Topic: outside ftp  (Read 2245 times)
« on: July 25, 2007, 15:05:28 »
stefan73er *
Posts: 5

hi @ll,

i want to allow ftp from my internal network to the internet. i set up a rule on my lan interface

src     dst        srv
lan     any       ftp (tcp21)

then i can login to the ftp server in the whole wide world but i can't transfer data and i see in the log that traffic from the server source port 20 to my lan network dest. port somewhere between 1024-65535 is dropped. I have to set up a rule on the wan interface that allows this from any with source port 20 to my internal network with any high port to get it working.
From other firewalls i know that they are inspecting the traffic and dynamically open the data channel. Is this also possible with the monowall or is the only way to open this in general?

cheers
Stefan
« Reply #1 on: July 25, 2007, 15:12:26 »
markb ****
Posts: 331

Hi Stefan,
Can you clarify.  Are you trying to let external access to your LAN based ftp server or allow a LAN client to access externally hosted ftp servers?

Mark.
« Reply #2 on: July 26, 2007, 16:50:11 »
stefan73er *
Posts: 5

Hi Stefan,
Can you clarify.  Are you trying to let external access to your LAN based ftp server or allow a LAN client to access externally hosted ftp servers?

Mark.

Hi,

it should be from the LAN clients to an externally hosted ftp server


cheers,   stefan
« Reply #3 on: July 30, 2007, 14:08:23 »
stefan73er *
Posts: 5

is there nobody here who can tell me if this behavior is normal by design or if i'm doing something wrong?

cheers stefan
« Reply #4 on: September 05, 2007, 15:32:55 »
stefan73er *
Posts: 5

hi @ll

still no answer???
Is there nobody else who has this problem? Or could anyone tell me that this is by design
and there's no chance to get it working without the extra rule.

for better understanding, this is my configuration

FTP Client  ---- LAN ------> Monowall ------>  Internet -------- public FTP Server

On LAN Interface i have a rule like this

SRC: LAN network  SRCPort: any   DST: ANY   DSTPort: 21(ftp)   allow

Now i can connect to any ftp server and log in to it but every time when it needs a data connection, like when i do a ls command or a put or get ... it times out and does not work.
In the log i see dropped packets on the WAN interface with source port 20 to different dst ports on my LAN.

Everything is working if i set another rule on the WAN interface

SRC: any network  SRCPort: 20   DST: LAN network    DSTPort: 1024-65535  allow

Do you all here have the same, or is there any trick? I'd rather not open the access to my network for source port 20 all the time. Most firewalls i know inspect the ftp control session and dynamically open the negotiated data connection.
Is there something similar possible with monowall?

best
stefan
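As an added illustration (not from the thread or from m0n0wall's code) of what "inspecting the ftp control session" means: a toy FTP helper that decodes the client's PORT commands from the control channel and derives one narrow pinhole per announced data port, shown beside the broad static source-port-20 rule from the thread. The LAN prefix, addresses and session lines are constructed.

```python
import re

# Constructed active-mode FTP control session from a LAN client (not a capture
# from the thread). In active mode the client announces where the server's
# data connection (from source port 20) should go.
SAMPLE_CONTROL = [
    "USER anonymous",
    "PASS guest@",
    "PORT 192,168,1,23,4,1",     # 4*256+1 = 1025 on the client itself
    "LIST",
    "PORT 192,168,1,23,200,17",  # 200*256+17 = 51217
    "RETR file.txt",
    "PORT 192,168,1,99,0,80",    # names another LAN host: a helper must refuse this
]

LAN_PREFIX = "192.168.1."  # hypothetical LAN for the static-rule comparison
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(line):
    """Decode an FTP PORT command into (ip, port); None if it is not a valid PORT."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def pinholes(control_lines, client_ip, server_ip):
    """What an FTP-aware firewall derives from the control channel: one narrow
    pinhole (server_ip:20 -> client_ip:announced_port) per PORT command.
    PORT commands naming a host other than the client itself are ignored."""
    holes = []
    for line in control_lines:
        parsed = parse_port(line)
        if parsed and parsed[0] == client_ip:
            holes.append((server_ip, 20, client_ip, parsed[1]))
    return holes

def static_rule_allows(src_port, dst_ip, dst_port):
    """The broad WAN rule from the thread: any source with port 20 to any LAN high port."""
    return src_port == 20 and dst_ip.startswith(LAN_PREFIX) and 1024 <= dst_port <= 65535

def pinhole_allows(holes, src_ip, src_port, dst_ip, dst_port):
    """The dynamic alternative: only a connection matching an open pinhole passes."""
    return (src_ip, src_port, dst_ip, dst_port) in holes
```

With the static rule any Internet host that sets its source port to 20 reaches every LAN high port; the helper admits only the server the client is talking to, and only on the ports the client actually announced.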