Firewall and ftp service

From: Axel Scheepers (ascheepe@surf.iae.nl)
Date: 07/07/01


Date: Sat, 7 Jul 2001 15:32:47 +0200
From: Axel Scheepers <ascheepe@surf.iae.nl>
To: freebsd-security@freebsd.org

Hi everybody,
I hope I'm not being really off topic with this one but
it's been troubling me for a while now.
I'm looking for a way to provide access to an ftp server, my current
network layout looks like this:

Cable Modem ------> Gateway ---------> http/ftp server
                                                |
                                                |
                                                +------------> private http/ftp/sql server
                                                |
                                                |
                                                +------------> my workstation

The gateway does natd and ipf since the other servers have private
addresses. The problem now is that whenever I connect to my
ftp servers from the outside, the server is unable to set up a
data connection, because it wants to connect on a port > 1024, which
is blocked by my firewall (and I want to leave it that way).
Natd does the following:
natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
which redirects the traffic to my public ftp server.

As I see it there can be 2 problems with this setup;
1) The server wants to initiate the data connection at a port > 1024 and/or
2) The server still somehow reports 192.168.0.5 as its address to the clients.

I have tried to connect with the option passive is off, which I thought
should force the server to stay on port 21 for the data connection, but
it didn't work. :(
Can/will somebody help on getting this done the proper way?
I just want to use ipfilter, if possible, and I don't like to install
an ftp proxy for this.

Greetings,
Axel Scheepers

Unix System Administrator
VIA NET.WORKS Nederland
http://www.vianetworks.nl
ascheepers@vianetworks.nl
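The data-connection problem described in the post, as an added example (it is not part of the original message, nor code from natd or ipfilter). In active mode the client sends a PORT command and the server connects back from port 20; in passive mode the server answers PASV with a 227 reply naming an ephemeral port above 1024 that the client must reach. Behind NAT that reply also carries whatever address the server itself sees, here 192.168.0.5. The script below parses both messages, flags the two failure modes listed in the post (a private address advertised to the outside, and a data port the gateway filter does not allow), and shows the rewrite of the 227 reply that an FTP-aware NAT must perform. The control-channel lines and the gateway address 203.0.113.10 are constructed sample values.

```python
import ipaddress
import re

# Constructed sample control-channel lines (not captured from the poster's server).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,0,5,19,137)."
SAMPLE_PORT_COMMAND = "PORT 10,0,0,2,4,1"

# Hypothetical public address of the gateway (documentation range, RFC 5737).
GATEWAY_PUBLIC_IP = "203.0.113.10"

# RFC 1918 ranges: an address from these must never be advertised to outside clients.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# FTP encodes address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_tuple(text):
    """Extract (ip, port) from the six-number tuple used by PASV replies and PORT."""
    m = _SIX_TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("value out of octet range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(line):
    """Passive mode: the server tells the client where to open the data connection."""
    if not line.startswith("227"):
        raise ValueError("not a 227 Passive Mode reply: %r" % line)
    return _decode_tuple(line)


def parse_port_command(line):
    """Active mode: the client tells the server where to connect back (from port 20)."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return _decode_tuple(line)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def diagnose_pasv(reply, public_ip, allowed_ports=range(1, 1025)):
    """Return the reasons an outside client could not use this passive reply.

    allowed_ports models the gateway filter; the default mirrors the post's
    rule that only ports up to 1024 are reachable from outside.
    """
    ip, port = parse_pasv_reply(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append("private-address-advertised")   # problem 2 in the post
    elif ip != public_ip:
        problems.append("unexpected-address")
    if port not in allowed_ports:
        problems.append("data-port-blocked")            # problem 1 in the post
    return problems


def rewrite_pasv_reply(reply, public_ip):
    """The address fix-up an FTP-aware NAT applies before relaying the 227 reply.

    Only the address is replaced; the data port is left as the server chose it,
    so the filter must still allow that port (or the server must be pinned to a
    fixed passive range that the filter opens).
    """
    _, port = parse_pasv_reply(reply)
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return _SIX_TUPLE.sub(new_tuple, reply, count=1)


if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))
    print(parse_port_command(SAMPLE_PORT_COMMAND))
    print(diagnose_pasv(SAMPLE_PASV_REPLY, GATEWAY_PUBLIC_IP))
    print(rewrite_pasv_reply(SAMPLE_PASV_REPLY, GATEWAY_PUBLIC_IP))
```

Running the script on the constructed reply reports both problems: the tuple decodes to 192.168.0.5 port 5001, the address is RFC 1918 and the port is outside the range the filter permits. The rewrite function only repairs the address; the port issue remains, which is why a plain port redirect on 20 and 21 is not enough on its own and the passive data port range still has to be reachable through the filter.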
