old-www/LDP/LG/issue55/tag/17.html

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3D.k">
<TITLE>The Answer Guy 55: FTP Through a "Firewall"</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
	LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P> <hr> 
<!-- *** BEGIN navbar *** :::::::::::::::::::::::::::::::::::::::::::::::: -->
<p align="center">
<A HREF="../lg_bytes55.html"><IMG ALT="[ Prev ]" 
	SRC="../../gx/navbar/prev.jpg" 
	WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/left.jpg" 
	WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom" >
<A HREF="../index.html"><IMG ALT="[ Table of Contents ]" 
        SRC="../../gx/navbar/toc.jpg" 
	WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
<A HREF="../../index.html"><IMG ALT="[ Front Page ]" 
        SRC="../../gx/navbar/frontpage.jpg" 
	WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<A HREF="../../faq/index.html"><IMG ALT="[ FAQ ]" 
        SRC="../../gx/navbar/faq.jpg"
	WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" 
	WIDTH="15" HEIGHT="45" ALIGN="bottom" >
<A HREF="../lg_tips55.html"><IMG ALT="[ Next ]" 
	SRC="../../gx/navbar/next.jpg" 
	WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A>
<!-- *** END navbar *** :::::::::::::::::::::::::::::::::::::::::::::::::: -->
</p>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
	<img src="../../gx/dennis/qbubble.gif" alt="(?)" 
		border="0" align="middle">
	<font color="#B03060">The Answer Guy</font>
	<img src="../../gx/dennis/bbubble.gif" alt="(!)" 
		border="0" align="middle">
</A></H1> 
<BR>
<H4>By James T. Dennis,
	<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
	LinuxCare,
	<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A> 
</H4>
</center>

<p><hr><p>
<!--  endcut ======================================================= -->
<!-- begin 17 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" 
	height="50" width="60" alt="(?) " border="0"
	>FTP Through a "Firewall"</H3>


<p><strong>From Jonathan Marshall on Thu, 08 Jun 2000  
</strong></p>
<!-- ::
FTP Through a "Firewall"
~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG>
I'm having an issue in which im not sure why ftp ing isn't going through
the linux firewall to our isp that handles all the files. What should I
check and look for to make sure ftping works through this linux firewall.
</STRONG></P>
<P><STRONG>
I have no clue
thanks
</STRONG></P>
<P><STRONG>
Jonathan Marshall
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Short form:  Probably blocking <EM>all</EM> incoming TCP/IP connections
and failing to use "passive" FTP clients.
</BLOCKQUOTE>
<BLOCKQUOTE>
It probably means that your firewall is improperly configured.
</BLOCKQUOTE>
<BLOCKQUOTE>
I'm going to guess that you can do some web browsing, and/or
that ping or some other form of TCP/IP traffic is working between
your client(s) and the target host (the FTP server).
</BLOCKQUOTE>
<BLOCKQUOTE>
In other words I'm going to assume that you are asking specfically
about why FTP is NOT working because other stuff <EM>is</EM> working.  If
not then the problem could be anywhere in the realm of addressing
routing, link layer and lower level networking.
</BLOCKQUOTE>
<BLOCKQUOTE>
The most common problem where "everything is working except FTP"
has to do with the way that FTP works.  Normal FTP (now sometimes
called "active" FTP) works something like this:
</BLOCKQUOTE>
<BLOCKQUOTE><ul>
<li> Your client connects to the FTP server.  It sends
TCP packets to port 21 of the remote.  That connection
is used to control the FTP session.  Your commands (like
'ls' and 'get') are sent over that connection.
<li> The server makes connections back to your client every
time it wants to send a stream of data.  Thus the 'ls'
listing that you asked for comes back over a separate TCP
channel from the control connection.
</ul></BLOCKQUOTE>
<BLOCKQUOTE>
This technique plays hell with simplistic packet filtering and
is why "firewalls" are more complicated than just packet filtering.
