This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Standard FTP in private network

Hi!

I'm trying to config ASL 3.202 so that I can run a FTP server in my private network to be accessable from the "outside".

FTP server IP:   192.168.1.1
ASL internal IP: 192.168.1.254
ASL external IP: 130.83.19.167
masq private LAN on WAN-Interface

First I added a packet filter rule:
All/All -> WAN_Interface/FTP : allow

Then I added a S-/DNAT rule:
All -> WAN_Interface SRCTransl.:none DSTTransl.: FTPserverIP

But (as I assuemed) I doesn't work.   [:(]
Do I have to allow FTP-Control separatley and add another S-/DNAT Rule?   [:S]

Tkx in advance.
Greetings
Chris

This thread was automatically locked due to age.

Parents

0 Andy_01 over 23 years ago

your packet filter rule is wrong, it has to be Any->ftp->FTP Server->allow, DNAT is done before the packet filtering, the packet filter sees the translated address.
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to Andy_01

Tkx.
Good to know.
But it still doesn't work. :-/
Cancel
Vote Up 0 Vote Down

Cancel
0 Andy_01 over 23 years ago in reply to DerChris

check the default gateway of the ftp server, has to be the internal interface of the Astaro.
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to Andy_01

The GW is configured correctly.
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 23 years ago in reply to DerChris

f3@Rl3SS,

have a look at the packet filter log to find out
what is being filtered!

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to oliver.desch

Hmmmm ...
none of the FTP connections I tried to establish are filteres. So ... packet filtering seems to work correctly ...
Cancel
Vote Up 0 Vote Down

Cancel
0 AKo over 23 years ago in reply to DerChris

Hi,

u set:
Then I added a S-/DNAT rule:
All -> WAN_Interface SRCTransl.:none DSTTransl.: FTPserverIP

I think, this is wrong!? try this: S/DNAT 2FTP

match parameters | src trans | dst trans
any --> WAN_Interface_/FTP --> none ----> ftpserver

rule filter must set to
any | ftp | ftpserver | allow

it runs!(?)
bye
ak
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to AKo

I allready noticed that failure and fixed it. But it still does not work. [:(]

PS: I got the same problem with all forwarded ports. UT Server, CUSeeMe, etc. ...

[size="1"][ 12 August 2002, 11:13: Message edited by: f3@Rl3SS ][/size]
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to DerChris

Doesn't anyone know that problem?
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 23 years ago in reply to DerChris

Try setting a NAT rule ANY/ANY > ftp server IP
Try setting packet rule for ANY packets to anywhere to go through.

People should use PASV mode to connect to the ftpd.

It should work, I've set this up, I'd show you the config but our ISP for that box just collapsed !
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to Simon Shaw

Hmmm ...
But in that case I wouldn't need a Firewall anymore! [:(]
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 23 years ago in reply to DerChris

Get it working first then tighten it.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 23 years ago in reply to DerChris

Get it working first then tighten it.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 DerChris over 23 years ago in reply to Simon Shaw

Hmmmm ... I really can't believe it ...
I did what you say, but its still not working.

At the moment, there is one packetfilter rule:
any -> any -> any : allow

I'm masquerading my private network on ASLs WAN-NIC and there is one DNAT rule:

All -> myExternalIP/Any | noSrcTrans | DestTrans: myFTPServer

What am I doing wrong???

[size="1"][ 16 August 2002, 07:50: Message edited by: f3@Rl3SS ][/size]
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to DerChris

ops ... my failure ...
It works with that konfig. (no wonder)

If I enable the packet filtering rules, it doesn't.
Cancel
Vote Up 0 Vote Down

Cancel
0 DerChris over 23 years ago in reply to DerChris

OK ... I found the "bad boy".
It was a filter rule:
Any/Any -> myLAN : DROP

But isn't disabeling that rule insecure?
(i still got the rule: Any/Any -> WAN_Interface_ : DROP )
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 23 years ago in reply to DerChris

By default Astaro denies traffic unless you explicitly allow it.
Rules are also processed in order of their listing. You can play with the rules and come up with good security whilst still allowing your ftpd to run.
Cancel
Vote Up 0 Vote Down

Cancel