How to configure FTP through Firewall/NAT?

Home Page Forums Network Management Networking How to configure FTP through Firewall/NAT?

This topic contains 2 replies, has 0 voices, and was last updated by  Aileron 9 years, 2 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #42563

    Aileron
    Member

    Hi everybody,

    I wonder how I should configure my Zeroshell firewall so that my clients can connect to foreign FTP servers (in PASV mode).

    I have a single IP address, all clients are NATed and firewalled through a Zeroshell box.

    The firewall is configured as a white list which means that outgoing connections to all ports are being dropped except those which are allowed (HTTP, POP3, SMTP, …).

    Active FTP connections obviously won’t work as the server is unable to directly connect to a port opened by a NATed client. An option would be to assign a small port range to be forwarded directly to one client. The FTP client then can only use those ports for FTP data transfer which would be fine – but so far I haven’t found a Windows FTP client that allows its active ports to be chosen.

    Passive FTP connection do not work either – as I understand it, the server opens an arbitrary port to which the client is allowed to connect. As my firewall allows only a very limited number of selected ports to connect, the FTP client will fail to connect to the server’s data port.

    Is there any chance of configuring my firewall/NAT/port forwarding/(ftp client?) in a way that FTP connections are possible through ZeroShell?

    Thanks in advance!

    #50864

    ppalias
    Member

    I suppose you have enabled nf_conntrack and nf_nat_ftp as a module. It is supposed to keep tracking of connections so when you open an outgoing connection the reply is accepted. Check that packets are not dropped on the firewall by enabling logging. Try to use L7 protocol matching instead of plain ports. Use both ports 20 and 21 for ftp.

    #50865

    Aileron
    Member

    Thanks for replying, I am using zeroshell 1.0.beta10 (which is quite old, I know – but updates for some reasons failed) Connection tracking is active, I do not know anything about modules… even though the latter one you mentioned sounds interesting.

    This is my current configuration for FTP:

    BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 tcp dpt:21 no
    BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 state RELATED no
    BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 tcp dpt:20 no
    BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 LAYER7 l7proto ftp no

    Active FTP works just fine – but passive FTP does not for some reason. Some servers my clients would like to connect to only allow PASV connections so I wonder what I am doing wrong… Any more hints?
    Thanks in advance!

    #50866

    ppalias
    Member

    In the line 2 you have to also add

    ESTABLISHED

    Apart from that you don’t mention which is the wan interface, which is source IP and which is the destination IP of the ftp server.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.