[plug] outbound rule

W.Kenworthy billk at iinet.net.au
Wed Oct 18 11:47:36 WST 2006


On Wed, 2006-10-18 at 10:20 +0800, Jon Miller wrote:
> What I'm trying to do is get ports 20 and 21 to work.  As I've stated I can see the packet requests coming in on the external interface, but it's not to my knowledge either getting to the server or a return ACK is not getting back to the gateway.  In either case it would be the firewall that is causing this.  What I'm trying to construct is a rule that will allow return ftp packets traffic thru / to the gateway.
> I understand that the data is dynamic so do I have to use a range for the ports?
> 
> Thanks
> 
> >>> billk at iinet.net.au 9:51:19 am 18/10/2006 >>>
> standard ftp uses a dynamically requested data port - the best way around
> is to use scp/sftp.  In ftp there are two ports involved - a control
> port which is fixed, and data which is dynamic
> 
> BillK
> 
> 
> On Wed, 2006-10-18 at 09:27 +0800, Jon Miller wrote:
> > Drawing a blank here - hate to bother but I need to know the format of a simple outgoing rule from the internal LAN to either a VPN or the Internet.
> > We have a server where we need to ftp data to and from a vpn from one site to another.
> > The external interface is eth0 while the internal interface is eth0.
> > Using tethereal I can see packets coming in to the server, but the return isn't working.
> > 
> > Thanks
> > 
> > Jon
> > 
> > 

This looks like a reasonable explanation: 
http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html

Will PASV mode do what you want?

BillK
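An added example, not part of the thread above: the shape of a Linux iptables ruleset that answers Jon's question without opening a port range. The FTP connection-tracking helper watches the control channel on port 21, learns the negotiated data port (PORT or PASV), and marks the data connection RELATED, so a single ESTABLISHED,RELATED rule lets the return traffic through. Everything here is assumed rather than taken from the thread: the external interface is eth0, the internal one eth1, the LAN is 192.168.1.0/24 (constructed), and the kernel has the nf_conntrack_ftp module (called ip_conntrack_ftp on 2.6-era kernels). By default the script only prints the commands; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the list thread): iptables rules for a Linux
# gateway forwarding FTP from the LAN to an external server, using the
# kernel FTP conntrack helper instead of a static port range.
# Assumptions (constructed): eth0 = external, eth1 = internal,
# LAN 192.168.1.0/24, module nf_conntrack_ftp available.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Print the command unless APPLY=1, in which case run it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

ftp_forward_rules() {
    # Load the FTP helper; it inspects PORT/PASV on the control channel
    # and tags the resulting data connection as RELATED.
    run modprobe nf_conntrack_ftp

    # Kernels since 3.5 no longer attach helpers automatically, so bind
    # the ftp helper explicitly to control-channel traffic in the raw table.
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Control channel: new TCP/21 connections from the LAN outbound only.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" \
        -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Replies on the control channel plus the helper-tracked data
    # connection, in both directions (covers active and PASV mode).
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything not accounted for above is dropped, including unsolicited
    # inbound connections to LAN hosts.
    run iptables -P FORWARD DROP
}

ftp_forward_rules
```

With these rules no inbound hole is needed for port 20 (active mode) or for the server's PASV port: the data connection is accepted only because conntrack saw it negotiated on an already-allowed control channel. If the gateway also NATs the LAN, the FTP NAT helper (nf_nat_ftp) rewrites the address inside the PORT command as well.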