</BLOCKQUOTE>
<BLOCKQUOTE>
You mention that you are using a Linux "firewall/router."  Notice
that the term "firewall" is pretty vague.  It implies that you
have this system configured to enforce some sort of policies about
what sorts of traffic it will route into and out of your network.f
However, that could be anything from some simple ipfwadm or
ipchains rules through a gamut of different applications proxies,
"stateful packet filtering" systems, and other software.
</BLOCKQUOTE>
<BLOCKQUOTE>
These days a lot of people refer to Linux systems which are
simple IP masquerading routers as "firewalls." That's really
a stretch.  It seems quite likely that you are running through
masquerading.  If that's the case you should be aware that
Linux requires a special loadable module in order to support
normal FTP through a masqueraded route.  It may be that the
module isn't their, or that the kerneld/kmod (dynamic module
loading mechanisms) aren't properly running or configured,
etc.  You should have your sysadmin check the error logs on
this "firewall" and look for a file like:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQuote>
/lib/modules/.../ipv4/ip_masq_ftp.o
</BLOCKQuote></BLOCKQUOTE>
<BLOCKQUOTE>
... or for error messages in the logs that refer to such
a beast.  That little gizmo handles the active back "PORT"
connections from that might be coming from your ISPs FTP
server.
</BLOCKQUOTE>
<BLOCKQUOTE>
So, it sounds like you need to get someone to properly configure
the firewall if you want to use traditional FTP.  It also sounds
like you have an ISP that has lackluster support (since any
decent sysadmin should have been able to explain this to you).
</BLOCKQUOTE>
<BLOCKQUOTE>
Another option is to use "passive mode" FTP.  This still stills
two connections (control and data, as before).  However, it
basically means that the client requests that the server accept
all of the connections <TT>---</TT> so that no new connections will be
"inbound" back to the client.  Most newer FTP clients will
support passive mode.  If you're using the old "shell mode"
FTP command try just issuing the command 'passive' at the
FTP command's prompt.  If it responds with a message like:
"passive mode on" then you should be able to go from there.
</BLOCKQUOTE>
<BLOCKQUOTE>
Under ncftp (a popular FTP client that's almost more common
on Linux than the old Berkeley shell mode program) you
would try the command 'set passive on'
</BLOCKQUOTE>
<BLOCKQUOTE>
In any case search your man pages for "passive" and/or
"PASV" (the protocol keyword) to see if that helps.
</BLOCKQUOTE>
<BLOCKQUOTE>
Note that most web browsers default to passive mode for all
FTP transactions.  So one of the common symptoms of this
problem is that FTP works through a browser and fails
otherwise.
</BLOCKQUOTE>
<BLOCKQUOTE>
There are a number of places where you can read more about
Linux firewalls.  One place to check is:
</BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
Linux Administrators FAQ List: Firewalling
<DD><A HREF="http://www.kalug.lug.net/linux-admin-FAQ/Linux-Admin-FAQ-9.html"
	>http://www.kalug.lug.net/linux-admin-FAQ/Linux-Admin-FAQ-9.html</A>
</DL></BLOCKQUOTE>
<BLOCKQUOTE>
... and, of course:
</BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
Firewall and Proxy Server HOWTO
<DD><A HREF="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"
	>http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html</A>
</DL></BLOCKQUOTE>
<BLOCKQUOTE>
... and the home page of the:
</BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
Freefire Projekt Startpage, English, Bernd Eckenfels
<DD><A HREF="http://sites.inka.de/sites/lina/freefire-l/index.en.html"
	>http://sites.inka.de/sites/lina/freefire-l/index.en.html</A>
</DL></BLOCKQUOTE>
<BLOCKQUOTE>
... and Dave Wreski's:
</BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
Linux Security Administrator's Guide
<DD><A HREF="http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html"
	>http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html</A>
</DL></BLOCKQUOTE>
<BLOCKQUOTE>
... and a bit about the Sinus Firewall package (which is under the
GPL):
</BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
SINUS Firewall Page
<DD><A HREF="http://www.ifi.unizh.ch/ikm/SINUS/firewall"
	>http://www.ifi.unizh.ch/ikm/SINUS/firewall</A>
</DL></BLOCKQUOTE>
<BLOCKQUOTE>
... and the Juniper Firewall Toolkit (from Obtuse):
</BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
Juniper
<DD><A HREF="http://www.obtuse.com/juniper"
	>http://www.obtuse.com/juniper</A>
</DL></BLOCKQUOTE>
<BLOCKQUOTE>
... and I'm sure that most of those links lead to many others.
