Hello to all.

I'm using Fedora Core 5 and shorewall-3.0.6-1.fc5.

The ftp server is running on the firewall box. The firewall is connected to the internet using an adsl router (using adsl router without bridge) with all ports redirected to the ip of the firewall.

I have configured pure-ftpd with passive mode (port range 30000:50000). At my home the connection to the ftp server is ok (using adsl router without bridge).

After reading http://www.shorewall.net/FTP.html I have configured /etc/shorewall/rules with:

ACCEPT net fw tcp 30000:50000
ACCEPT net fw tcp 221

[root@netserver shorewall]# lsmod | grep ftp
ip_nat_tftp 1985 0
ip_nat_ftp 3393 0
ip_conntrack_tftp 4281 1 ip_nat_tftp
ip_conntrack_ftp 7601 1 ip_nat_ftp
ip_nat 16621 8 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat
ip_conntrack 49261 13 xt_state,xt_CONNMARK,xt_connmark,xt_conntrack,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp,iptable_nat,ip_nat

Here the logs:

[root@netserver u2]# ftp xxx.xx.xxx 221
Connected to logika.myftp.org.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 20 allowed.
220-Local time is now 15:47. Server port: 221.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
500 This security scheme is not implemented
KERBEROS_V4 rejected as an authentication type
Name (logika.myftp.org:root): logikaftp
331 User logikaftp OK. Password required
Password:
230-User logikaftp has group access to: logikaft
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (10,1,1,254,133,171)
ftp: connect: Connection refused
ftp>

If I disable passive mode at the client:

ftp> pas
Passive mode off.
ftp> dir
500 I won't open a connection to 10.1.1.254 (only to xxx.xxx.xx.xxx)
ftp: bind: Address already in use
ftp>

Thanks for all.
Wilson
Wilson A. Galafassi Jr. wrote:
> Hello to all.
>
> I'm using Fedora Core 5 and shorewall-3.0.6-1.fc5.
>
> The ftp server is running on the firewall box. The firewall is connected to
> the internet using an adsl router (using adsl router without bridge) with all
> ports redirected to the ip of the firewall.
>

The symptoms that you are seeing look like they are related to the ADSL router configuration, not the firewall. Turn off Shorewall (shorewall clear) -- I'll bet that it still doesn't work.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
It looks like your ftp server is advertising the private IP address of the firewall/server for passive mode instead of the public IP address of the ADSL router. Adjust your ftp server's passive mode configuration appropriately.

- Alex

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Wilson A. Galafassi Jr.
Sent: Thursday, May 04, 2006 2:56 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] ftp problem
I have disabled shorewall and the problem persists.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, May 4, 2006 16:21
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] ftp problem
Alex Stagg wrote:
> It looks like your ftp server is advertising the private IP address of the
> firewall/server for passive mode instead of the public IP address of the
> ADSL router. Adjust your ftp server's passive mode configuration
> appropriately.

If the ADSL router's external IP address is static then the FTP server may have a configuration option to use that IP address in its PASV responses.

The fact that the FTP client was seeing a connection request from the server's RFC 1918 address using active mode indicates that the router may not be applying SNAT to outgoing requests. So as I said in my initial post, I think that the problem is in the router's configuration.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
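The PASV mismatch that Alex and Tom describe, worked through as an added example (not code from the thread or from pure-ftpd): it parses the 227 reply from Wilson's log, derives the data port, and flags an advertised RFC 1918 address that differs from the public address the client connected to, plus a port outside the configured passive range. The control-peer address is an assumed placeholder, since the real one is masked in the thread.

```python
import ipaddress
import re

# Constructed sample input: the 227 reply from the thread, the passive range
# Wilson configured, and a placeholder (assumed) public address for the router.
SAMPLE_PASV = "227 Entering Passive Mode (10,1,1,254,133,171)"
PASSIVE_RANGE = (30000, 50000)
CONTROL_PEER = "203.0.113.10"  # assumed; stands in for the masked xxx.xxx.xx.xxx

# RFC 1918 private ranges, checked explicitly rather than via is_private,
# because Python also treats IANA test networks such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; RFC 959 encodes port as p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, control_peer, port_range):
    """Return (ip, port, problems) explaining why the data connection may fail."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != control_peer:
        what = "RFC 1918 address" if is_rfc1918(ip) else "address"
        problems.append("server advertises %s %s instead of %s" % (what, ip, control_peer))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d outside passive range %d:%d" % (port, lo, hi))
    return ip, port, problems


if __name__ == "__main__":
    for line in diagnose_pasv(SAMPLE_PASV, CONTROL_PEER, PASSIVE_RANGE)[2]:
        print(line)
```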
The ADSL router's external IP address is dynamic. Any suggestion to fix this?

Thanks
Wilson

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, May 4, 2006 16:59
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] ftp problem
Wilson A. Galafassi Jr. wrote:
> The ADSL router's external IP address is dynamic.
> Any suggestion to fix this?

Either:

a) Fix the router's NAT configuration (and we can't help you with that).
b) Change the router's configuration to bridge mode and do any necessary address translation on the Shorewall box.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I have fixed the problem in the pure-ftpd config file using the parameter:

ForcePassiveIP my.dynamic.host.here

Thanks again to all, especially to Tom.
Wilson

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, May 4, 2006 17:31
To: shorewall-users@lists.sourceforge.net
Subject: Re: RES: [Shorewall-users] ftp problem
Wilson A. Galafassi Jr. wrote:
> I have fixed the problem in the pure-ftpd config file using the parameter:
> ForcePassiveIP my.dynamic.host.here
>

Cool -- I didn't realize that pure-ftpd handled dynamic gateway IP addresses like that. Sorry for giving you some bad advice -- I should have looked at the pure-ftpd man page before replying.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key