319 lines
12 KiB
HTML
319 lines
12 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.3D.k">
|
|
<TITLE>The Answer Guy 55: FTP Through a "Firewall"</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<P> <hr>
|
|
<!-- *** BEGIN navbar *** :::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<p align="center">
|
|
<A HREF="../lg_bytes55.html"><IMG ALT="[ Prev ]"
|
|
SRC="../../gx/navbar/prev.jpg"
|
|
WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
|
|
<IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom" >
|
|
<A HREF="../index.html"><IMG ALT="[ Table of Contents ]"
|
|
SRC="../../gx/navbar/toc.jpg"
|
|
WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
|
|
<A HREF="../../index.html"><IMG ALT="[ Front Page ]"
|
|
SRC="../../gx/navbar/frontpage.jpg"
|
|
WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
|
|
<A HREF="../../faq/index.html"><IMG ALT="[ FAQ ]"
|
|
SRC="../../gx/navbar/faq.jpg"
|
|
WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
|
|
<IMG ALT="" SRC="../../gx/navbar/right.jpg"
|
|
WIDTH="15" HEIGHT="45" ALIGN="bottom" >
|
|
<A HREF="../lg_tips55.html"><IMG ALT="[ Next ]"
|
|
SRC="../../gx/navbar/next.jpg"
|
|
WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
|
|
<!-- *** END navbar *** :::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</p>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Guy</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
LinuxCare,
|
|
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
|
|
</H4>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 17 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>FTP Through a "Firewall"</H3>
|
|
|
|
|
|
<p><strong>From Jonathan Marshall on Thu, 08 Jun 2000
|
|
</strong></p>
|
|
<!-- ::
|
|
FTP Through a "Firewall"
|
|
~~~~~~~~~~~~~~~~~~~~~~~~
|
|
:: -->
|
|
<P><STRONG>
|
|
I'm having an issue in which im not sure why ftp ing isn't going through
|
|
the linux firewall to our isp that handles all the files. What should I
|
|
check and look for to make sure ftping works through this linux firewall.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
I have no clue
|
|
thanks
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Jonathan Marshall
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Short form: Probably blocking <EM>all</EM> incoming TCP/IP connections
|
|
and failing to use "passive" FTP clients.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
It probably means that your firewall is improperly configured.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
I'm going to guess that you can do some web browsing, and/or
|
|
that ping or some other form of TCP/IP traffic is working between
|
|
your client(s) and the target host (the FTP server).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
In other words I'm going to assume that you are asking specfically
|
|
about why FTP is NOT working because other stuff <EM>is</EM> working. If
|
|
not then the problem could be anywhere in the realm of addressing
|
|
routing, link layer and lower level networking.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The most common problem where "everything is working except FTP"
|
|
has to do with the way that FTP works. Normal FTP (now sometimes
|
|
called "active" FTP) works something like this:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><ul>
|
|
<li> Your client connects to the FTP server. It sends
|
|
TCP packets to port 21 of the remote. That connection
|
|
is used to control the FTP session. Your commands (like
|
|
'ls' and 'get') are sent over that connection.
|
|
<li> The server makes connections back to your client every
|
|
time it wants to send a stream of data. Thus the 'ls'
|
|
listing that you asked for comes back over a separate TCP
|
|
channel from the control connection.
|
|
</ul></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
This technique plays hell with simplistic packet filtering and
|
|
is why "firewalls" are more complicated than just packet filtering.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
You mention that you are using a Linux "firewall/router." Notice
|
|
that the term "firewall" is pretty vague. It implies that you
|
|
have this system configured to enforce some sort of policies about
|
|
what sorts of traffic it will route into and out of your network.f
|
|
However, that could be anything from some simple ipfwadm or
|
|
ipchains rules through a gamut of different applications proxies,
|
|
"stateful packet filtering" systems, and other software.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
These days a lot of people refer to Linux systems which are
|
|
simple IP masquerading routers as "firewalls." That's really
|
|
a stretch. It seems quite likely that you are running through
|
|
masquerading. If that's the case you should be aware that
|
|
Linux requires a special loadable module in order to support
|
|
normal FTP through a masqueraded route. It may be that the
|
|
module isn't their, or that the kerneld/kmod (dynamic module
|
|
loading mechanisms) aren't properly running or configured,
|
|
etc. You should have your sysadmin check the error logs on
|
|
this "firewall" and look for a file like:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BLOCKQuote>
|
|
/lib/modules/.../ipv4/ip_masq_ftp.o
|
|
</BLOCKQuote></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... or for error messages in the logs that refer to such
|
|
a beast. That little gizmo handles the active back "PORT"
|
|
connections from that might be coming from your ISPs FTP
|
|
server.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
So, it sounds like you need to get someone to properly configure
|
|
the firewall if you want to use traditional FTP. It also sounds
|
|
like you have an ISP that has lackluster support (since any
|
|
decent sysadmin should have been able to explain this to you).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Another option is to use "passive mode" FTP. This still stills
|
|
two connections (control and data, as before). However, it
|
|
basically means that the client requests that the server accept
|
|
all of the connections <TT>---</TT> so that no new connections will be
|
|
"inbound" back to the client. Most newer FTP clients will
|
|
