Re: FTP thro' firewall
On Tue, Aug 28, 2001 at 02:25:42PM -0400, Chris Wagner wrote:
> The WS FTP thingy you're refering to is for going through
> proxies. Some folks just don't know the difference between
> firewalls and proxies. :) To do this just set up port
Indeed. That's partially because in WS_FTP/CuteFTP etc., the
proxy options are in the config section called "Firewall."
> forwarding on the firewall. Use ipchains or something and
> only allow ftp connections from your known boxes to pass
> through. Allow nothing from the jungle side. You should then
> be able to transparently connect to the outside world.
You only need "portforwarding" on the firewall if you want to
have an FTP server on the inside of the firewall and you're
doing IP masquerading/NAT or something.
Also, the above config would only allow passive FTP.
I don't know what "Mandrake SNF" is, but if you can install a
2.4 kernel on it, you could use iptables instead of ipchains.
This means you can use the stateful inspection features to allow
active and passive FTP through the firewall.
The other option is to install an ftp proxy (no, not Squid) on
the firewall. Two examples of ftp proxies are the one from the
SuSE proxy suite (which, last time I looked consisted only of
the ftp proxy) and ftp-gw from the TIS firewall toolkit.
Btw, I've just checked and there is a package in testing called
ftp-proxy (maybe in stable too?) which contains the SuSE proxy
suite ftp proxy. It should be available for Mandrake too, or
just compile it from source.
If people are using WS_FTP to ftp through the firewall, there
may well be a proxy installed already. Have a look in the
"Firewall" config of WS_FTP to see what they have there.
To use the above mentioned ftp proxies from the command line ftp
clients, use "firstname.lastname@example.org" as the "username"
and then the password of the real FTP server for the password:
$ ftp firewall.example.com
220 firewall FTP proxy ready
331- Gatewaying to ftp.debian.org.
331 Guest login ok, send your complete e-mail address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
or something like that :)
> At 12:58 PM 8/28/01 +0000, Martin WHEELER wrote:
> >Given a small local network, with nodes using a variety of
> >OSes (Winx; SuSE; Debian), and a firewall using Mandrake SNF,
> >how does one FTP thro' the firewall (safely) from one of the
> >Debian (kernel 2.2.19) nodes?
> >Or is this a complete no-no?
> >Apparently the Win version of WS FTP has some sort of
> >arrangement to allow this -- I can't seem to find any
> >documentation to allow it under Debian 2.2r3+testing.