dredmann
Problems with Passive mode on PROFTP behind firewall

I have a problem where I cannot connect to a proftp server in passive mode behind a firewall, the /var/messages file reports SECURITY VIOLATION: Passive connection from x.x.x.x rejected when the server tries to initiate passive mode.

Non passive mode connections are fine, but I have some customers who need passive mode.

I have set the passive ports directive in proftpd.conf, and ensured that the relevant ports are open on the firewall, but still can't get the server to do anything useful in passive mode. It eventually times out, saying that no transfer has taken place.

Please help.
rcm9445

Try using TCP/IP wrappers to send the packets through port 80 instead of port 23.
ASKER CERTIFIED SOLUTION
chris_calabrese
This solution is only available to members.
dredmann (ASKER)

The firewall is by borderware.
The actual message reported is:

1.1.1.1 (gateway-ext.central.smartways.com[2.2.2.2]) - SECURITY VIOLATION: Passive connection from 3.3.3.3 rejected.


I've replaced the IP addresses for security reasons:
1.1.1.1 The host ftp server
2.2.2.2 IP of external side of clients firewall
3.3.3.3 IP of Internal side of our firewall

The ftp connection is being initiated inside the client's firewall.
This is exactly the type of thing I was talking about. The firewall intercepts the data traffic, making the ftp server see its IP address as the originating address for the packets.

The only way to solve this problem is to fix your firewall (or perhaps configure proftpd not to be concerned with this, but it's probably a problem for your clients too).
Chris, how would you suggest that I go about making Proftp not care about the addresses getting changed?
Never used proftp, so I can't tell you. However this firewall behavior is likely to cause problems for your clients too, so the real answer is fixing the firewall. I'd contact the firewall vendor to see if they have a solution to this problem.
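The proftpd-side knob chris_calabrese alludes to ("configure proftpd not to be concerned with this") is the AllowForeignAddress directive, which controls the check that logs the SECURITY VIOLATION line quoted above. The following proftpd.conf fragment is an added example, not configuration from anyone in the thread; the port range, the public address and the virtual host address are placeholders.

```apache
# Added example, not from the thread: proftpd.conf for a server behind a
# NAT/proxy firewall. Port range and addresses below are placeholders.

# Passive data ports: this range must match what is opened on the firewall
# (the asker already did this part).
PassivePorts 49152 49200

# Only needed when the firewall NATs the server: puts the public address
# into the PASV reply instead of the server's private one.
MasqueradeAddress 203.0.113.10

# Default behaviour (off): a passive data connection is accepted only from
# the IP that holds the control connection. Anything else is dropped and
# logged as:
#   SECURITY VIOLATION: Passive connection from 3.3.3.3 rejected.
# A proxying firewall that re-originates the data connection from its own
# address, as in the thread, trips exactly this check.
#AllowForeignAddress off

# proftpd-side workaround: accept data connections from another address.
# Trade-off: during the PASV window any host, not just the client, could
# connect to the listening data port, so enable this only on the virtual
# host that needs it and keep PassivePorts firewalled to known peers.
<VirtualHost 198.51.100.5>
    ServerName "Customer upload server"
    AllowForeignAddress on
</VirtualHost>
```

Newer ProFTPD releases also accept a Class name as the value of AllowForeignAddress so that only listed source addresses pass the check, which is tighter than plain `on` (verify against your version's documentation). The firewall-side fix chris_calabrese recommends avoids this trade-off altogether.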