[Shorewall-users] ftp server and passive mode

Tom Eastep teastep@shorewall.net
Mon, 29 Apr 2002 11:30:53 -0700 (Pacific Daylight Time)

On Mon, 29 Apr 2002, Zipleen wrote:

> Hi, I recently configured a box for a dedicated firewall using
> shorewall, and after I get all the things right the firewall runs
> smoothly, but as I start to add stuff things tend to go wrong. My
> particular problem is with my ftp server and passive mode. I have in my
> lan a ftp server and I need passive mode activated. I also use another
> port for the ftp server (30021) instead of the default one. I searched
> the mailing list for this kind of problem and found a solution. It is
> also reported in netfilter.org but in the mailing list I have found this:
> You have to pass the non-standard ports to the ip_conntrack_ftp
> ip_nat_ftp modules. In your /etc/modules.conf file:
> options ip_nat_ftp ports=21,9000
> options ip_conntrack_ftp ports=21,9000
> OK, so I added the ports= in /etc/modules.conf but passive mode
> continued not to work correctly. So I edited /etc/shorewall/modules and
> added ports= there. It didn't work either, so I tried manually and it
> didn't work...
> PORT runs OK but passive mode doesn't. The workaround I did was to add
> the passive mode ports to the /etc/shorewall/rules but that's not
> good/right ;)
> I am using debian 3 (unstable) and using kernel 2.4.18. Could anyone
> help me out with this problem? I must be doing something wrong here...
> Oh btw, using ftp server in port 21 also doesn't work in passive mode!

Since ftp.shorewall.net is behind a Shorewall firewall running kernel
2.4.18 and passive mode works fine there, we know that it DOES work.

Does lsmod show that the modules are actually being loaded? The behavior
that you are describing indicates otherwise.

Have you tried more than one client so as to rule out a broken client?

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
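
The lsmod check asked about above, combined with a check of the ports= options from the quoted modules.conf lines, as an added example that is not part of the original message or of Shorewall. The function names and the sample data are assumptions made for illustration; the function reads saved `lsmod` output and a modules.conf-style file.

```shell
#!/bin/sh
# Added example: verify that both FTP helper modules are loaded and that the
# ports= list configured for each one contains the server's control port.
# check_ftp_helpers and demo are hypothetical names, not Shorewall commands.

# usage: check_ftp_helpers <lsmod-output-file> <modules.conf-file> <port>
# Prints one line per problem found; returns 0 only if nothing is wrong.
check_ftp_helpers() {
    lsmod_out=$1 conf=$2 port=$3 rc=0
    for mod in ip_conntrack_ftp ip_nat_ftp; do
        # Match the first column only, so "[ip_nat_ftp]" in a "Used by" list is ignored.
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$lsmod_out"; then
            echo "$mod: not loaded"
            rc=1
        fi
        # Extract the value of ports= from "options <mod> ... ports=a,b,c".
        ports=$(awk -v m="$mod" '$1 == "options" && $2 == m {
                    for (i = 3; i <= NF; i++)
                        if ($i ~ /^ports=/) { sub(/^ports=/, "", $i); print $i }
                }' "$conf")
        case ",$ports," in
            *",$port,"*) ;;   # exact match: 3002 must not match 30021
            *) echo "$mod: port $port not in ports=${ports:-<unset>}"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample data (not from the original post): only the NAT helper is
# loaded, and modules.conf lists 21,9000 while the server listens on 30021.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Module                  Size  Used by' \
                  'ip_nat_ftp              2944   0 (unused)' \
                  'iptable_nat            13588   1 [ip_nat_ftp]' > "$d/lsmod.txt"
    printf '%s\n' 'options ip_nat_ftp ports=21,9000' \
                  'options ip_conntrack_ftp ports=21,9000' > "$d/modules.conf"
    status=0
    check_ftp_helpers "$d/lsmod.txt" "$d/modules.conf" 30021 || status=$?
    rm -rf "$d"
    return $status
}

demo || true
```

On a live firewall, save the output of `lsmod` to a file and pass it together with /etc/modules.conf and the FTP control port.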