Not really security but deals with admin. Any help appreciated.
Hello,

I'm trying to set up some port forwarding for ftp. I would like to be able to forward port 2021 and 2020 as an ftp service to an internal machine on our network. I don't have any documentation on this. I know how ftp services work with a control connection and a data connection. I have the control connection working fine, but the data connection of course is not working. I am forwarding 2021 to port 21 on the internal machine, but I don't know how to get the server (internal) to use port 2020 for data even if I was forwarding from 2020 -> 2020. I know that I can't just forward an ftp data connection off of a non-standard port to 20 and expect that to work right because of the ftp commands to change ports. This seems like one hell of a problem, and any help would be greatly appreciated. Thank you. Please let me know if I need to clarify the issue.

Wade Chandler
Lead Developer
Metro IT Solutions
Triad Division: Winston Salem, NC
http://www.metrotriad.com
http://www.metrois.com
wade.chandler@metrois.com

FAVORITE SITES:
http://www.javasoft.com <-- Suns main java web site.
http://www.ddj.com <-- Dr. Dobbs Journal.
On 21-Jun-01 Wade Chandler wrote:
Hello,
I'm trying to set up some port forwarding for ftp. I would like to be able to forward port 2021 and 2020 as an ftp service to an internal machine on our network. I don't have any documentation on this. I know how ftp services work with a control connection and a data connection. I have the control connection working fine, but the data connection of course is not working. I am forwarding 2021 to port 21 on the internal machine, but I don't know how to get the server(internal) to use port 2020 for data even if I was forwarding from 2020 -> 2020. I know that I can't just forward an ftp data connection off of a non standard port to 20 and expect that to work right because of the ftp commands to change ports. This seems like one hell of a problem, and any help would be greatly appreciated. Thank you. Please let me know if I need to clarify the issue.
The basic problem here is reverse masq'ing. Kernels <= 2.2.17 w/o the ip_masq.patch have problems with passive ftp because the ip_masq helper modules (ip_masq_ftp) fail in masq'ing already masq'ed connections from internal hosts (with internal IPs). From the ipmasqadm(8) man page: "Protocols that use control and data connections are always a headache when crossing firewalls. Examples of these are ftp, irc, real audio, etc. [...] For example: ftp from outside to an internal forwarded server wil *not work in PASV mode* because server will send its internal address to outside client [...]" AFAIK the patch I mentioned is now part of the official kernel source tree. What kernel version do you use?
---
Boris Lorenz
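The failure Boris describes comes from the PASV reply itself: the server encodes its own (internal) address and a fresh data port into the 227 line, and a firewall that merely forwards port 2021 to 21 passes that line through untouched, so the outside client tries to open a data connection to an RFC 1918 address. The following Python script is an added illustration, not code from the thread or from the kernel's ip_masq_ftp helper: it parses a 227 reply, flags the leaked internal address, and shows the rewrite a NAT helper (or a masquerading-aware server such as proftpd) has to perform. The sample reply, the public address 203.0.113.10 and the port map {50000: 2020} are constructed assumptions, chosen so the external data port matches the 2020 Wade wanted to forward.

```python
import ipaddress
import re

# Constructed sample traffic (not from the thread): what an internal FTP server
# at 10.0.0.5 sends back on the control connection when a client issues PASV.
# RFC 959 encodes host and port as six decimal octets h1,h2,h3,h4,p1,p2,
# where port = p1*256 + p2, so (195,80) is port 50000.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)\r\n"

PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# The address ranges an outside client can never reach directly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 PASV reply, or None for any other reply."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed octet, treat as not a usable PASV reply
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def leaks_internal_address(reply):
    """True when the server advertises an RFC 1918 address in its PASV reply:
    exactly the symptom the ipmasqadm(8) quote describes."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    addr = ipaddress.ip_address(parsed[0])
    return any(addr in net for net in RFC1918)


def rewrite_pasv(reply, public_ip, port_map):
    """Emulate what an FTP NAT helper must do on the way out: substitute the
    firewall's public address for the internal one and the externally forwarded
    port for the internal data port.  port_map is an assumed
    {internal_port: external_port} table; replies that are not PASV, or whose
    port has no forwarding entry, are returned unchanged."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[1] not in port_map:
        return reply
    ext_port = port_map[parsed[1]]
    octets = public_ip.split(".")
    new_tuple = ",".join(octets + [str(ext_port // 256), str(ext_port % 256)])
    return PASV_RE.sub(f"({new_tuple})", reply, count=1)


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV_REPLY))              # ('10.0.0.5', 50000)
    print(leaks_internal_address(SAMPLE_PASV_REPLY))  # True: client cannot reach this
    fixed = rewrite_pasv(SAMPLE_PASV_REPLY, "203.0.113.10", {50000: 2020})
    print(fixed.strip())                              # 227 ... (203,0,113,10,7,228)
    print(leaks_internal_address(fixed))              # False
```

Running it shows why forwarding the control port alone is not enough: without the rewrite the client is told to connect to 10.0.0.5:50000, and even with the rewrite the firewall must also forward the advertised external port (2020 here) to the server's actual data port, which is what the kernel helper arranges dynamically and what a static port-forward cannot.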
[...] For example: ftp from outside to an internal forwarded server wil *not work in PASV mode* because server will send its internal address to outside client [...]"
Use an ftp server which can masquerade its ip address, like proftpd, and it works.

Regards, ar
--
mailto:andreas@rittershofer.de
http://www.rittershofer.de
PGP-Public-Key http://www.rittershofer.de/ari.htm
Boris,

It is suse 6.4. Kernel version 2.2.14. I need to update, but we are so limited around here in resources that downing the box for one day would be one big fight about what happened. I am doing good to get any hardware. I am the lead programmer as well. We fired our system admin not too long ago, but he was mostly a windows person anyways.

One of my other problems though is that I don't want to use the standard port numbers because if I do then I drop my already existing ftp service on our linux machine. Forwarding the other port numbers has been one of the major concerns. One of the other group members (Peter Wiersig) has written me about the package ftp-proxy. I think I will look into that.

Wade Chandler
Lead Developer
Metro IT Solutions
Triad Division: Winston Salem, NC
http://www.metrotriad.com
http://www.metrois.com
wade.chandler@metrois.com

FAVORITE SITES:
http://www.javasoft.com <-- Suns main java web site.
http://www.ddj.com <-- Dr. Dobbs Journal.

-----Original Message-----
From: Boris Lorenz [mailto:bolo@lupa.de]
Sent: Friday, June 22, 2001 6:02 AM
To: suse-security@suse.com
Subject: RE: [suse-security] Not really security but deals with admin. Any help appreciated.

On 21-Jun-01 Wade Chandler wrote:
participants (3)
-
Andreas Rittershofer
-
Boris Lorenz
-
Wade Chandler