"Keith.Morgan" wrote:
>
> I have a customer running an ipchains based firewall. Using ipmasqadm
> portfw we're doing static NAT to a webserver behind the firewall with
> private address space. I've been searching around the net for some time
> trying to figure out how to open up FTP to a translated host behind the
> firewall. And before you ask, yes the ip_masq_ftp.o module is loaded on the
> firewall, but this seems to only work for masqueraded hosts behind the fw
> making ftp connections out to the internet. Reversing the process (without
> masq) doesn't seem to work. The ftp server behind the firewall does *NOT*
> support passive mode file transfer.
>
> Is ipmasqadm portfw the wrong way to go with this? Is ipmasqadm autofw the
> way to go? I could use references to good documentation on the use of both
> portfw and autofw regardless of a solution to this problem.
>
> Anyone have a pointer or reference? Or just example command syntax that
> would allow this? Is it possible at all?

You do not need ip_masq_ftp for what you are trying to do (port forwarding to
an "active only" FTP server). The port forwarding module correctly allows the
primary connection to the FTP server through your firewall. When the FTP
server later tries to send data (whether a file or a directory listing), it
opens a secondary connection from the server to the client. It is probably
this secondary connection that is not getting through your firewall. If so,
clients would be able to log in to the FTP server and copy files *to* the FTP
server, but wouldn't be able to get a directory listing or copy files from
the server.

The standard IP masquerading feature of ipchains/Linux can be used to allow
the secondary data connections to go through. You have to configure the
firewall to masquerade ftp data connections from the FTP server. Assuming
that your FTP server opens data connections from the ftp-data TCP port (20),
you could allow masquerading on just that connection with

    ipchains -A forward -p tcp -s <int-IP-addr> ftp-data -j MASQ

where <int-IP-addr> is the internal IP address of the FTP server. If the FTP
server uses other source ports for opening data connections, you would have
to use

    ipchains -A forward -p tcp -s <int-IP-addr> -j MASQ

Note that for masquerading to work, you have to allow the receipt of packets
from remote servers to the remapped TCP port range used by masquerading. For
TCP, the masqueraded port range is 61000-65095. At a minimum, you'd have to
allow established TCP connections on these destination ports to enter the
firewall so that the masquerading code can then forward/rewrite them
appropriately. This can be done with something like:

    ipchains -A input -p tcp -d <ext-IP-addr> 61000:65095 ! -y -j ACCEPT

where <ext-IP-addr> is the external IP address being used for the FTP
connections (often the firewall external IP address, but not always). Note
that this is the most restrictive rule that will work; ipchains firewalls are
often set up to allow TCP traffic to all non protected ports (1024 and above)
rather than just the IP masquerade range.

Although you said you didn't need it, it is possible to support passive FTP
on a port forwarded FTP server. In that case, you *do* need ip_masq_ftp. You
have to tell ip_masq_ftp which ports will be used for incoming FTP
connections so that the ip_masq_ftp code can recognize and handle PASV
commands. For example, if you set up port forwarding to your FTP server with

    ipmasqadm portfw -a -P tcp -L <ext-IP-addr> <portnum> -R <int-IP-addr> ftp

you'd need to tell ip_masq_ftp to monitor <portnum>. You do this with the
"in_ports" parameter to ip_masq_ftp. If you're using modprobe to load
ip_masq_ftp, the easiest way to do this is to add the line

    options ip_masq_ftp in_ports=<portnum>

to /etc/modules.conf. Note that this is necessary even if you're using the
standard FTP port number (21).

Finally, you have to allow external systems to establish TCP connections to
the masqueraded passive data ports; instead of the ipchains input rule above,
you'd use

    ipchains -A input -p tcp -d <ext-IP-addr> 61000:65095 -j ACCEPT

--
Wes Chalfant
Peabody Systems
wesat_private
(714) 639-8643
FAX (714) 639-2817

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://www.nfr.com/mailman/listinfo/firewall-wizards
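An added illustration, not part of the list post and not ipchains or ip_masq_ftp code: a small Python model of the rules in the reply, applied to the packets of an active-mode and a passive-mode transfer through the port-forwarded server. The addresses, client ports, the masquerade-port allocator and the approximation of ip_masq_ftp's 227-reply rewriting are assumptions made for the example. It shows why the "! -y" input rule is enough for the server's outbound port-20 data connection (only the client's SYN/ACK has to come back in) but not for a client's inbound SYN to a PASV port, and why the 227 reply keeps the private address unless the control port is listed in in_ports.

```python
"""Model (constructed for this example) of the ipchains rules from the reply,
applied to active- and passive-mode FTP data connections through a
port-forwarded server.  Addresses, ports, the masquerade-port allocator and
the ip_masq_ftp behaviour are assumptions; real ipchains is only approximated."""
import re
from dataclasses import dataclass

EXT_IP = "203.0.113.10"    # assumed firewall external address (<ext-IP-addr>)
INT_IP = "192.168.1.20"    # assumed FTP server private address (<int-IP-addr>)
CLIENT = "198.51.100.7"    # assumed external FTP client
MASQ_LOW, MASQ_HIGH = 61000, 65095   # ipchains TCP masquerade port range


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def syn_only(p: Pkt) -> bool:
    """ipchains '-y': SYN set with ACK and FIN clear, i.e. a new-connection attempt."""
    return "SYN" in p.flags and not ({"ACK", "FIN"} & p.flags)


def accept_input_active(p: Pkt) -> bool:
    """ipchains -A input -p tcp -d <ext-IP-addr> 61000:65095 ! -y -j ACCEPT"""
    return p.dst == EXT_IP and MASQ_LOW <= p.dport <= MASQ_HIGH and not syn_only(p)


def accept_input_passive(p: Pkt) -> bool:
    """ipchains -A input -p tcp -d <ext-IP-addr> 61000:65095 -j ACCEPT"""
    return p.dst == EXT_IP and MASQ_LOW <= p.dport <= MASQ_HIGH


def alloc_masq_port(table: dict, inside: tuple) -> int:
    """Assumed allocator: next free port in the masquerade range, mapped to inside."""
    port = MASQ_LOW + len(table)
    table[port] = inside
    return port


def masquerade_forward(p: Pkt, table: dict) -> Pkt:
    """ipchains -A forward -p tcp -s <int-IP-addr> ftp-data -j MASQ
    Rewrites the source of a port-20 packet from the server to the firewall."""
    if p.src == INT_IP and p.sport == 20:
        return Pkt(EXT_IP, alloc_masq_port(table, (p.src, p.sport)), p.dst, p.dport, p.flags)
    return p


PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def rewrite_pasv_reply(line: str, ctrl_port: int, in_ports: set, table: dict) -> str:
    """Approximation of ip_masq_ftp on a '227' reply: rewritten only when the
    control port is one it watches (the in_ports parameter)."""
    m = PASV_RE.search(line)
    if ctrl_port not in in_ports or not m:
        return line                      # private address passes through untouched
    a, b, c, d, p1, p2 = map(int, m.groups())
    mport = alloc_masq_port(table, (f"{a}.{b}.{c}.{d}", p1 * 256 + p2))
    ext = EXT_IP.replace(".", ",")
    return line[:m.start()] + f"({ext},{mport // 256},{mport % 256})" + line[m.end():]


def active_transfer_ok(accept_input) -> bool:
    """Server-initiated data connection: does the client's SYN/ACK get back in?"""
    table = {}
    # The server answers a PORT command by connecting from port 20 to the client.
    syn = masquerade_forward(Pkt(INT_IP, 20, CLIENT, 50123, frozenset({"SYN"})), table)
    if syn.src != EXT_IP:
        return False
    reply = Pkt(CLIENT, 50123, EXT_IP, syn.sport, frozenset({"SYN", "ACK"}))
    return accept_input(reply) and table.get(reply.dport) == (INT_IP, 20)


def passive_transfer_ok(accept_input, in_ports) -> bool:
    """Client-initiated data connection to whatever the client saw in the 227 reply."""
    table = {}
    seen = rewrite_pasv_reply("227 Entering Passive Mode (192,168,1,20,156,203)",
                              21, in_ports, table)
    a, b, c, d, p1, p2 = map(int, PASV_RE.search(seen).groups())
    syn = Pkt(CLIENT, 50124, f"{a}.{b}.{c}.{d}", p1 * 256 + p2, frozenset({"SYN"}))
    # A SYN aimed at the private address never matches the external-side rule.
    return accept_input(syn) and table.get(syn.dport) == (INT_IP, 40139)


if __name__ == "__main__":
    print("active, '! -y' rule:  ", active_transfer_ok(accept_input_active))
    print("passive, '! -y' rule: ", passive_transfer_ok(accept_input_active, {21}))
    print("passive, open rule:   ", passive_transfer_ok(accept_input_passive, {21}))
    print("passive, no in_ports: ", passive_transfer_ok(accept_input_passive, set()))
```

The port arithmetic in the 227 reply is the real one (port = p1*256 + p2); everything else is a deliberately small stand-in for the kernel's masquerade table, so treat the four outcomes as a reading aid for the rules, not as a test of an actual ipchains box.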
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 10:00:02 PDT