Shorewall users - Dec 2002 - question concerning passive ftp

Hi,

what do I have to configure, to access "all different kind" of 
ftp-servers? :-) What I mean is, that there are some clints, whitch try 
to use the passive mode and some servers which can only be accessed by 
passive mode.

In my rule file I have

ACCEPT  loc     net             tcp     ftp

in modules:

loadmodule ip_conntrack_ftp
loadmodule ip_nat_ftp

So any hints?

Thanks,

Götz Reinicke - reinicke@linux.de

Götz Reinicke wrote:
> Hi,
> 
> what do I have to configure, to access "all different kind" of 
> ftp-servers? :-) What I mean is, that there are some clints, whitch try 
> to use the passive mode and some servers which can only be accessed by 
> passive mode.

I added:

ACCEPT  loc     net             tcp     ftp-data

but I still get messages like:

Data connection timed out.
Falling back to PORT instead of PASV mode.
Could not accept a data connection - Time out.


Some more hints?


Thanks!

Götz Reinicke - reinicke@linux.de

--On Monday, December 02, 2002 10:12:54 AM +0100 G=F6tz Reinicke=20
<goetz.reinicke@filmakademie.de> wrote:
> Hi,
>
> what do I have to configure, to access "all different kind" of
> ftp-servers? :-) What I mean is, that there are some clints, whitch try
> to use the passive mode and some servers which can only be accessed by
> passive mode.
>
> In my rule file I have
>
> ACCEPT  loc     net             tcp     ftp
>
> in modules:
>
> loadmodule ip_conntrack_ftp
> loadmodule ip_nat_ftp
>
> So any hints?
If you use the default loc->net policy of ACCEPT, then you NEVER NEED ANY=20
LOC->NET ACCEPT RULES. So if you are using the standard policies, the above 
rule is completely unnecessary.

Are the ftp modules actually being loaded (lsmod)? Do you have an ACCEPT or 
REJECT rule for Auth (tcp port 113)?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net