From: Anders J. <And...@ci...> - 2002-01-31 07:59:49
Hi all. With all the help I've got from you out there and with some digging and thinking by myself (humble as always ..;-) I now have access to my ftp on my DMZ in both active and passive mode (I think). There is still one problem but maybe somebody has a solution for that also. I thought I'd share my experience with this problem with you now so it might end up in the FAQ later on (if any maintainers are listening that is ..). Feel free to rewrite this article since English is not my first language..

Problem: Setting up an ftp-server on the DMZ (Orange net)

1. Getting active ftp to work.

Active ftp uses two channels: first the client opens a command channel on port 21 on the ftp-server, then the server opens a port on the client using port 20 as source port. Getting this to work is pretty straightforward. All we need to do is to open a channel to the ftp server on tcp port 21. We do this by first adding a port-forward rule from port 21 for all IPs to port 21 on the ftp server. Secondly we need to open this port for external access, so add port 21 to your list of externally opened ports. That's it, it should work now.

2. Getting passive ftp to work.

This is a bit harder to do and we need to change things on both the firewall and on the ftp-server. Passive ftp uses the same port 21 as command channel, but where the server opened a data channel to the client in active mode, it instead tells the client to open a channel on a specified port and the client opens the data channel.

What we first need to do is to edit the parameters on the ftp-server. Since you don't want to open an infinite number of ports you have to decide how many concurrent passive ftp-connections you will allow (less is better). Now edit your config file for the ftp-server so it uses a specific range of ports for passive ftp (10000-10005 or 57100-57120 or whatever you like). These ports should be in the user-ports area.

Secondly your ftp-server should also have a parameter for masquerading; add that parameter and tell your server to masquerade as your public IP address. This is an application-level masquerade, not the same as what your firewall is doing, but necessary so the client opens the data channel to the right IP. Now you need to restart your ftp so it loads your new configuration.

OK, let's configure IPCop. Since we already have forwarded port 21, all we now have to do is to add port-forward rules for ALL the ports you configured as passive ports; maybe you now understand that less is better :-) Since these ports are in the high range they are already opened in the firewall, so no need for external-access rules.

3. Unsolved problems with this solution.

When you add the MasqueradeAddress directive in your ftp-configuration the ftp connection from your green net stops working. This is because your server gives back the public IP address and you won't be port-forwarded to it. Maybe somebody has a solution for this?

/Anders

Ps. A lot of people have suggested to port-forward and open up port 20 but I see no use for that. Ds.

anders.johansson
citat solutions | phone +46 8 503 097 78
drottninggatan 71d 3tr, 111 36 stockholm, sweden
and...@ci...
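The two things this setup depends on, the server advertising the public address and only ports inside the forwarded passive range, can be checked from the server's own PASV reply. The following is an added example, not code from the post or from IPCop: it decodes a "227 Entering Passive Mode" line as defined in RFC 959 and reports a mismatch. The public address and the 57100-57120 range are constructed sample values.

```python
import re

# Constructed sample values (not from the original post): the public
# address the server is told to masquerade as, and the passive range
# that is port-forwarded on the firewall (57100-57120 inclusive).
PUBLIC_IP = "198.51.100.10"
PASV_RANGE = range(57100, 57121)

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a PASV reply into (ip, port); port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, public_ip=PUBLIC_IP, pasv_range=PASV_RANGE):
    """Return a list of problems with the address/port the server advertises.

    An empty list means an external client would connect to the public IP
    on a port the firewall actually forwards.  Note that a client on the
    green net gets the same public address back, which is exactly the
    unsolved problem described in point 3 of the post.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        # A DMZ address here means the masquerade directive is missing:
        # an external client would try to reach an unroutable address.
        problems.append("advertised %s, expected public %s" % (ip, public_ip))
    if port not in pasv_range:
        # Outside the forwarded range the data connection never arrives.
        problems.append("port %d outside forwarded range %d-%d"
                        % (port, pasv_range.start, pasv_range.stop - 1))
    return problems


if __name__ == "__main__":
    # Constructed replies: one correct, one with a DMZ address, one with a
    # port outside the forwarded range.
    for line in ("227 Entering Passive Mode (198,51,100,10,223,20)",
                 "227 Entering Passive Mode (10,0,0,5,223,20)",
                 "227 Entering Passive Mode (198,51,100,10,39,16)"):
        print(line, "->", check_pasv(line) or "ok")
```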