support passive mode. If you're using the old "shell mode"
|
|
FTP command try just issuing the command 'passive' at the
|
|
FTP command's prompt. If it responds with a message like:
|
|
"passive mode on" then you should be able to go from there.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Under ncftp (a popular FTP client that's almost more common
|
|
on Linux than the old Berkeley shell mode program) you
|
|
would try the command 'set passive on'
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
In any case search your man pages for "passive" and/or
|
|
"PASV" (the protocol keyword) to see if that helps.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Note that most web browsers default to passive mode for all
|
|
FTP transactions. So one of the common symptoms of this
|
|
problem is that FTP works through a browser and fails
|
|
otherwise.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
There are a number of places where you can read more about
|
|
Linux firewalls. One place to check is:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
Linux Administrators FAQ List: Firewalling
|
|
<DD><A HREF="http://www.kalug.lug.net/linux-admin-FAQ/Linux-Admin-FAQ-9.html"
|
|
>http://www.kalug.lug.net/linux-admin-FAQ/Linux-Admin-FAQ-9.html</A>
|
|
</DL></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... and, of course:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
Firewall and Proxy Server HOWTO
|
|
<DD><A HREF="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"
|
|
>http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html</A>
|
|
</DL></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... and the home page of the:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
Freefire Projekt Startpage, English, Bernd Eckenfels
|
|
<DD><A HREF="http://sites.inka.de/sites/lina/freefire-l/index.en.html"
|
|
>http://sites.inka.de/sites/lina/freefire-l/index.en.html</A>
|
|
</DL></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... and Dave Wreski's:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
Linux Security Administrator's Guide
|
|
<DD><A HREF="http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html"
|
|
>http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html</A>
|
|
</DL></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... and a bit about the Sinus Firewall package (which is under the
|
|
GPL):
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
SINUS Firewall Page
|
|
<DD><A HREF="http://www.ifi.unizh.ch/ikm/SINUS/firewall"
|
|
>http://www.ifi.unizh.ch/ikm/SINUS/firewall</A>
|
|
</DL></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... and the Juniper Firewall Toolkit (from Obtuse):
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
Juniper
|
|
<DD><A HREF="http://www.obtuse.com/juniper"
|
|
>http://www.obtuse.com/juniper</A>
|
|
</DL></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... and I'm sure that most of those links lead to many others.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
So, your sysadmin and our ISP have no excuse for not learning more
|
|
about firewalls, packet filtering and how to support simple
|
|
requests and solve simple problems such as this.
|
|
</BLOCKQUOTE>
|
|
|
|
<!-- end 17 -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> </p>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2000, James T. Dennis
|
|
<BR>Published in <I>The Linux Gazette</I> Issue 55 July 2000</H5>
|
|
<H6 ALIGN="center">HTML transformation by
|
|
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
|
|
Tuxtops, Inc.,
|
|
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
|
|
</H6>
|
|
<P> <hr>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<p align="center">
|
|
<table width="100%" border="0"><tr>
|
|
<td align="right" valign="center"
|
|
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0">
|
|
<A HREF="../lg_answer55.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
|
|
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
|
|
<td align="center" valign="center"><A HREF="../lg_answer55.html#greeting"><img align="middle"
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A>
|
|
<A HREF="1.html">1</A>
|
|
<A HREF="2.html">2</A>
|
|
<A HREF="3.html">3</A>
|
|
<A HREF="4.html">4</A>
|
|
<A HREF="5.html">5</A>
|
|
<A HREF="6.html">6</A>
|
|
<A HREF="7.html">7</A>
|
|
<A HREF="8.html">8</A>
|
|
<A HREF="9.html">9</A>
|
|
<A HREF="10.html">10</A>
|
|
<A HREF="11.html">11</A>
|
|
<A HREF="12.html">12</A>
|
|
<A HREF="13.html">13</A>
|
|
<br>
|
|
<A HREF="14.html">14</A>
|
|
<A HREF="15.html">15</A>
|
|
<A HREF="16.html">16</A>
|
|
<A HREF="17.html">17</A>
|
|
<A HREF="18.html">18</A>
|
|
<A HREF="19.html">19</A>
|
|
<A HREF="20.html">20</A>
|
|
<A HREF="21.html">21</A>
|
|
<A HREF="22.html">22</A>
|
|
</td>
|
|
<td align="left" valign="center"><A HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
|
|
ALT="[ Index of Past Answers ]" border="0"></A>
|
|
<IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
|
|
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
|
|
</p>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr>
|
|
<!-- *** BEGIN navbar *** :::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<p align="center">
|
|
<A HREF="../lg_bytes55.html"><IMG ALT="[ Prev ]"
|
|
SRC="../../gx/navbar/prev.jpg"
|
|
WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
|
|
<IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom" >
|
|
<A HREF="../index.html"><IMG ALT="[ Table of Contents ]"
|
|
SRC="../../gx/navbar/toc.jpg"
|
|
WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
|
|
<A HREF="../../index.html"><IMG ALT="[ Front Page ]"
|
|
SRC="../../gx/navbar/frontpage.jpg"
|
|
WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
|
|
<A HREF="../../faq/index.html"><IMG ALT="[ FAQ ]"
|
|
SRC="../../gx/navbar/faq.jpg"
|
|
WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
|
|
<IMG ALT="" SRC="../../gx/navbar/right.jpg"
|
|
WIDTH="15" HEIGHT="45" ALIGN="bottom" >
|
|
<A HREF="../lg_tips55.html"><IMG ALT="[ Next ]"
|
|
SRC="../../gx/navbar/next.jpg"
|
|
WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
|
|
<!-- *** END navbar *** :::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</p>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|