Topic: Passive FTP problem  (Read 6984 times)
« on: June 09, 2007, 08:24:25 »
atomant *
Posts: 7

Hi!

I have my FTP server (vsftp on FreeBSD 5.5) in the DMZ. Because I have only one public IP, I have configured Inbound NAT on m0n0wall for ports 20, 21 and 49152-65535 with corresponding firewall rules. My FTP server is also configured for passive mode with the port range for passive connections.

The problem is that I can't connect to my server from the internet using a PASSIVE FTP connection, but it works fine from the LAN network. However, I can connect from the internet using ACTIVE mode.

I have read some posts on the forum but nothing helped me.

DMZ rules:
(http://xmail.homelinux.net/dmz.jpg)

WAN rules:
(http://xmail.homelinux.net/wan.jpg)

NAT:
(http://xmail.homelinux.net/nat.jpg)

Please help!

Regards,
Sasa
« Last Edit: June 09, 2007, 13:08:55 by atomant »

Bye,
Sasa
« Reply #1 on: June 10, 2007, 08:52:54 »
atomant *
Posts: 7

If anyone is willing to try to connect anonymously to my server, so I could see if my modification for passive NAT works:

http://ftp://xmail.homelinux.net

Bye,
Sasa
« Reply #2 on: June 10, 2007, 08:57:00 »
the_jaymz *
Posts: 5

Code:
[jhouse@jmh-linux ~]$ ftp xmail.homelinux.net
Connected to xmail.homelinux.net (194.249.51.74).
220 Welcome to FTP service.
Name (xmail.homelinux.net:jhouse): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ;s
?Invalid command
ftp> ls
227 Entering Passive Mode (192,168,200,100,213,144)

It dies there.
« Reply #3 on: June 10, 2007, 09:28:06 »
atomant *
Posts: 7

Code:
[jhouse@jmh-linux ~]$ ftp xmail.homelinux.net
Connected to xmail.homelinux.net (194.249.51.74).
220 Welcome to FTP service.
Name (xmail.homelinux.net:jhouse): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ;s
?Invalid command
ftp> ls
227 Entering Passive Mode (192,168,200,100,213,144)

It dies there.

If I swap my m0n0wall for shorewall, then passive connections work fine, and all I have done in shorewall is forward port 21 to my internal server.
Why doesn't this want to work in m0n0wall?

Bye,
Sasa
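What the transcript above shows is the whole problem: the 227 reply carries the server's own address inside the FTP payload, and m0n0wall's inbound NAT rewrites only the IP headers, so the client is told to open its data connection to 192.168.200.100:54672 and hangs. shorewall on Linux loads the netfilter FTP helper (ip_conntrack_ftp/ip_nat_ftp on 2007 kernels), which rewrites the address in the 227 payload as it passes; that is the likely reason it worked there with nothing but a port 21 forward. The security side of the same mechanism: a client that blindly trusts the 227 address can be sent to any host and port, which is why curl has --ftp-skip-pasv-ip and why Python's ftplib now ignores the advertised IPv4 address unless trust_server_pasv_ipv4_address is set. The following is an added example, not code from the thread: it decodes a 227 reply, classifies the advertised address against the control-connection peer, and picks the endpoint the way a hardened client does. The sample replies are constructed; the first is the one quoted above, the peer address 194.249.51.74 is from the transcript, and 194.249.51.75 stands in for some unrelated public host.

```python
"""Decode an FTP 227 reply and pick the data-connection endpoint the way a
hardened client does (added example; not code from the thread).

The sample replies are constructed; the first is the one quoted in the thread,
with the server's private DMZ address leaked through m0n0wall's inbound NAT."""
from __future__ import annotations

import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
_PASV_RE = re.compile(r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

CONTROL_PEER = "194.249.51.74"   # address the control connection was opened to (from the transcript)

SAMPLE_REPLIES = {
    "leaked":      "227 Entering Passive Mode (192,168,200,100,213,144)",  # quoted in the thread
    "correct":     "227 Entering Passive Mode (194,249,51,74,213,144)",    # what pasv_address or an FTP ALG yields
    "third_party": "227 Entering Passive Mode (194,249,51,75,0,21)",       # assumed: some other public host
}


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {reply!r}")
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("PASV port 0 is invalid")
    return ".".join(map(str, nums[:4])), port


def classify_pasv(reply: str, control_peer: str) -> tuple[str, int, str]:
    """Compare the advertised address with the control-connection peer.

    ok          - same host we are already talking to
    nat-leak    - private/unroutable address: server behind NAT with no ALG and no pasv_address
    third-party - some other public host: a server (or man-in-the-middle) redirecting the data channel
    """
    adv_ip, port = parse_pasv(reply)
    adv, peer = ipaddress.ip_address(adv_ip), ipaddress.ip_address(control_peer)
    if adv == peer:
        verdict = "ok"
    elif adv.is_private or adv.is_loopback or adv.is_unspecified:
        verdict = "nat-leak"
    else:
        verdict = "third-party"
    return adv_ip, port, verdict


def choose_data_endpoint(reply: str, control_peer: str, trust_server_ip: bool = False) -> tuple[str, int, str]:
    """(ip, port, verdict) to open the data channel to.

    trust_server_ip=False mimics curl --ftp-skip-pasv-ip and ftplib's default
    (trust_server_pasv_ipv4_address=False): reuse the control peer, so a leaked private
    address still works and a third-party redirect is refused.  trust_server_ip=True is
    the naive behaviour of the command-line ftp in the transcript, which hangs on the leak.
    """
    adv_ip, port, verdict = classify_pasv(reply, control_peer)
    if trust_server_ip:
        return adv_ip, port, verdict
    if verdict == "third-party":
        raise ValueError(f"refusing PASV redirect to {adv_ip}:{port}; control peer is {control_peer}")
    return control_peer, port, verdict


def diagnose_samples() -> dict[str, str]:
    """Verdict for each constructed sample reply against the transcript's peer address."""
    return {name: classify_pasv(r, CONTROL_PEER)[2] for name, r in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        ip, port, verdict = classify_pasv(reply, CONTROL_PEER)
        print(f"{name:11s} {ip}:{port:<5d} {verdict}")
```

Run from outside the NAT, the "leaked" case is exactly what the_jaymz saw: port 213*256+144 = 54672 is inside the forwarded 49152-65535 range, so a client that ignores the advertised address and connects to 194.249.51.74:54672 would have completed the listing even without any server-side change.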
« Reply #4 on: June 11, 2007, 07:34:26 »
atomant *
Posts: 7

OK, I think I have found the solution. I'll try it later when I return home, since I have no access to m0n0wall from the internet.
The solution is to add a line pass_address=WANIP to vsftpd.conf, which is the address that the server displays to the client for passive FTP connections.

The only thing that bothers me is why other routers work fine even without this setting.

Bye,
Sasa
« Reply #5 on: June 11, 2007, 18:29:23 »
atomant *
Posts: 7

It works, finally.

Now I can connect to my FTP server from the internet using passive mode. The only thing now is that I can't connect in passive mode from the LAN, because the server tells the client to connect to my WAN IP, and since my server is on the LAN that can't be routed. So I connect with PORT (active) mode.

Maybe someone knows the trick to make it possible to connect from either network using passive mode to a VSFTPD server?
« Last Edit: June 11, 2007, 19:29:42 by atomant »

Bye,
Sasa
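Two caveats a reader copying Reply #4 will want: the vsftpd directive is spelled pasv_address (pass_address is silently ignored, vsftpd only rejects unknown options it can see at startup as a parse error, so check the log), and vsftpd resolves it once when it starts, even with pasv_addr_resolve=YES, so a single instance cannot answer LAN clients with the DMZ address and Internet clients with the WAN address. The supported way to get passive mode from both sides is the one rlpumphrey describes further down for NcFTPd: a second vsftpd instance on a second address without pasv_address, or NAT reflection on the firewall. The following is an added example, not code from the thread or from vsftpd: a small vsftpd.conf parser plus a checker for the passive-mode-behind-NAT invariants, run over three constructed configs that mirror the thread (the original without pasv_address, the fixed WAN-facing instance, a LAN-facing second instance). The public IP 194.249.51.74 and the DMZ address 192.168.200.100 come from the transcript, the forwarded range from the first post; the alias 192.168.200.101 for the second instance is an assumption.

```python
"""Check a vsftpd.conf for passive-mode pitfalls behind inbound NAT (added example).

Not from the thread or from vsftpd itself. The public IP, the DMZ address and
the forwarded port range are taken from the thread; the second instance's
alias address is an assumption."""
from __future__ import annotations

import ipaddress

PUBLIC_IP = "194.249.51.74"   # address shown in the transcript
FORWARDED = (49152, 65535)    # port range the first post says m0n0wall forwards inbound


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """vsftpd.conf: one key=value per line, '#' comment lines, no section headers."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf: dict[str, str], key: str, default: str) -> bool:
    return conf.get(key, default).upper() == "YES"


def check_passive(conf: dict[str, str], *, serves_lan: bool,
                  public_ip: str = PUBLIC_IP, forwarded: tuple[int, int] = FORWARDED) -> list[str]:
    """Findings for one instance; an empty list means PASV should work for that client side.

    serves_lan=True evaluates the instance for a client on the inside that reaches the
    server's private address directly and cannot route to the WAN IP (no NAT reflection)."""
    findings: list[str] = []
    if not _yes(conf, "pasv_enable", "YES"):
        return ["pasv_enable=NO: server refuses PASV"]
    lo, hi = int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:
        findings.append("pasv_min_port/pasv_max_port unset: any high port, the NAT cannot forward them all")
    elif lo > hi or lo < forwarded[0] or hi > forwarded[1]:
        findings.append(f"pasv port range {lo}-{hi} not inside forwarded {forwarded[0]}-{forwarded[1]}")
    addr = conf.get("pasv_address")
    if addr is None:
        if not serves_lan:
            findings.append("pasv_address unset: 227 reply leaks the private address to Internet clients")
        return findings
    if serves_lan:
        findings.append(f"pasv_address={addr}: LAN clients are told to connect to the WAN side")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a hostname is legal only with pasv_addr_resolve=YES (resolved once at startup)
        if not _yes(conf, "pasv_addr_resolve", "NO"):
            findings.append(f"pasv_address={addr} is not an IP literal and pasv_addr_resolve is not YES")
        return findings
    if ip.is_private or str(ip) != public_ip:
        findings.append(f"pasv_address={addr} is not the public IP {public_ip}")
    return findings


def check_two_instances(wan: dict[str, str], lan: dict[str, str]) -> list[str]:
    """Two standalone vsftpd processes on one host need distinct listen addresses."""
    a, b = wan.get("listen_address"), lan.get("listen_address")
    if not a or not b:
        return ["both instances need listen_address so they do not fight over port 21"]
    return [] if a != b else [f"both instances bind {a}:21"]


# Constructed sample configs mirroring the thread.
ORIGINAL_CONF = """\
listen=YES
anonymous_enable=YES
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
"""
# Reply #4's fix, bound to the DMZ address m0n0wall forwards to (seen in the 227 reply).
WAN_CONF = ORIGINAL_CONF + "listen_address=192.168.200.100\npasv_address=194.249.51.74\n"
# Second instance for inside clients on an extra alias (assumed), with no pasv_address.
LAN_CONF = ORIGINAL_CONF + "listen_address=192.168.200.101\n"


def report() -> dict[str, list[str]]:
    orig, wan, lan = (parse_vsftpd_conf(c) for c in (ORIGINAL_CONF, WAN_CONF, LAN_CONF))
    return {
        "original/internet": check_passive(orig, serves_lan=False),
        "original/lan": check_passive(orig, serves_lan=True),
        "wan-instance/internet": check_passive(wan, serves_lan=False),
        "wan-instance/lan": check_passive(wan, serves_lan=True),
        "lan-instance/lan": check_passive(lan, serves_lan=True),
        "two-instances": check_two_instances(wan, lan),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The report reproduces the thread's history: the original config is fine for LAN clients and broken for the Internet, the pasv_address fix inverts that, and only the pair of instances is clean from both sides. Start the second instance with its own config file (vsftpd /path/to/vsftpd-lan.conf) and point LAN clients at the alias address; the m0n0wall NAT entry keeps pointing at 192.168.200.100.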
« Reply #6 on: June 15, 2007, 21:15:20 »
javs *
Posts: 4

Hello

Here is my network configuration

-m0n0wall
- WAN nic
- LAN nic
- DMZ nic

on DMZ there's a linux FTP server (proftpd) using giptables as local firewall.
Firewall settings allow incoming active and passive ftp connections.

I have set up m0n0wall firewall and NAT rules to allow incoming FTP active
and passive connections from the internet.

Everything is working as expected in both modes when clients connect from outside
if the Linux local firewall is disabled, but with it enabled, passive mode is blocked by the
Linux firewall when doing a directory listing. It seems that FTP connection tracking is
messed up in some way, as it is considered a new connection.

Accessing ftp server from lan with linux firewall enabled works.

Any ideas?

« Reply #7 on: June 15, 2007, 22:46:53 »
rlpumphrey *
Posts: 8

I'm using NcFTP running on Linux, and had the same problem. NcFTP allows you to set the value "passive-ip". I could set that value for external users or for internal users, but not for both.

What I ended up doing was adding a second IP address on the FTP server's NIC, and creating a second domain in NcFTP for external users. In my case both domains are configured to use the same directory structure, so internal and external users see the same FTP site. The first domain does not have a "passive-ip" value set, so NcFTP uses the internal IP address for passive transfers. On m0n0wall I set up NAT and rules to send external connections to the second IP address/second domain. The second domain has the "passive-ip" value in its domain config.

Hope this helps
 