[ Prev ] [ Table of Contents ] [ Front Page ] [ FAQ ] [ Next ]


(?) The Answer Guy (!)


By James T. Dennis, answerguy@ssc.com
LinuxCare, http://www.linuxcare.com/


(?) FTP Through a "Firewall"

From Jonathan Marshall on Thu, 08 Jun 2000

I'm having an issue in which im not sure why ftp ing isn't going through the linux firewall to our isp that handles all the files. What should I check and look for to make sure ftping works through this linux firewall.

I have no clue thanks

Jonathan Marshall

(!) Short form: Probably blocking all incoming TCP/IP connections and failing to use "passive" FTP clients.
It probably means that your firewall is improperly configured.
I'm going to guess that you can do some web browsing, and/or that ping or some other form of TCP/IP traffic is working between your client(s) and the target host (the FTP server).
In other words I'm going to assume that you are asking specfically about why FTP is NOT working because other stuff is working. If not then the problem could be anywhere in the realm of addressing routing, link layer and lower level networking.
The most common problem where "everything is working except FTP" has to do with the way that FTP works. Normal FTP (now sometimes called "active" FTP) works something like this:
This technique plays hell with simplistic packet filtering and is why "firewalls" are more complicated than just packet filtering.
You mention that you are using a Linux "firewall/router." Notice that the term "firewall" is pretty vague. It implies that you have this system configured to enforce some sort of policies about what sorts of traffic it will route into and out of your network.f However, that could be anything from some simple ipfwadm or ipchains rules through a gamut of different applications proxies, "stateful packet filtering" systems, and other software.
These days a lot of people refer to Linux systems which are simple IP masquerading routers as "firewalls." That's really a stretch. It seems quite likely that you are running through masquerading. If that's the case you should be aware that Linux requires a special loadable module in order to support normal FTP through a masqueraded route. It may be that the module isn't their, or that the kerneld/kmod (dynamic module loading mechanisms) aren't properly running or configured, etc. You should have your sysadmin check the error logs on this "firewall" and look for a file like:
/lib/modules/.../ipv4/ip_masq_ftp.o
... or for error messages in the logs that refer to such a beast. That little gizmo handles the active back "PORT" connections from that might be coming from your ISPs FTP server.
So, it sounds like you need to get someone to properly configure the firewall if you want to use traditional FTP. It also sounds like you have an ISP that has lackluster support (since any decent sysadmin should have been able to explain this to you).
Another option is to use "passive mode" FTP. This still stills two connections (control and data, as before). However, it basically means that the client requests that the server accept all of the connections --- so that no new connections will be "inbound" back to the client. Most newer FTP clients will support passive mode. If you're using the old "shell mode" FTP command try just issuing the command 'passive' at the FTP command's prompt. If it responds with a message like: "passive mode on" then you should be able to go from there.
Under ncftp (a popular FTP client that's almost more common on Linux than the old Berkeley shell mode program) you would try the command 'set passive on'
In any case search your man pages for "passive" and/or "PASV" (the protocol keyword) to see if that helps.
Note that most web browsers default to passive mode for all FTP transactions. So one of the common symptoms of this problem is that FTP works through a browser and fails otherwise.
There are a number of places where you can read more about Linux firewalls. One place to check is:
Linux Administrators FAQ List: Firewalling
http://www.kalug.lug.net/linux-admin-FAQ/Linux-Admin-FAQ-9.html
... and, of course:
Firewall and Proxy Server HOWTO
http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
... and the home page of the:
Freefire Projekt Startpage, English, Bernd Eckenfels
http://sites.inka.de/sites/lina/freefire-l/index.en.html
... and Dave Wreski's:
Linux Security Administrator's Guide
http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html
... and a bit about the Sinus Firewall package (which is under the GPL):
SINUS Firewall Page
http://www.ifi.unizh.ch/ikm/SINUS/firewall
... and the Juniper Firewall Toolkit (from Obtuse):
Juniper
http://www.obtuse.com/juniper
... and I'm sure that most of those links lead to many others.
So, your sysadmin and our ISP have no excuse for not learning more about firewalls, packet filtering and how to support simple requests and solve simple problems such as this.


Copyright © 2000, James T. Dennis
Published in The Linux Gazette Issue 55 July 2000
HTML transformation by Heather Stern of Tuxtops, Inc., http://www.tuxtops.com/


[ Answer Guy Current Index ] greetings   1   2   3   4   5   6   7   8   9   10   11   12   13  
14   15   16   17   18   19   20   21   22  
[ Index of Past Answers ]


[ Prev ] [ Table of Contents ] [ Front Page ] [ FAQ ] [ Next ]