[Shorewall-users] my problem with runing a passive FTP server in DMZ

Tom Eastep teastep at shorewall.net
Tue Jun 17 17:00:45 PDT 2003


On Tue, 2003-06-17 at 07:02, Tom Eastep wrote:
> On Mon, 2003-06-16 at 22:26, Jayel wrote:
> > Here's the original thread -->> http://lists.shorewall.net/pipermail/shorewall-users/2003-April/006019.html. 
> > 
> > Well I have several thought that my solve this problem after coming back to it after so long.
> > 
> > On my Windows FTP server (raidenftpd software), it is asking for a host. I put there "dynamichost.dyndns.org" (sample only). maybe this is wrong. Maybe I should've put the actual IP of the Windows PC which is 192.168.2.2.
> > 
> > I do know PASV works on this software as I've used it work with much success. I'm not saying shorewall is to blame. it could most probably be my config.
> > 
> 
> I told you the first time and I'll tell you only once more -- DO NOT
> SPECIFY A MASQUERADE IP ADDRESS TO YOUR FTP SERVER.

I have just reproduced your environment on my own firewall. In my case,
the rule is:

DNAT	loc	dmz:206.124.146.177:21	tcp	23000	-	192.168.1.193

While this is backward to the way one normally does port forwarding
(usually a public IP address is forwarded to a private one) this setup
is nevertheless equivalent to yours.

In /etc/shorewall/modules:

    loadmodule ip_conntrack_ftp ports=21,23000
    loadmodule ip_nat_ftp ports=21,23000

I made NO CHANGES to my ftp server configuration.

>From my local network:

[teastep at wookie Shorewall]$ ftp
ftp> open mail 23000
Connected to lists.shorewall.net.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
220-You are user number 1 of 50 allowed.
220-Local time is now 08:46 and the load is 0.14. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
500 Security extensions not implemented
500 Security extensions not implemented
KERBEROS_V4 rejected as an authentication type
Name (mail:teastep): ftp
331-Welcome to ftp.shorewall.net
331-
331 Any password will work
Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (192,168,1,193,202,172)
150 Accepted data connection
drwxr-xr-x    5 0        0            4096 Nov  9  2002 archives
drwxr-xr-x    2 0        0            4096 Feb 12  2002 etc
drwxr-sr-x    6 0        50           4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout - CPU time spent: 0.020 seconds.
[teastep at wookie Shorewall]$

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net



More information about the Shorewall-users mailing list