Derek Knapp
2002-Oct-18 16:11 UTC
[Shorewall-users] Connection To A Ftp With Non-21 As Port
Hey, basically what I have right now is a SuSE Linux machine as a router using Shorewall 1.3.9b... eth0 is the WAN (24.42.114.37) and eth1 is the local network (192.168.0.1)...

Now I'm trying to connect to my friend's FTP, which is on port 80... (on the external network) and I get the error "could not open data connection to port 3214: connection refused".. but that 3214 changes each time.. it seems to only be in the 3000's... I am currently just using the default 2-interface settings I downloaded.. do I have to add any rules or something to make it work?? Thanks
John S. Andersen
2002-Oct-18 19:02 UTC
[Shorewall-users] Connection To A Ftp With Non-21 As Port
On 18 Oct 2002 at 12:11, Derek Knapp wrote:

> Hey, basically what I have right now is a SuSE Linux machine as a router using Shorewall 1.3.9b... eth0 is the WAN (24.42.114.37) and eth1 is the local network (192.168.0.1)...
>
> Now I'm trying to connect to my friend's FTP, which is on port 80... (on the external network) and I get the error "could not open data connection to port 3214: connection refused".. but that 3214 changes each time.. it seems to only be in the 3000's... I am currently just using the default 2-interface settings I downloaded.. do I have to add any rules or something to make it work??
>
> Thanks

Just to throw another wrinkle into this issue: folks on cable modems should be aware that Com21 cable modems and the newer DOCSIS-compliant modems have a feature that many ISPs use to prevent one customer from messing with another. Namely, they often assign you to what is referred to as a "non-peer-to-peer" VLAN, which means you can't talk directly to another machine that is on the same head-end controller. So the guy next door may not be reachable. Not by FTP, not by WWW, not by SMB, not even by ping. No packets allowed between peers, period.

Our provider here uses Com21 modems, and you have to specifically ASK to be placed on the peer-to-peer modem, as the company policy is to protect the brain-dead users from each other.

So even if you have everything else configured correctly (and with an FTP server on port 80, I have no confidence that you do), this may be another thing to check.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Bradey Honsinger
2002-Oct-18 22:41 UTC
[Shorewall-users] Connection To A Ftp With Non-21 As Port
Accidentally forgot to include the list...

-----Original Message-----
From: Bradey Honsinger
Sent: Friday, October 18, 2002 10:30 AM
To: 'Derek Knapp'
Subject: RE: [Shorewall-users] Connection To A Ftp With Non-21 As Port

I think the problem is that you're using a non-standard FTP port. If your friend were using the standard FTP port (21/tcp), the ip_conntrack_ftp module would handle things for you. I don't know of any way to tell the ip_conntrack_ftp module that you're using port 80 instead of port 21, but maybe someone else on the list does.

In the meantime, you can work around the problem by using FTP's "passive" mode. In passive mode, the client always makes the connection to the server, so as long as you have a "loc net ACCEPT" policy, it'll work fine. How you switch to passive mode depends on your FTP client (and possibly on the server). Using Linux FTP, it's simply "passive"; from the Windows FTP client (which is based on BSD code), you use "quote pasv".

- Bradey

-----Original Message-----
From: Derek Knapp [mailto:knap1930@wlu.ca]
Sent: Friday, October 18, 2002 9:11 AM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Connection To A Ftp With Non-21 As Port

Hey, basically what I have right now is a SuSE Linux machine as a router using Shorewall 1.3.9b... eth0 is the WAN (24.42.114.37) and eth1 is the local network (192.168.0.1)...

Now I'm trying to connect to my friend's FTP, which is on port 80... (on the external network) and I get the error "could not open data connection to port 3214: connection refused".. but that 3214 changes each time.. it seems to only be in the 3000's... I am currently just using the default 2-interface settings I downloaded.. do I have to add any rules or something to make it work?? Thanks
Tom Eastep
2002-Oct-20 22:23 UTC
[Shorewall-users] Connection To A Ftp With Non-21 As Port
Derek Knapp wrote:

> Hey, basically what I have right now is a SuSE Linux machine as a router using Shorewall 1.3.9b... eth0 is the WAN (24.42.114.37) and eth1 is the local network (192.168.0.1)...
>
> Now I'm trying to connect to my friend's FTP, which is on port 80... (on the external network) and I get the error "could not open data connection to port 3214: connection refused".. but that 3214 changes each time.. it seems to only be in the 3000's... I am currently just using the default 2-interface settings I downloaded.. do I have to add any rules or something to make it work??

Try using Passive Mode FTP -- the FTP connection tracking code isn't tracking port 80 (and incidentally, 80 is a really bad choice for an FTP port number -- you certainly DON'T want to configure FTP connection tracking to track port 80).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
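Both Bradey's and Tom's replies come down to the same mechanism: in active mode the client announces a private LAN address and a random high port in its PORT command and the server has to connect back to it, which only works through a NAT router if a connection-tracking helper saw the PORT command on the control port it watches (21 by default); in passive mode the client opens the data connection itself, so an outbound-accept policy is enough. The script below is an added example, not code from the thread or from Shorewall. It decodes the PORT command and the 227 PASV reply and reports, for each mode, which side must initiate the data connection and whether that can succeed without a helper. The sample messages (a client at 192.168.0.5 announcing port 12*256+142 = 3214, a server at 24.42.114.37 offering a passive port) and the tracked_ports parameter are constructed for illustration.

```python
"""Active vs passive FTP data connections as seen from a NAT router.

Added example; not from the mailing-list thread or from Shorewall. The sample
messages and addresses below are constructed for illustration only.
"""
import ipaddress
import re

# Constructed samples. PORT carries h1,h2,h3,h4,p1,p2; the port is p1*256+p2,
# so 12,142 announces port 3214 on the private address 192.168.0.5. The 227
# reply uses the same encoding: 195,80 is port 50000 on 24.42.114.37.
SAMPLE_PORT_CMD = "PORT 192,168,0,5,12,142"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (24,42,114,37,195,80)."

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % text)
    host = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(n[:4]))
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("port 0 in %r" % text)
    return str(host), port


def parse_port_command(line):
    """Active mode: the client names the address/port the server connects back to."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return _decode_hostport(line)


def parse_pasv_reply(line):
    """Passive mode: the server names the address/port the client connects to."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return _decode_hostport(line)


def data_connection_plan(mode, message, control_port, tracked_ports=(21,)):
    """Say who opens the data connection and whether it can be established.

    mode is "active" (message is the client's PORT command) or "passive"
    (message is the server's 227 reply). control_port is the port the control
    session runs on; tracked_ports are the control ports the FTP conntrack
    helper is watching (the kernel default is 21 only; assumption for this
    example, not a Shorewall setting).
    """
    helper_sees_session = control_port in tracked_ports
    if mode == "active":
        host, port = parse_port_command(message)
        private = ipaddress.IPv4Address(host).is_private
        # The server must open a new inbound connection to the client. A
        # private address in PORT is unreachable from the Internet unless a
        # helper that saw the command rewrites it and opens the port inbound.
        return {"initiator": "server", "target": (host, port),
                "needs_helper": private,
                "expected_to_work": (not private) or helper_sees_session}
    if mode == "passive":
        host, port = parse_pasv_reply(message)
        private = ipaddress.IPv4Address(host).is_private
        # The client opens the connection itself; an outbound-accept policy
        # (loc -> net ACCEPT) suffices. It only fails if the server announced
        # an address the client cannot reach, e.g. the server's own NAT-side IP.
        return {"initiator": "client", "target": (host, port),
                "needs_helper": False, "expected_to_work": not private}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    for mode, msg in (("active", SAMPLE_PORT_CMD), ("passive", SAMPLE_PASV_REPLY)):
        for control_port in (21, 80):
            print(mode, "control port", control_port, data_connection_plan(mode, msg, control_port))
```

Run against the constructed samples, active mode on control port 80 comes back as needing a helper that is not watching, which is the "connection refused" on port 3214 described in the first post; the same PORT command on control port 21 is fine, and passive mode works on either control port. The ip_conntrack_ftp module does accept a list of control ports to watch as a module parameter, but extending it to port 80 is exactly what Tom warns against: the helper would then parse whatever passes on port 80 for PORT-style strings and open inbound holes based on them, so passive mode is the right fix here.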