I am working on developing a firewall system for a client utilizing RedHat 5.0 and IP Masquerading. I have pretty much got everything working to my satisfaction with the exception of one thing. I have a public FTP server sitting behind the MASQ machine... I am using a very minimal set of rules as a result of this problem. I like to start simple and get everything working before I attempt to tighten things up.

Anyway, I am using ipportfw to bounce all incoming requests received on port 21 by the MASQ machine to the FTP server behind the firewall. This works great with "standard" or "ported" FTP clients (i.e. CuteFTP, WS_FTP, etc...). However, it does not work so great with PASV FTP clients like the ones built into many of the standard Web browsers.

Here is my limited understanding of how PASV mode FTP works... I understand that the incoming "command" channel still comes into the FTP server on port 21 as with "standard" FTP requests... and I understand that the server then picks a port >1023 and sends the port number back to the client so that the client can open a second "data" channel to that port on the FTP server.

Initially I figured that all I had to do was set up ipautofw on the MASQ machine to bounce all requests received in that range (>1023) to the FTP server behind the firewall... and as you have probably guessed... it did not work. Using a PASV mode FTP client I think I see why... the initial "command" channel is opened no problem... and it would appear that the server's reply with the port number is received by the client no problem... the problem seems to be when the client tries to open the second "data" channel with the FTP server: it tries to connect to the un-masqed IP address of the FTP server located behind the firewall.

If anyone has a "work around" or suggestions I would appreciate it... I am a bit stumped on this one since the IP address must be coming in to the client as part of the FTP server's port response ???
Thanks,
Dave Hammond
Network Administrator - EZ-Net
[EMAIL PROTECTED]
