FTP behind Masq firewall

Hello All,
I am running a Redhat 6.0, currently kernel 2.2.5-15 but getting ready to upgrade.  
1)  The system is set up to masq traffic from my internal network.
2)  Accept VPN traffic from MS Clients.
3)  Act as a firewall.
Everything works wonderfully with one exception: FTP.
Whenever anyone on the local net attempts to FTP from a browser, it hangs and eventually times out. Attempts to FTP from the command line in NT can connect, but as soon as a file is requested or an ls is issued the system hangs. Here is an example:

ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

And it basically hangs indefinitely at the opening data connection part.
My firewall settings, in order, with regard to this problem are:

ipchains -M -S 14400 30 300
/sbin/modprobe ip_masq_ftp.o
ipchains -A forward -i $INTERNET_NIC -d $INTERNET_NET -s $LOCAL_NET -j MASQ

Has anyone encountered and/or resolved this problem?
1 Solution
Background: FTP, like some IRC, Quake, CuSeeMe, and others, uses bidirectional connections. This means that the remote machine creates a new connection back to your host. Since a masquerading firewall doesn't know how to forward incoming connections, it just gets refused.

I assume you know this as the "ip_masq_ftp.o" module you load is supposed to solve this problem. I run Debian Linux (with the "ipmasq" package) and have never had this problem after loading that module. The only obvious difference is that I "modprobe" after setting the MASQ rule, but that shouldn't make any difference.

Things I can think of to try...

1) "lsmod" to verify that the masq_ftp module has been loaded.
2) Start "iplogger" on your firewall and verify that a return connection
    is being attempted and refused.
3) "ipchains -L" and verify that you don't have any rules that forbid
    the return connection.

If you don't have any luck, the output of "lsmod" and "ipchains -L" would be useful. If all else fails, you could try using FTP in "passive mode", since that makes only client->server connections.

-- Brian
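As an added illustration (not from the original thread) of why the ip_masq_ftp helper is needed: in active mode the client's PORT command carries its private address, which the firewall must rewrite and map before the server's data connection can come back in, whereas a PASV reply only leads to an outbound client connection. The local network, public address and masquerade port below are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    """Turn the six FTP octets h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_port_command(line):
    """Active mode: the client's PORT command names the address the server connects back to."""
    m = PORT_RE.match(line)
    return _decode(m.groups()) if m else None

def parse_pasv_reply(line):
    """Passive mode: the server's 227 reply names where the client connects (outbound only)."""
    m = PASV_RE.match(line)
    return _decode(m.groups()) if m else None

def rewrite_port_command(line, local_net, public_ip, masq_port):
    """Model of what the masquerading FTP helper does with an active-mode PORT command:
    if the advertised address is on the masqueraded local net (the $LOCAL_NET of the
    ipchains rule), replace it with the firewall's public address and a port taken
    from the masquerade range (masq_port is assumed to have been allocated already),
    and return the mapping the firewall must keep to forward the server's incoming
    data connection to the real client.
    Returns (rewritten_line, (private_ip, private_port)) or (line, None) if untouched."""
    parsed = parse_port_command(line)
    if parsed is None or ip_address(parsed[0]) not in ip_network(local_net):
        return line, None
    private_ip, private_port = parsed
    octets = public_ip.split(".")
    new_line = "PORT " + ",".join(octets + [str(masq_port // 256), str(masq_port % 256)])
    return new_line, (private_ip, private_port)
```

Without the rewrite, the server tries to open its data connection to the private address and the transfer hangs exactly as shown in the question.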
MWalter (Author) commented:
Thanks bcwhite,
You didn't have the exact answer to my problem, but you provided enough information for that eureka moment. Being that this is a firewall, I had disabled TCP SYN cookies for everything except the VPN. This was preventing the FTP server from making any kind of connection. Once I opened SYN cookies in the dynamically assigned port range, everything started working. Thanks again for the help.