</BLOCKQUOTE>
<BLOCKQUOTE>
So, your sysadmin and our ISP have no excuse for not learning more
about firewalls, packet filtering and how to support simple
requests and solve simple problems such as this.
</BLOCKQUOTE>

<!-- end 17 -->
<!--startcut ======================================================= -->
<P> <hr> </p>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
	>Copyright &copy;</a> 2000, James T. Dennis 
<BR>Published in <I>The Linux Gazette</I> Issue 55 July 2000</H5>
<H6 ALIGN="center">HTML transformation  by
	<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
	Tuxtops, Inc.,
	<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A> 
</H6>
<P> <hr> 
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
	><IMG ALT="" SRC="../../gx/navbar/left.jpg"
        WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0">
<A HREF="../lg_answer55.html"
	><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
              ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer55.html#greeting"><img align="middle"
	src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A> &nbsp;
  <A HREF="1.html">1</A> &nbsp;
  <A HREF="2.html">2</A> &nbsp;
  <A HREF="3.html">3</A> &nbsp;
  <A HREF="4.html">4</A> &nbsp;
  <A HREF="5.html">5</A> &nbsp;
  <A HREF="6.html">6</A> &nbsp;
  <A HREF="7.html">7</A> &nbsp;
  <A HREF="8.html">8</A> &nbsp;
  <A HREF="9.html">9</A> &nbsp;
  <A HREF="10.html">10</A> &nbsp;
  <A HREF="11.html">11</A> &nbsp;
  <A HREF="12.html">12</A> &nbsp;
  <A HREF="13.html">13</A> &nbsp;
<br>
  <A HREF="14.html">14</A> &nbsp;
  <A HREF="15.html">15</A> &nbsp;
  <A HREF="16.html">16</A> &nbsp;
  <A HREF="17.html">17</A> &nbsp;
  <A HREF="18.html">18</A> &nbsp;
  <A HREF="19.html">19</A> &nbsp;
  <A HREF="20.html">20</A> &nbsp;
  <A HREF="21.html">21</A> &nbsp;
  <A HREF="22.html">22</A> &nbsp;
</td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
	><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
              ALT="[ Index of Past Answers ]" border="0"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
        WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<P> <hr> 
<!-- *** BEGIN navbar *** :::::::::::::::::::::::::::::::::::::::::::::::: -->
<p align="center">
<A HREF="../lg_bytes55.html"><IMG ALT="[ Prev ]" 
	SRC="../../gx/navbar/prev.jpg" 
	WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/left.jpg" 
	WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom" >
<A HREF="../index.html"><IMG ALT="[ Table of Contents ]" 
        SRC="../../gx/navbar/toc.jpg" 
	WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
<A HREF="../../index.html"><IMG ALT="[ Front Page ]" 
        SRC="../../gx/navbar/frontpage.jpg" 
	WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<A HREF="../../faq/index.html"><IMG ALT="[ FAQ ]" 
        SRC="../../gx/navbar/faq.jpg"
	WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" 
	WIDTH="15" HEIGHT="45" ALIGN="bottom" >
<A HREF="../lg_tips55.html"><IMG ALT="[ Next ]" 
	SRC="../../gx/navbar/next.jpg" 
	WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A>
<!-- *** END navbar *** :::::::::::::::::::::::::::::::::::::::::::::::::: -->
</p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->