Firewall and ftp service

From: Axel Scheepers (ascheepe@surf.iae.nl)
Date: 07/07/01


Date: Sat, 7 Jul 2001 15:32:47 +0200
From: Axel Scheepers <ascheepe@surf.iae.nl>
To: freebsd-security@freebsd.org

Hi everybody,
I hope I'm not being really off topic with this one but
it's been troubling me for a while now.
I'm looking for a way to provide access to an ftp server, my current
network layout looks like this:

Cable Modem ------> Gateway ---------> http/ftp server
                                                |
                                                |
                                                +------------> private http/ftp/sql server
                                                |
                                                |
                                                +------------> my workstation

The gateway does natd and ipf since the other servers have private
addresses. The problem now is that whenever I connect to my
ftp servers from the outside, the server is unable to set up a
data connection, because it wants to connect on a port > 1024, which
is blocked by my firewall (and I want to leave it that way).
Natd does the following:
natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
which redirects the traffic to my public ftp server.

As I see it there can be 2 problems with this setup:
1) The server wants to initiate the data connection at a port > 1024 and/or
2) The server still somehow reports 192.168.0.5 as its address to the clients.

I have tried to connect with the passive option off, which I thought
should force the server to stay on port 21 for the data connection, but
it didn't work. :(
Can/will somebody help on getting this done the proper way?
I just want to use ipfilter, if possible, and I don't like to install
an ftp proxy for this.

Greetings,
Axel Scheepers

Unix System Administrator
VIA NET.WORKS Nederland
http://www.vianetworks.nl
ascheepers@vianetworks.nl
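As an added illustration of the two problems the post suspects (example code, not from the original message or from FreeBSD), a small Python check that parses the 227 PASV reply the internal server sends back through the gateway and reports whether it advertises the private address or a data port the filter would drop; it also shows the substitution an FTP-aware gateway has to make in that reply. The sample control-channel lines, the public address 198.51.100.9 and the function names are constructed/assumed.

```python
import ipaddress
import re

# Constructed sample lines (not from the original post). 192.168.0.5 is the
# poster's private ftp server; 203.0.113.7 and 198.51.100.9 are documentation addresses.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,0,5,195,80)"
SAMPLE_PORT_CMD = "PORT 203,0,113,7,4,1"
GATEWAY_PUBLIC_IP = "198.51.100.9"   # assumed public address of the gateway

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_endpoint(line):
    """Return (ip, port) from a PASV reply or PORT command, or None if malformed.
    RFC 959 encodes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    m = _ENDPOINT_RE.search(line)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def diagnose_pasv_reply(reply, allowed_ports=range(1, 1024)):
    """List why a client outside the NAT could not open the data connection
    that this 227 reply from the internal server advertises."""
    endpoint = parse_ftp_endpoint(reply)
    if not reply.startswith("227") or endpoint is None:
        return ["not a well-formed 227 Entering Passive Mode reply"]
    ip, port = endpoint
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append(f"server advertises its private address {ip} (the poster's problem 2)")
    if port not in allowed_ports:
        problems.append(f"data port {port} is above what the firewall passes (the poster's problem 1)")
    return problems


def rewrite_pasv_reply(reply, public_ip):
    """What an FTP-aware gateway has to do: substitute the public address in the
    227 reply. The port stays, so the filter must still admit it and NAT must map it."""
    endpoint = parse_ftp_endpoint(reply)
    if endpoint is None:
        return reply
    _, port = endpoint
    h = public_ip.replace(".", ",")
    return _ENDPOINT_RE.sub(f"{h},{port // 256},{port % 256}", reply, count=1)
```

Run against SAMPLE_PASV_REPLY, diagnose_pasv_reply reports both the 192.168.0.5 leak and data port 50000, and rewrite_pasv_reply shows that fixing the address alone still leaves the high port to be allowed.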



