Jayel
2003-Apr-15 19:20 UTC
[Shorewall-users] passive FTP server in DMZ and Shorewall 1.4.2
I have an FTP server running in the DMZ section of my home network. It uses port 23000 for connection and ports 19990 to 19994 for data transfer. I have set up the following rule for outside people to connect to it:

    DNAT net dmz:192.168.2.2 tcp 23000

I'm at work right now and I can't use a passive connection to it. I can't get a directory listing. Active connections work.

I have set up my /etc/shorewall/modules and /etc/modules.conf according to the FTP section of this page: http://shorewall.sourceforge.net/ports.htm

I searched the mailing list and found these 2 threads:

1. http://lists.shorewall.net/pipermail/shorewall-users/2003-February/005291.html
2. http://lists.shorewall.net/pipermail/shorewall-users/2002-December/003879.html

------------------

In the 1st link, Tom mentioned "FTP tracking/NAT" and "ALLOWRELATED". I checked what modules are being loaded and found these:

    ip_conntrack_irc        4400   1  [ip_nat_irc]
    ip_conntrack_ftp        5424   1  [ip_nat_ftp]
    ip_conntrack           29920   4  [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]

In regards to "ALLOWRELATED", I had a look at shorewall.conf and I can't find an entry for it. Tom mentioned that "ALLOWRELATED" must be set to "Yes". So I created a new entry "ALLOWRELATED" and set its value to "Yes".

------------------------

In the 2nd link, Tom mentioned port 113. The only rule that uses port 113 (auth) in my setup is this:

    ACCEPT $_Local net udp auth #ident

I used ident for it as this website (http://www.practicallynetworked.com/) mentioned that it's needed for IRC ident.
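Added check, not part of the original post: the kernel FTP helpers (ip_conntrack_ftp and ip_nat_ftp) only inspect control connections on the ports they were loaded with, and the module default is port 21 alone, so a server on 23000 is invisible to them unless both loadmodule lines in /etc/shorewall/modules carry a ports= parameter. The two sample module files below are constructed for illustration and are assumed to follow the Shorewall loadmodule line format.

```bash
#!/bin/sh
# Constructed sample of /etc/shorewall/modules lines, not the poster's file.
# Without ports=, both helpers default to port 21 only.
MODULES_BEFORE='loadmodule ip_conntrack_ftp
loadmodule ip_nat_ftp'

# Same file with the non-standard control port added to both helpers.
MODULES_AFTER='loadmodule ip_conntrack_ftp ports=21,23000
loadmodule ip_nat_ftp ports=21,23000'

# helper_has_port MODULE PORT  (file content on stdin)
# Returns 0 when the loadmodule line for MODULE lists PORT in ports=.
helper_has_port() {
    mod=$1; port=$2
    line=$(grep -E "^loadmodule[[:space:]]+$mod([[:space:]]|$)" | head -n 1)
    [ -n "$line" ] || return 1
    ports=$(printf '%s\n' "$line" | sed -n 's/.*ports=\([0-9,]*\).*/\1/p')
    # No ports= parameter means the module default, which is 21 only.
    [ -n "$ports" ] || ports=21
    printf '%s\n' "$ports" | tr ',' '\n' | grep -qx "$port"
}

# check_ftp_helpers PORT  (file content on stdin)
# Returns 0 only when both the conntrack and the NAT helper cover PORT.
check_ftp_helpers() {
    content=$(cat)
    for mod in ip_conntrack_ftp ip_nat_ftp; do
        printf '%s\n' "$content" | helper_has_port "$mod" "$1" || return 1
    done
    return 0
}

# Stand-alone run: report whether each sample file covers port 23000.
printf '%s\n' "$MODULES_BEFORE" | check_ftp_helpers 23000 \
    && echo "before: helpers cover 23000" \
    || echo "before: helpers do NOT cover 23000 (default is port 21 only)"
printf '%s\n' "$MODULES_AFTER" | check_ftp_helpers 23000 \
    && echo "after: helpers cover 23000" \
    || echo "after: helpers do NOT cover 23000"
```

The check only reads the configuration file; whether the running kernel actually loaded the helpers with those ports is confirmed separately with lsmod and the module parameters shown at load time.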