I am interested in your comment about Network Address Translation not being happy with FTP. Every one of my private IPs has been through 2 translations; however, this is done via hardware, and my assumption is that you are referring to Suse's Firewall Masquerading option (software via SPF). Via hardware I can happily translate 100,000 concurrent sessions without issue. Perhaps we need to sometimes remember security starts at the plug in the wall and ends at the desktop, not the other way around.

Just a thought,
Scott

M Harris wrote:
On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:
What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.
I have not run ftp or telnet in production for years.
... the ssh tunnel is ok, but you could try scp instead of ftp.
In your situation you might try passive ftp... but either way it's not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on a 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.
But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... it's the secure copy that ships with ssh... can be compressed, encrypted, and frankly is more flexible than FTP IMO.
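The two-socket problem described above (the data channel announced inside the control channel carries an address NAT never rewrote) can be spotted in a capture of the control session. The following is an added example, not code from anyone in this thread: it parses PASV replies and PORT commands and flags an RFC1918 address, or one that differs from the control-connection peer, which is exactly what a NAT box without an FTP helper produces. The sample lines and the peer address 198.51.100.7 are constructed for the example.

```python
import ipaddress
import re

# RFC 959 formats: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the
# server, "PORT h1,h2,h3,h4,p1,p2" from the client. Port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)

# RFC1918 ranges listed explicitly so the check does not depend on the
# broader "special registry" semantics of ipaddress.is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed control-channel lines as they might appear in a packet capture.
SAMPLE_LINES = [
    "220 ftp ready",
    "227 Entering Passive Mode (192,168,1,10,195,80)",  # server behind NAT leaks private IP
    "PORT 192,168,0,20,4,1",                              # client behind NAT does the same
]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_data_channel(line, control_peer):
    """Diagnose one control-channel line. control_peer is the address the
    control connection is actually seen from on the far side. Returns None
    for lines that do not announce a data channel."""
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    host = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    advertised = ipaddress.ip_address(host)
    problems = []
    if is_rfc1918(advertised):
        problems.append("advertised RFC1918 address is unreachable from the far side")
    if advertised != ipaddress.ip_address(control_peer):
        problems.append("advertised address differs from control peer (NAT without FTP helper?)")
    mode = "passive" if line.startswith("227") else "active"
    return {"mode": mode, "host": host, "port": port, "problems": problems}


def diagnose_session(lines, control_peer):
    """Run the check over a whole control session, dropping non-data lines."""
    return [r for r in (check_data_channel(l, control_peer) for l in lines) if r]


if __name__ == "__main__":
    for result in diagnose_session(SAMPLE_LINES, "198.51.100.7"):
        print(result)
```

An empty `problems` list means the announced endpoint matches what the peer actually sees, which is the state an FTP-aware NAT helper is supposed to produce.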