[plug] outbound rule
W.Kenworthy
billk at iinet.net.au
Wed Oct 18 11:47:36 WST 2006
On Wed, 2006-10-18 at 10:20 +0800, Jon Miller wrote:
> What I'm trying to do is get ports 20 and 21 to work. As I've stated I can see the packet requests coming in on the external interface, but it's not to my knowledge either getting to the server or a return ACK is not getting back to the gateway. In either case it would be the firewall that is causing this. What I'm trying to construct is a rule that will allow return ftp packets traffic thru / to the gateway.
> I understand that the data is dynamic so do I have to use a range for the ports?
>
> Thanks
>
> >>> billk at iinet.net.au 9:51:19 am 18/10/2006 >>>
> standard ftp uses a dynamically requested data port - the best way around
> is to use scp/sftp. In ftp there are two ports involved - a control
> port which is fixed, and data which is dynamic
>
> BillK
>
>
> On Wed, 2006-10-18 at 09:27 +0800, Jon Miller wrote:
> > Drawing a blank here - hate to bother but I need to know the format of a simple outgoing rule from the internal LAN to either a VPN or the Internet.
> > We have a server where we need to ftp data to and from a vpn from one site to another.
> > The external interface is eth0 while the internal interface is eth0.
> > Using tethereal I can see packets coming in to the server, but the return isn't working.
> >
> > Thanks
> >
> > Jon
> >
> >
This looks like a reasonable explanation:
http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html
Will PASV mode do what you want?
BillK
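
Added example, not part of the original post: a Python sketch of what a stateful firewall's FTP helper has to do with the fixed control channel in order to learn the dynamic data port, for both active (PORT) and passive (PASV / 227 reply) mode. The function names, the sample session and the rule of ignoring an advertised address that differs from the sender are assumptions made for illustration.

```python
import re

# RFC 959 host-port notation: h1,h2,h3,h4,p1,p2 (six decimal octets).
_HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def expected_data_connection(line):
    """Return (mode, listener_ip, listener_port) for a PORT command or a
    227 reply seen on the control channel, or None for any other line."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # client listens; server connects out from port 20
    elif line.startswith("227"):
        mode = "passive"   # server listens; client connects in to this port
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # the port is sent as two octets
    return mode, ip, port

def pinholes(control_lines):
    """control_lines: iterable of (sender_ip, line). Yields the data
    connections to allow. An advertised address that is not the sender's
    own is ignored, so the control channel cannot open a path to a
    third host."""
    allowed = []
    for sender_ip, line in control_lines:
        conn = expected_data_connection(line)
        if conn and conn[1] == sender_ip:
            allowed.append(conn)
    return allowed

# Constructed sample session (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", "USER demo"),
    ("192.0.2.10", "PORT 192,0,2,10,195,80"),
    ("198.51.100.5", "227 Entering Passive Mode (198,51,100,5,78,52)"),
    ("192.0.2.10", "PORT 10,0,0,7,4,1"),   # address mismatch: ignored
]

if __name__ == "__main__":
    for mode, ip, port in pinholes(SAMPLE):
        print(f"{mode}: allow data connection to {ip}:{port}")
```
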