I have the MASQ set up and some forwarding working. For instance, people can access my web server.
On the same computer as my web server is my FTP server. I want to be able to access it from inside my network also. (In the "Port Forwarding" topic, the example has it DMZed outside the network, and then SNATed out, so no traffic stays in.) I want to access it inside because it runs through a very fast switch.
For this reason, I DID NOT set up an SNAT for traffic from my server to the outside. I have no SNATs set up, just the DNATs in (for port forwarding) and the MASQ. It seems to work fine for the HTTP server.
For packet filter rules, I have a few, but they all ALLOW (I have no DROP) rules, and the last rule is ANY-ANY-ANY-ANY (which should allow everything).
The Problem: People can connect to the FTP but once it gets to the part about going into PASV mode, it dies. In the packet filter livelog, I can watch the traffic. For some reason it is dropping tons of packets. This shouldn't be possible with the last rule. These are going out packets mind you. What's even stranger, is that it will except one out-packet, then drop the next one, and at least log-wise, they are identical.
For example:
DROP 192.168.1.x:8000 -> 68.x.x.x:5353 TCP ACK PUSH
ACCEPT 192.168.1.x:8000 -> 68.x.x.x:5353 TCP ACK PUSH
My PASV range on my FTP is set to 3900-3999. 5353 in the
example is the port they connected in on.
Why is it dropping packets like this? Especially if it will accept its twin?
Why would the MASQ not let this packet out?
Shouldn't my ANY-ANY-ANY-ANY rule let it out? (The rules are traversed in number order correct? So if it didn't get let out by my other rules, it should be by the last one?)
I tried even doing the SNAT out, I'm not convinced it was helping.
This thread was automatically locked due to age.
