illegal ftp port request / ip_nat_ftp

To: debian-firewall@lists.debian.org
Cc: debian-user@lists.debian.org
Subject: illegal ftp port request / ip_nat_ftp
From: Tom - 2Ergo Technical Support <tom.stockton@2ergo.com>
Date: Thu, 24 Feb 2005 17:31:43 +0000
Message-id: <[🔎] 1109266303.10254.33.camel@bobby>

Hi there,

I'm seeing some funny behaviour on one of my debian woody firewalls.  It
manifests itself when making an active ftp connection from a Snatted
client behind the firewall with the following error

ftp> ls
501 Illegal PORT command
ftp: bind: Address already in use

I have the ip_nat_ftp and ip_conntrack_ftp modules loaded and the
following version of iptables

ii  iptables         1.2.6a-5.0woody2 IP packet filter administration
tools for 2.4.4+

I have run ethereal to see what is going on and it appears that the
firewall is modifying the PORT command and sending too many parameters.

ie.

seen on the inside interface of the firewall:

PORT 192,168,1,2,216,207

which is ok

however when seen on the outside interface it appears as:

PORT 10,1,1,2,216,207,207

which has a superfluous '207' parameter

192,168,1,2 - private ip address
10,1,1,2 - public ip address


Any tips / advice / suggestions much appreciated.

Regards

Tom

-- 
Tom - 2Ergo Technical Support <tom.stockton@2ergo.com>

Reply to:

Follow-Ups:
- Re: illegal ftp port request / ip_nat_ftp
  - From: Mike Mestnik <cheako911@yahoo.com>

Prev by Date: Re: RE: Error-Guard Support Request
Next by Date: Re: illegal ftp port request / ip_nat_ftp
Previous by thread: Re: RE: Error-Guard Support Request
Next by thread: Re: illegal ftp port request / ip_nat_ftp
Index(es):
- Date
- Thread