Chris Bagnall wrote:
> You said:
>>Your suggestion does not work:
>>- on m0n0wall, outbound connections to port 2100 are enabled,
>>- an ftp client connects to the remote ftp server's port 2100
>> through m0n0wall (but not through ftp-proxy, as ftp-proxy
>> supports only port 21),
>>- the server says to the client that it opens port XXX for
>> the passive connection,
>>- m0n0wall _does_not_ create a dynamic 'enable' rule for this
>> "passive connection" port XXX between the remote ftp server
>> and the local client,
>>- the client tries to access port XXX on the remote ftp server,
>>- m0n0wall, of course, BLOCKS this connection :-(
>>>>Is there (maybe in beta versions) _any_ possibility to configure
>>>>m0n0wall to serve such actions ?
> I made the assumption that all outgoing connections from your clients (i.e.
> lan subnet) were allowed (m0n0's default config). In that configuration,
> m0n0 will not block *any* outgoing connections, either to 2100 (your remote
> FTP's connect port) or whatever PASV port is assigned to the client.
> If you aren't allowing unrestricted access from your clients to the net I
> fully agree that this isn't going to work. Is there any particular reason
> why you need to prevent your clients having unrestricted net access?
Unfortunately, yes. It is the company policy :-(
>>>I remember doing this on an old ipchains based firewall
>>>some years ago
>>>to enable PORT rewriting on 990 - maybe someone else will
>>>know how to
>>>do something similar with m0n0?
>>Sorry, what kind of port rewriting do you mean? In the case of
>>access to remote ftp servers, only a special ftp proxy works,
>>one which knows the ftp protocol and rewrites it. Do you mean this or
> Exactly as you describe. FTP Proxy.
>>p.s. Of course, no ftp proxy is needed if all ports are
>>enabled for outbound connections and the ports
>>are translated one-to-one.
> The ports don't need to be translated one-to-one (m0n0 will still do NAT),
> but clients inside your LAN will need to be able to make outgoing
> connections to the remote FTP's PASV port range. If the remote FTP is under
> your control, you may be able to limit the PASV port range it uses and allow
> your clients to make outbound connections in that range. However, if you
> don't have control over the remote FTP, PASV ports can be anywhere from
> 1025-65535 from what I remember.
Of course remote ftp servers are not under my control...
> Hope this helps.
Thanks for such detailed answers.
p.s. Let us wait for an extended configuration of ftp-proxy...
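The failure described in this thread, worked through as an added example (my own illustration, not code from m0n0wall or its ftp-proxy): a PASV reply is parsed for the dynamic data port the server announces, and an egress policy of "only ports 21 and 2100 allowed" is compared against the unrestricted default and against a server whose PASV range is known. The sample replies and the `pasv_verdict` policy model are constructed for the example; the host check reflects what a pinhole-opening proxy should do, namely only open a rule toward the host the control connection went to.

```python
import re

# Constructed sample replies (not taken from the thread). A 227 reply carries the
# server's data-connection address as six bytes h1,h2,h3,h4,p1,p2; port = p1*256 + p2.
PASV_OK = "227 Entering Passive Mode (203,0,113,10,195,89)\r\n"
PASV_OTHER_HOST = "227 Entering Passive Mode (198,51,100,7,195,89)\r\n"

PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(b > 255 for b in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    port = p1 * 256 + p2
    if port == 0:
        return None
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), port)


def pasv_verdict(reply, allowed_ports, control_peer):
    """Say what an egress filter does with the data connection a PASV reply asks for.

    allowed_ports: set of permitted outbound destination ports, or None for
    unrestricted outbound (m0n0wall's default LAN rule, as described in the thread).
    control_peer: the IP the client opened the control connection to; a proxy that
    creates dynamic rules should only open them toward that same host.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not-pasv"
    host, port = parsed
    if host != control_peer:
        return "host-mismatch"  # never open a pinhole toward a third-party host
    if allowed_ports is None or port in allowed_ports:
        return "allowed"
    return "blocked"


if __name__ == "__main__":
    server = "203.0.113.10"
    print(parse_pasv(PASV_OK))                                      # ('203.0.113.10', 50009)
    print(pasv_verdict(PASV_OK, {21, 2100}, server))                # blocked: only 21 and 2100 are open
    print(pasv_verdict(PASV_OK, None, server))                      # allowed: unrestricted outbound
    print(pasv_verdict(PASV_OK, set(range(50000, 50100)), server))  # allowed: server's PASV range opened
    print(pasv_verdict(PASV_OTHER_HOST, None, server))              # host-mismatch
```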