fw:1.1.1.1
2) DNAT net loc:192.168.1.250 tcp ftp - 1.1.1.3
3) FTP(ACCEPT) net dmz:1.1.1.2

Only server 2 works fine in active and passive mode; only on server 2 does my old external hardware work and load the data file via PUT and list via DIR without timeout.

On server 1 (test server) and 3 (real destination server) the ftp data transfer works only in passive mode (tested with ncftp.exe and FileZilla on winXP and lftp on a Linux client); in active mode (ftp.exe winxp) the connection to the server with account works, but the subsequent PUT and DIR commands go to timeout.

Does someone have some suggestion?

Many thanks

-- 
Dario Lesca - sip:dario@solinos.it
(Sent from my Linux Fedora 17 Gnome3)
On 01/11/2013 05:45 AM, Dario Lesca wrote:
> Hi, I have a web/ftp server in the DMZ via proxy arp behind a shorewall
> 4.4.x firewall.
>
> All works fine, also FTP in passive mode, but not in active mode.
>
> I have an old hardware device which sometimes puts some binary data files via ftp
> on my server, but it does not support passive mode (like ftp.exe of
> winxp also does) and this is my problem.
> [...]
> On server 1 (test server) and 3 (real destination server) the ftp
> data transfer works only in passive mode (tested with ncftp.exe and
> FileZilla on winXP and lftp on a Linux client); in active mode (ftp.exe
> winxp) the connection to the server with account works, but the subsequent
> PUT and DIR commands go to timeout
>
> Does someone have some suggestion?

What do you see in the system log when transfer fails? Have you looked at http://www.shorewall.net/FTP.html?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Dario Lesca
2013-Jan-11 16:00 UTC
Re: FTP active mode issue with server in dmz via proxarp
On Fri, 11/01/2013 at 07.05 -0800, Tom Eastep wrote:
> On 01/11/2013 05:45 AM, Dario Lesca wrote:
> [...]
> > Does someone have some suggestion?
>
> What do you see in the system log when transfer fails? Have you looked
> at http://www.shorewall.net/FTP.html?

Yes, I have read this howto .... but it does not help me.

Note that the active connection works only to the NAT server, and does NOT work with the servers without NAT (local fw and proxyarp dmz).

In the firewall system log I see nothing.
This is the tcpdump of my transaction test script to my server in DMZ proxyarp:

Script ftp (ftp.exe winxp)
> open my.host
> user
> pass
> dir
> quit

tcpdump output:
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
> 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
> 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
> 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 1:321, ack 1, win 14600, length 320
> 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 1:18, ack 321, win 63920, length 17
> 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 18, win 14600, length 0
> 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 321:364, ack 18, win 14600, length 43
> 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 18:33, ack 364, win 63877, length 15
> 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 364:407, ack 33, win 14600, length 43
> 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 33:57, ack 407, win 63834, length 24
> 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 407:436, ack 57, win 14600, length 29
> 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 57:63, ack 436, win 63805, length 6
> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
> 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
> 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
> 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
> 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0
> 16:44:25.605097 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 436:507, ack 63, win 14600, length 71
> 16:44:25.780286 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 507, win 63734, length 0
> 16:44:29.731707 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 63:69, ack 507, win 63734, length 6
> 16:44:29.732083 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 69, win 14600, length 0
> 16:44:29.732463 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 507:574, ack 69, win 14600, length 67
> 16:44:29.734085 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [F.], seq 574, ack 69, win 14600, length 0
> 16:44:29.767304 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [F.], seq 69, ack 574, win 63667, length 0
> 16:44:29.767573 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 70, win 14600, length 0
> 16:44:29.767830 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 575, win 63667, length 0

In the system log of FTP server 3 I see a correct connection with user and password and nothing else.
On the client (ftp.exe for test) I see this:
> ftp> dir
> 200 PORT command successful
> 425 Could not open data connection to port 1353: Connection timed out
> ftp>

NOTE: The port is always different.

Thanks for helping me.

-- 
Dario Lesca - sip:dario@solinos.it
(Sent from my Linux Fedora 17 Gnome3)
On 01/11/2013 08:00 AM, Dario Lesca wrote:
>>
>> What do you see in the system log when transfer fails? Have you looked
>> at http://www.shorewall.net/FTP.html?
> Yes, I have read this howto .... but it does not help me.
>
> Note that the active connection works only to the NAT server, and does NOT
> work with the servers without NAT (local fw and proxyarp dmz)
>
> In the firewall system log I see nothing.
> This is the tcpdump of my transaction test script to my server in DMZ
> proxyarp:
>
> Script ftp (ftp.exe winxp)
>> open my.host
>> user
>> pass
>> dir
>> quit

That would have been a lot more helpful if you would have turned on debugging before entering the dir command (and yes -- ftp.exe does support that command).

> tcpdump output:
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>> [...]
>> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
>> 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
>> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
>> 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
>> 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
>> 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
>> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0

The above is your FTP server's attempt to connect to port 1363 on the remote host.

> In the system log of FTP server 3 I see a correct connection with user
> and password and nothing else.
>
> On the client (ftp.exe for test) I see this:
>> ftp> dir
>> 200 PORT command successful
>> 425 Could not open data connection to port 1353: Connection timed out

That isn't the same port that your server was trying to connect to.

>> ftp>
> NOTE: The port is always different.
>
> Thanks for helping me.

If you send me the real IP address of your server, I'll take a look from this end.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 01/11/2013 08:23 AM, Tom Eastep wrote:
> On 01/11/2013 08:00 AM, Dario Lesca wrote:
> [...]
>> tcpdump output:
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
>>> 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
>>> [...]
>>> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
>>> 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 63, win 14600, length 0
>>> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
>>> [...]
>>> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0

Ah -- I see the real problem here. Your firewall is MASQUERADING outgoing connections from the server.

Note that the incoming connection on port 21 is addressed to my.host.42.251 but the outgoing connection is from my.host.42.242!

Fix your /etc/shorewall/masq file so that it doesn't masquerade those outgoing connections.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
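The check Tom does by eye above, as an added example that is not part of the thread: a small Python script that walks the tcpdump lines quoted earlier, takes the first SYN to port 21 as the control connection, treats every server-to-client SYN from port 20 as an active-mode data connection attempt, and flags the case where that SYN leaves from a different address than the one the client connected to (the masquerading symptom). The regex, the Finding structure and the short "healthy" capture at the end are constructed for this example.

```python
"""Spot masqueraded active-mode FTP data connections in a tcpdump capture."""
import re
from dataclasses import dataclass

# Shape of the tcpdump lines quoted in the thread:
# "<time> IP <host>.<sport> > <host>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

@dataclass
class Finding:
    control_server: str = ""       # address the client connected to on port 21
    data_source: str = ""          # address the server's port-20 SYN came from
    data_client_port: int = 0      # client port the server tried to reach
    syn_count: int = 0             # SYNs sent for the data connection
    syn_acked: bool = False        # whether any SYN-ACK came back
    source_mismatch: bool = False  # data SYN source != control server address

def analyze_active_ftp(lines):
    """First SYN to port 21 defines the control connection; each later
    server->client SYN from port 20 is an active-mode data attempt."""
    f = Finding()
    control = None  # (server_host, client_host)
    for line in lines:
        m = LINE_RE.match(line.strip().lstrip("> "))
        if not m:
            continue  # banner lines, non-TCP lines
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if control is None:
            if dport == 21 and flags == "S":
                control = (dst, src)
                f.control_server = dst
            continue
        server_host, client_host = control
        if sport == 20 and dst == client_host and flags == "S":
            f.syn_count += 1
            f.data_source = src
            f.data_client_port = dport
            f.source_mismatch = src != server_host
        elif dport == 20 and src == client_host and flags == "S.":
            f.syn_acked = True  # the client answered the data SYN
    return f

def verdict(f):
    """One-line conclusion for the firewall admin."""
    if f.source_mismatch:
        return (f"data connection left from {f.data_source} but the client talks to "
                f"{f.control_server}: outgoing SNAT/masquerade rewrites the server's source")
    if f.syn_count and not f.syn_acked:
        return "data SYNs unanswered with a consistent source address; look beyond SNAT"
    return "active-mode data connection looks healthy"

# Packets taken from the capture quoted in the thread (abridged to the relevant ones).
CAPTURE = """\
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
> 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
> 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 33:57, ack 407, win 63834, length 24
> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
> 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
> 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
> 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0
> 16:44:25.605097 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 436:507, ack 63, win 14600, length 71
""".splitlines()

# Constructed contrast: the same exchange when the server keeps its own address.
HEALTHY = [
    "16:50:00.000001 IP rem.host.61.90.2000 > my.host.42.251.21: Flags [S], seq 1, win 64240, length 0",
    "16:50:00.000002 IP my.host.42.251.20 > rem.host.61.90.2001: Flags [S], seq 2, win 14600, length 0",
    "16:50:00.000003 IP rem.host.61.90.2001 > my.host.42.251.20: Flags [S.], seq 3, ack 3, win 64240, length 0",
]

if __name__ == "__main__":
    for name, lines in (("thread capture", CAPTURE), ("constructed healthy", HEALTHY)):
        f = analyze_active_ftp(lines)
        print(f"{name}: {f.syn_count} data SYN(s), acked={f.syn_acked}; {verdict(f)}")
```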
Dario Lesca
2013-Jan-11 16:46 UTC
Re: FTP active mode issue with server in dmz via proxarp
On Fri, 11/01/2013 at 08.23 -0800, Tom Eastep wrote:
> If you send me the real IP address of your server, I'll take a look
> from this end.

I have sent you the IP and test account, and some other output.

Let me know.

Thanks

-- 
Dario Lesca - sip:dario@solinos.it
(Sent from my Linux Fedora 17 Gnome3)
On 01/11/2013 08:46 AM, Dario Lesca wrote:
> On Fri, 11/01/2013 at 08.23 -0800, Tom Eastep wrote:
>> If you send me the real IP address of your server, I'll take a look
>> from this end
>
> I have sent you the IP and test account, and some other output.
>
> Let me know

Check the list mail -- I have already sent you the solution.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Dario Lesca
2013-Jan-11 17:06 UTC
Re: [SOLVED] FTP active mode issue with server in dmz via proxarp
On Fri, 11/01/2013 at 08.40 -0800, Tom Eastep wrote:
>
> Ah -- I see the real problem here. Your firewall is MASQUERADING
> outgoing connections from the server.
>
> Note that the incoming connection on port 21 is addressed to
> my.host.42.251 but the outgoing connection is from my.host.42.242!
>
> Fix your /etc/shorewall/masq file so that it doesn't masquerade those
> outgoing connections.
>

Wow!, thanks Tom!! It works! It works! It works!

This is my old masq file:
$NET_IF_1 0.0.0.0/0 $ONLINE_SERVER tcp 25
$NET_IF_1 0.0.0.0/0 $NET_FW_IP_1

I have masqueraded only port 25 for some outgoing mail service.
Now I have this configuration:
$NET_IF_1 0.0.0.0/0 $ONLINE_SERVER
$NET_IF_1 0.0.0.0/0 $NET_FW_IP_1

Now it works!, but my other question is: is this configuration method correct?

Thanks Tom! ... I owe you a glass of wine from my vineyard ;-)

Ciao.

-- 
Dario Lesca - sip:dario@solinos.it
(Sent from my Linux Fedora 17 Gnome3)
Tom Eastep
2013-Jan-11 17:14 UTC
Re: [SOLVED] FTP active mode issue with server in dmz via proxarp
On 01/11/2013 09:06 AM, Dario Lesca wrote:
> On Fri, 11/01/2013 at 08.40 -0800, Tom Eastep wrote:
>> [...]
>> Fix your /etc/shorewall/masq file so that it doesn't masquerade those
>> outgoing connections.
>>
> Wow!, thanks Tom!! It works! It works! It works!
>
> This is my old masq file:
> $NET_IF_1 0.0.0.0/0 $ONLINE_SERVER tcp 25
> $NET_IF_1 0.0.0.0/0 $NET_FW_IP_1
>
> I have masqueraded only port 25 for some outgoing mail service.
> Now I have this configuration:
> $NET_IF_1 0.0.0.0/0 $ONLINE_SERVER
> $NET_IF_1 0.0.0.0/0 $NET_FW_IP_1
>
> Now it works!, but my other question is: is this configuration method
> correct?

If $ONLINE_SERVER is the system that uses proxy arp, then you should simply delete that entry. I can't see how the change you made could have fixed the ftp problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2013-Jan-11 17:17 UTC
Re: [SOLVED] FTP active mode issue with server in dmz via proxarp
On 01/11/2013 09:06 AM, Dario Lesca wrote:
> On Fri, 11/01/2013 at 08.40 -0800, Tom Eastep wrote:
>> [...]
>> Fix your /etc/shorewall/masq file so that it doesn't masquerade those
>> outgoing connections.
>>
> Wow!, thanks Tom!! It works! It works! It works!
>
> This is my old masq file:
> $NET_IF_1 0.0.0.0/0 $ONLINE_SERVER tcp 25
> $NET_IF_1 0.0.0.0/0 $NET_FW_IP_1
>
> I have masqueraded only port 25 for some outgoing mail service.
> Now I have this configuration:
> $NET_IF_1 0.0.0.0/0 $ONLINE_SERVER
> $NET_IF_1 0.0.0.0/0 $NET_FW_IP_1
>
> Now it works!, but my other question is: is this configuration method
> correct?

Now all outgoing connections are using your server's ip address as the source. I would make a single entry as follows:

$NET_IF_1 !$ONLINE_SERVER $NET_FW_IP_1

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
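To see why the old masq file broke active FTP, why Dario's change "works" but over-reaches, and why Tom's single exclusion entry is the right shape, here is an added example (not Shorewall's code, not from the thread): a simplified Python model of how a masq file is evaluated, first matching row wins, columns INTERFACE SOURCE ADDRESS [PROTO [PORT]] as in the quoted file, applied to all three configurations. The concrete values substituted for $NET_IF_1, $ONLINE_SERVER and $NET_FW_IP_1 are constructed; the real addresses are not on the page.

```python
"""Simplified model of Shorewall masq evaluation for the three configs in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the shell variables in the quoted masq file.
VARS = {
    "NET_IF_1": "eth0",
    "ONLINE_SERVER": "203.0.113.251",  # proxy-arp DMZ server (my.host.42.251 in the capture)
    "NET_FW_IP_1": "203.0.113.242",    # firewall's external address (my.host.42.242)
}

# The three configurations exactly as they appear in the thread.
OLD = """
$NET_IF_1 0.0.0.0/0 $ONLINE_SERVER tcp 25
$NET_IF_1 0.0.0.0/0 $NET_FW_IP_1
"""
CHANGED = """
$NET_IF_1 0.0.0.0/0 $ONLINE_SERVER
$NET_IF_1 0.0.0.0/0 $NET_FW_IP_1
"""
SUGGESTED = """
$NET_IF_1 !$ONLINE_SERVER $NET_FW_IP_1
"""

@dataclass
class MasqRule:
    interface: str
    source: str            # address/CIDR, optionally prefixed with "!" to exclude
    address: str           # SNAT address to rewrite the source to
    proto: str = "-"
    port: Optional[int] = None

def parse_masq(text):
    """Expand the $VARS and split each non-empty row into a MasqRule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for name, val in VARS.items():
            line = line.replace("$" + name, val)
        cols = line.split()
        proto = cols[3] if len(cols) > 3 else "-"
        port = int(cols[4]) if len(cols) > 4 else None
        rules.append(MasqRule(cols[0], cols[1], cols[2], proto, port))
    return rules

def source_matches(spec, ip):
    if spec.startswith("!"):
        return not source_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def snat_address(rules, out_iface, src_ip, proto="tcp", dport=None):
    """First matching row wins; None means the packet keeps its own source."""
    for r in rules:
        if r.interface != out_iface or not source_matches(r.source, src_ip):
            continue
        if r.proto != "-" and r.proto != proto:
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.address
    return None

def egress_source(config, src_ip, dport):
    """Source address a tcp packet from src_ip shows on the wire via $NET_IF_1."""
    addr = snat_address(parse_masq(config), VARS["NET_IF_1"], src_ip, "tcp", dport)
    return addr or src_ip

if __name__ == "__main__":
    server, lan_host = VARS["ONLINE_SERVER"], "192.168.1.250"
    for name, cfg in (("old", OLD), ("changed", CHANGED), ("suggested", SUGGESTED)):
        # Port 1363 is the client data port the server tried in the capture.
        print(f"{name:9}: FTP data from server -> {egress_source(cfg, server, 1363)}, "
              f"LAN host to web -> {egress_source(cfg, lan_host, 80)}")
```

The old file SNATs the server's port-20 connection to the firewall address (the mismatch in the capture); the changed file leaves the server alone but makes every LAN host appear as the server; the suggested entry masquerades everything except the proxy-arp server.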
Tom Eastep
2013-Jan-11 17:18 UTC
Re: [SOLVED] FTP active mode issue with server in dmz via proxarp
On 01/11/2013 09:14 AM, Tom Eastep wrote:
> On 01/11/2013 09:06 AM, Dario Lesca wrote:
>> [...]
>> Now it works!, but my other question is: is this configuration method
>> correct?
>
> If $ONLINE_SERVER is the system that uses proxy arp, then you should
> simply delete that entry. I can't see how the change you made could have
> fixed the ftp problem.

Disregard this post and use the suggestion from the next one I sent.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________