[IPCop-user] FTP on DMZ Mini-HowTo

[Anders J. <And...@ci...>]

Hi all.
 
With all the help I've got from you out there and with some digging and
thinking by myself (Humble as allways ..;-) I now have access to my ftp on
my DMZ in both active and passive mode (I think) There is still one problem
but maybe somebody has a solution for that also. I thouth I'd share my
experince in this problem with you now so it might end up in the FAQ later
on (If any maintainers are listening that is ..) Feel free to rewrite this
artikel since english is not my first language..
 
Problem: Setting up a ftp-server on the DMZ (Orange net)
 
1. Getting active ftp to work.
Active Ftp uses two channels, first the client opens a command channel on
port 21 on the ftp-server then the server opens a port on the klient useing
port 20 as source port.
 
To get this to work is pretty straight forward. All we need to do is to open
a channel to the ftp server on tcp port 21. We do this by first adding a
port-forward rule from port 21 for all IP to port 21 on the ftp server.
Secondly we need to open this port for external access, so add port 21 in
your list of externally opened ports. That's it it should work now.
 
2. Getting passive ftp to work
This is a bit harder to do and we need to change things on both the firewall
and on the ftp-server.
Passive ftp uses the same port 21 as command channel but when the server
opened a data channel to the client in the active mode it instead tells the
client to open a channel on a specified port and the client opens the data
channel.
 
What we first need to do is to edit the parameters on the ftp-server. Since
you don't want to open an infinite number of ports you have to decide on how
many concurrent passive ftp-connections you will allow (less is better) Now
edit your config file for the ftp-server so it uses a specific range of
ports for passive-ftp (10000-10005 or 57100-57120 or whatever you like)
These ports should be in the user-ports area. Secondly your ftp-server
should also have a parameter for masqueradeing add that parameter and tell
your server to masquerade as your public ip-adress. This is and applicatory
masquerade not the same as what your firewall is doing but nessesary so the
client opens the data channel to the right IP. Now you need to restart your
ftp so it loads your new configuration.
 
OK, lets configure IPCop. Since we allready have forwarded port 21 all we
now have to do is to add port-forward rules for ALL the ports you configured
as passive ports, maybe you now understand that less is better :-) Since
these ports are in the high range they are allready opened in the firewall
so no need for exterlnal-access rules.
 
3. Unsolved problems with this solution.
When you add the MasqueradeAddress directive in your ftp-configuration the
ftp connection from your green net stops working. This is because your
server gives back the public-ip address and you wont be portforwarded to it.
Maybe somebody has a solution for this ?

 
    /Anders
 
Ps. A lot of people has suggested to port-forward and open up port 20 but I
see no use of that. Ds

anders.johansson 
citat solutions | phone +46 8 503 097 78 
drottninggatan 71d 3tr, 111 36 stockholm, sweden, and...@ci...