Re: [lug-nuts] attn Rick - PMFirewall Question

From: Mike Machado (mike@innercite.com)
Date: Fri Jan 07 2000 - 10:52:27 PST


"Lancashire, Andrew" wrote:
>
> Here's the thing:
>
> Using Passive ftp ensures that the source is always starting the TCP
> session. Even though there may be many TCP sessions started, the originating
> SYN packet always comes from the source to the destination. This makes the
> TCP session always established from the inside of the firewall in this case.
> The firewall keeps track of these established sessions and thus allows
> requested data to be received by the client with ftp. Under normal ftp (not
> passive) the get requests are always followed up by the server asking the
> client to listen on a predefined port number. Firewalls do not like this
> because the session doesn't get established from the trusted side (inside).
> So in the case of the firewall not allowing you to ftp data back to the
> client, you may want to check your firewall configuration or make sure your
> client is even doing passive mode. To ensure the client is:
>
> $ ftp
> ftp> pas
> Passive mode on.
> ftp> open metalab.unc.edu
> Connected to metalab.unc.edu
>
> If anyone has any contradictions to this information I would be glad to
> e-mail the sniffer trace I took before writing this.
>

Sounds right to me!

> Andrew
>
> -----Original Message-----
> From: Mike Machado [mailto:mike@cheapnet.net]
> Sent: Friday, January 07, 2000 10:39 AM
> To: lug-nuts@saclug.org
> Subject: Re: [lug-nuts] attn Rick - PMFirewall Question
>
> On Fri, 7 Jan 2000, Michael Long wrote:
>
> > How do you plan on letting passive ftp through? The return packets open up
> > a new port above 1024 and it's random every time.
> >
>
> But the destination is always the same: port 20.
>
> > Michael
> >
> > On Fri, 7 Jan 2000, Rick Johnson wrote:
> >
> > >
> > > Hi Adam,
> > >
> > > > Will PMFirewall let me do port forwarding? I've used ipmasqadm in the
> > > > past and it worked well...wouldn't let passive FTP through :<
> > >
> > > The quick answer is no, not yet. But it is possible to add it in manually.
> > > Feel free to email me privately and we can talk about it.
> > >
> > > - Rick
> > >
> > >
> ****************************************************************************
> > > * To UNSUBSCRIBE from the list, send a message with "unsubscribe
> lug-nuts"
> > > * in the message body to majordomo@saclug.org. Please direct other
> > > * questions, comments, or problems to lug-nuts-owner@saclug.org.
> > >
> >
> >
> >
>
> Mike Machado
> mike@innercite.com
> InnerCite
> Network Specialist
>
>

-- 
Mike Machado
mike@innercite.com
InnerCite
Network Specialist
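[Added example, not part of the thread above and not code from PMFirewall or ipmasqadm. The script below models the two data-connection setups Andrew describes: it decodes the h1,h2,h3,h4,p1,p2 tuple that RFC 959 uses both in the server's "227 Entering Passive Mode" reply and in the client's PORT command, reports which side sends the SYN that opens the data channel, and applies the one rule a stateful firewall without an FTP helper really has, "accept new sessions only when the SYN comes from the inside". The control-channel lines, the client and server addresses and the inside prefix are constructed samples, not anything captured for the thread.]

```python
# Added example for this archive page (not code from the thread, PMFirewall or
# ipmasqadm). Models who sends the data-channel SYN in active vs. passive FTP
# and what a firewall that only accepts sessions started from the inside does
# with it. All sample lines and addresses below are constructed for illustration.
import re

# Constructed sample: server reply to PASV (RFC 959 "227" format, h1..h4,p1,p2).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (152,2,254,81,195,23)"
# Constructed sample: client PORT command in active mode (same tuple format).
SAMPLE_PORT_CMD = "PORT 192,168,1,10,8,5"

CLIENT_IP = "192.168.1.10"     # constructed: host behind the firewall
SERVER_IP = "152.2.254.81"     # constructed: FTP server on the outside
INSIDE_PREFIX = "192.168."     # constructed: what the firewall treats as "inside"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PASV replies and PORT
    commands. Returns (ip, port) with port = p1 * 256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def data_syn(mode, line):
    """Describe the SYN that opens the data channel.

    passive: the client reads the server's 227 reply and connects out to
             the advertised address/port (a high port chosen by the server).
    active:  the client has sent PORT; the server connects back to the
             advertised client port, by default from its own port 20.
    """
    ip, port = parse_hostport(line)
    if mode == "passive":
        # sport is None: the client picks an ephemeral port, not shown here
        return {"initiator": "client", "src": CLIENT_IP, "sport": None,
                "dst": ip, "dport": port}
    if mode == "active":
        return {"initiator": "server", "src": SERVER_IP, "sport": 20,
                "dst": ip, "dport": port}
    raise ValueError("unknown mode %r" % mode)


def firewall_allows(syn, inside_prefix=INSIDE_PREFIX):
    """Minimal stateful rule with no FTP helper: a new session is accepted
    only if its SYN comes from the inside. Replies to an accepted session
    are then let back in, so this is the only decision that matters."""
    return syn["src"].startswith(inside_prefix)


def summarize():
    """Run both modes against the constructed samples and return
    mode -> (initiator, destination ip, destination port, allowed?)."""
    out = {}
    for mode, line in (("passive", SAMPLE_PASV_REPLY), ("active", SAMPLE_PORT_CMD)):
        syn = data_syn(mode, line)
        out[mode] = (syn["initiator"], syn["dst"], syn["dport"], firewall_allows(syn))
    return out


if __name__ == "__main__":
    for mode, (who, dst, dport, ok) in summarize().items():
        print("%-7s data SYN from %s to %s:%d -> %s" %
              (mode, who, dst, dport, "allowed" if ok else "dropped"))
```

Run it directly and it prints one verdict per mode. The thing to notice is that only the passive-mode SYN originates on the inside prefix: the server advertises a high port in the 227 reply and the client connects to it, so a session-tracking firewall passes the transfer without knowing anything about FTP. In active mode the server starts the data session from port 20 toward the port the client announced in PORT, and the same rule drops it unless the firewall has an FTP-aware helper that reads the PORT command and opens the pinhole.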



This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:10 PST