[Shorewall-users] passive ftp transfers on non standard ports

Steve Estes estess@bellatlantic.net
Mon, 7 Jan 2002 15:45:09 -0500

MSN does direct connects for file transfer and voice connections. When your
friend sends you a file, his machine sends you his external IP to connect
to. So long as your friend is not behind a firewall, this works fine. When
you try to send a file to your friend, your machine sends your internal IP
to your friend's machine, which he cannot connect to. Since this IP is sent
as part of the transfer data, the NATing of the firewall does not see it and
correct it. Voice seems to do a connection in each direction, so even if only
one of you is behind a firewall you can't connect. But so long as only one
of you is behind a firewall, I find that AOL's AIM can still transfer files
and do voice chat. If you are both behind firewalls, you are screwed for AIM
and MSN. I don't know if ICQ can do file/voice transfers through firewalls
or not. My friend and I are currently both behind Shorewall firewalls, so we
are working to get FreeS/WAN to connect our two networks together in one
happy WAN, at which point we believe the MSN/AIM connections will once again


----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "jos not to know by everybody" <macaronipizza@hotmail.com>;
Sent: Monday, January 07, 2002 3:30 PM
Subject: Re: [Shorewall-users] passive ftp transfers on non standard ports

On Monday 07 January 2002 12:01 pm, jos not to know by everybody wrote:
> Hello,
> I got a machine running RH 7.2 with Shorewall 1.2.0, connected to a cable
> modem and my home network.
> When I used the standard configuration files for two interfaces, it worked
> like a charm, but (there is always a but) I got 2 things I am trying to
> solve:
> 1. I don't seem to be able to use FTP passive transfer when using
> non-standard ports (i.e. an FTP server on port 9000).

You have to pass the non-standard ports to the ip_conntrack_ftp and
ip_nat_ftp modules. In your /etc/modules.conf file:

options ip_nat_ftp ports=21,9000
options ip_conntrack_ftp ports=21,9000

> 2. MSN file transfers.. i cant send myself, but i can receive.

No clue -- I don't use MSN. Are you seeing any Shorewall messages logged?

Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Shorewall-users mailing list