[ale] FTP weirdness
bkruger at mindspring.com
Wed Apr 25 09:19:05 EDT 2001
>channel for command and control (initiated by the client) and an inbound
>channel for data (initiated by the server). Since the data channel is
>initiated by the server inward to the client on a privileged port (hence
>penetrating the firewall), admins were forced to open this port for pretty
>much anyone. Passive mode allows the client to initiate both connections
>outward thereby closing a potential security hole.
>Unfortunately, Microsoft has not seen fit to implement this improvement in
>the technology which is why your Linux works correctly while your MS does not.
I just tried a session with ws_ftp from a Windows 2000 client using the passive mode, and again the same error.
I wonder if someone has a good (read also simple) IP_Tables or IP_Chains setup that allows Windows ftp clients to work with the 2.4.x kernels.
Getting closer...
Regards - Bob Kruger
At 07:16 AM 4/25/2001 -0400, you wrote:
>Leonard/Joe;
>
>I pulled the man file for ftp and did a search, but could find nothing on
>"passive mode." I have missed something here...
>
>"Joseph A. Knapka" wrote:
>
> > Leonard Thornton wrote:
> > >
> > > Is your Linux box you are going through your firewall/NAT box? With your
> > > Linux clients that work through this box, have you tried setting PASSIVE
> > > mode off and seeing if they work?
> > >
> > > If this box IS a firewall/NAT box, you need to make sure that ftp-data port
> > > is open inbound AND that it is MASQ'd properly. Look at elofw.sh out on
> > > www.linux.org for an example of how to do this....You can test this by
> > > setting your Linux ftp clients to use ACTIVE mode rather than PASSIVE for
> > > transfers. If this is your problem, your Linux clients will fail in
> > > ACTIVE mode.
>
>Like I said, the ftp clients for linux boxes in the sub net work fine. This only
>crops up with the windows machines that also use the firewall. Before going to the
>new kernel, all worked.
>
> >
> > You can also "insmod ip_masq_ftp.o" to get active connections to work
> > properly.
> >
>
>Joe - I think this is only pertinent for the older 2.2.x kernels. I am still using
>IP chains, though, and compiled the kernel accordingly.
>
>Getting closer....
>
>Bob
>
>--
>To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
>body.
The difficult while you wait.....the impossible overnight.
Leonard Thornton
Intelis, Inc.
5960 Crooked Creek Rd
Suite 30
Norcross, GA 30092
Office: 770.825.0032
Fax: 770.825.0028
Cellular: 404.583.5402
Pager: 888.785.9188
Email: Leonard at Intelis-Inc.net
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
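
Added example, not part of the original thread and not code from any kernel module: a Python sketch of the control-channel handling that an FTP masquerading helper (such as the ip_masq_ftp module mentioned in the thread) has to perform, showing why active mode needs help on a NAT box while passive mode does not. The function names, the sample addresses and the same-host check in `rewrite_port` are assumptions made for illustration.

```python
import re

SIX = r"(\d{1,3}(?:,\d{1,3}){5})"          # h1,h2,h3,h4,p1,p2 as in RFC 959
PORT_RE = re.compile(r"^PORT " + SIX + r"\s*$")
PASV_RE = re.compile(r"^227 [^0-9]*" + SIX)

def _endpoint(csv):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); reject octets above 255."""
    nums = [int(n) for n in csv.split(",")]
    if max(nums) > 255:
        raise ValueError("octet out of range: " + csv)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_port(line):
    """Active mode: the client names the endpoint the SERVER will connect to."""
    m = PORT_RE.match(line)
    return _endpoint(m.group(1)) if m else None

def parse_pasv(line):
    """Passive mode: the server names the endpoint the CLIENT will connect to."""
    m = PASV_RE.match(line)
    return _endpoint(m.group(1)) if m else None

def rewrite_port(line, client_ip, public_ip, public_port):
    """Rewrite a masqueraded client's PORT command.

    Returns (new_line, expected_inbound); expected_inbound maps the one
    inbound data connection to allow back to the inside endpoint."""
    ep = parse_port(line)
    if ep is None:
        return line, None                      # not a PORT command: pass through
    ip, port = ep
    if ip != client_ip:                        # assumption: refuse third-party targets
        raise ValueError("PORT names a host other than the sender")
    new = "PORT %s,%d,%d\r\n" % (public_ip.replace(".", ","),
                                 public_port >> 8, public_port & 0xFF)
    return new, {(public_ip, public_port): (ip, port)}

if __name__ == "__main__":
    # Constructed sample lines; addresses are private/documentation ranges.
    print(rewrite_port("PORT 192,168,1,10,4,1\r\n",
                       "192.168.1.10", "203.0.113.5", 61000))
    print(parse_pasv("227 Entering Passive Mode (198,51,100,7,195,80)\r\n"))
```

Without the rewrite, the server would be told to connect to a private address it cannot reach; in passive mode the client dials out to the endpoint from the 227 reply, so ordinary outbound masquerading is enough.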