August 5, 2010 at 7:25 am #42563
I wonder how I should configure my Zeroshell firewall so that my clients can connect to foreign FTP servers (in PASV mode).
I have a single IP address, all clients are NATed and firewalled through a Zeroshell box.
The firewall is configured as a white list which means that outgoing connections to all ports are being dropped except those which are allowed (HTTP, POP3, SMTP, …).
Active FTP connections obviously won’t work as the server is unable to directly connect to a port opened by a NATed client. An option would be to assign a small port range to be forwarded directly to one client. The FTP client then can only use those ports for FTP data transfer which would be fine – but so far I haven’t found a Windows FTP client that allows its active ports to be chosen.
Passive FTP connection do not work either – as I understand it, the server opens an arbitrary port to which the client is allowed to connect. As my firewall allows only a very limited number of selected ports to connect, the FTP client will fail to connect to the server’s data port.
Is there any chance of configuring my firewall/NAT/port forwarding/(ftp client?) in a way that FTP connections are possible through ZeroShell?
Thanks in advance!

August 5, 2010 at 10:05 am #50864
I suppose you have enabled nf_conntrack and nf_nat_ftp as a module. It is supposed to keep track of connections so that when you open an outgoing connection the reply is accepted. Check that packets are not dropped on the firewall by enabling logging. Try to use L7 protocol matching instead of plain ports. Use both ports 20 and 21 for FTP.

August 6, 2010 at 6:34 am #50865
Thanks for replying. I am using Zeroshell 1.0.beta10 (which is quite old, I know – but updates for some reason failed). Connection tracking is active; I do not know anything about modules… even though the latter one you mentioned sounds interesting.
This is my current configuration for FTP:
BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 tcp dpt:21 no
BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 state RELATED no
BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 tcp dpt:20 no
BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 LAYER7 l7proto ftp no
Active FTP works just fine – but passive FTP does not for some reason. Some servers my clients would like to connect to only allow PASV connections so I wonder what I am doing wrong… Any more hints?
Thanks in advance!

August 6, 2010 at 1:57 pm #50866
In line 2 you also have to add
Apart from that, you don't mention which is the WAN interface, which is the source IP and which is the destination IP of the FTP server.
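As an added illustration (not from the thread, and not Zeroshell or kernel code), the script below models why the whitelist above passes active FTP but drops passive FTP unless the FTP connection-tracking helper is loaded. It parses the control-channel lines that announce a data connection (the client's PORT command, the server's 227 passive reply and 229 extended-passive reply), derives the data port the same way the kernel's nf_conntrack_ftp helper does (p1*256 + p2), and then applies the thread's reduced rule set: outgoing tcp dpt 21, tcp dpt 20, or state RELATED. The addresses, the transcript and the helper model are constructed for the example and simplified; the real helper registers an in-kernel expectation rather than a Python object.

```python
import re
from dataclasses import dataclass

# Simplified, hypothetical model of the kernel FTP helper (nf_conntrack_ftp):
# it reads the FTP control channel (port 21) and registers an "expectation"
# for the data connection announced there, so that when that connection
# arrives it is classified as state RELATED instead of NEW.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Expectation:
    src: str    # host that will open the data connection
    dst: str    # host it will connect to
    dport: int  # destination port of the data connection


def parse_control_line(line, client_ip, server_ip):
    """Return the data-connection Expectation announced by one control-channel
    line, or None if the line announces nothing. PORT (active), 227 (passive)
    and 229 (extended passive) are handled; other lines are ignored."""
    m = PORT_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Active mode: the server connects back to the client's announced port.
        return Expectation(src=server_ip, dst=host, dport=port)
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Passive mode: the client connects out to an arbitrary server port.
        return Expectation(src=client_ip, dst=host, dport=port)
    m = EPSV_RE.match(line)
    if m:
        # EPSV replies carry only the port; the address is the server's own.
        return Expectation(src=client_ip, dst=server_ip, dport=int(m.group(1)))
    return None


def outbound_allowed(dport, related):
    """The whitelist from the thread, reduced to what matters for FTP: accept
    outgoing tcp dpt 21, tcp dpt 20, or any flow in state RELATED; everything
    else falls through to the drop policy."""
    return dport in (20, 21) or related


def passive_session(control_lines, client_ip, server_ip, helper_loaded):
    """Walk a control-channel transcript and report, for each data connection
    the NATed client would open, whether the firewall lets it out.
    Without the helper nothing marks the data flow RELATED, so only the
    whitelisted ports get through."""
    results = []
    for line in control_lines:
        exp = parse_control_line(line, client_ip, server_ip)
        if exp is None or exp.src != client_ip:
            continue  # only client-initiated (outgoing) data connections matter here
        results.append((exp.dport, outbound_allowed(exp.dport, helper_loaded)))
    return results


# Constructed sample transcript (not captured from the thread); the server
# announces data ports 200*256+10 = 51210 and 51211.
TRANSCRIPT = [
    "220 ftp.example.test ready",
    "USER anonymous",
    "230 Login ok",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,200,10)",
    "LIST",
    "EPSV",
    "229 Entering Extended Passive Mode (|||51211|)",
]

CLIENT_IP = "192.168.10.5"   # constructed LAN client behind the NAT
SERVER_IP = "203.0.113.10"   # constructed FTP server (documentation range)

if __name__ == "__main__":
    for loaded in (False, True):
        print("helper loaded" if loaded else "no helper",
              passive_session(TRANSCRIPT, CLIENT_IP, SERVER_IP, loaded))
```

Running it shows both passive data ports dropped without the helper and accepted (as RELATED) with it, which is the difference between the poster's working active sessions (where the server connects back to the client, a path the NAT box already handles) and the failing passive ones. Note that the helper only sees the control channel if it is plain text on port 21; FTP over TLS hides the 227 reply from it, and a non-standard control port needs the helper told about it explicitly.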