RE: port in use error....but it is not....

["LeGrow, Matt" <Matt_LeGrow () NAI com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Restricting the data port would be more useful if you are able to do
it in ranges. Otherwise, only one user would be able to use the proxy
at a time.  Is there is any particular reason you would want to limit
the ipfwadm machine's use of high ports for the data channel?


Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my
employer:-)


- -----Original Message-----
From: Spencer Marshall [mailto:Spencer.Marshall () ntl com]
Sent: Friday, August 27, 1999 4:13 AM
To: 'Devin Redlich'; fwtk-users () lists nai com;
firewall-wizards () nfr net;
'Ted Keller'
Subject: RE: port in use error....but it is not....



Thank you Devin and Ted for you answers,  I implemented the ftp_masq,
which
helped.  I could not restrict the port which was used for the data
part of
the ftp.  I will implement the patch which Ted suggested and report
back.  A
netstat --ip on the ext-firewall indicated ftp-data between the
destination
and the ftp-gw but a port > 1024 between ftp-gw and the internal
machine.

Many thanks,

Spencer

> -----Original Message-----
> From: Ted Keller [mailto:keller () bfg com]
> Sent: 26 August 1999 14:16
> To: Spencer Marshall
> Cc: fwtk-users () lists nai com; firewall-wizards () nfr net
> Subject: Re: port in use error....but it is not....
>
>
> Spencer,
>
> Don't have any suggestions, but I suspect I know what the problem
> is.  
>
> ftp opens up a command channel and a data channel.  The 
> command channel
> part is probably working just dandy.  The data channel is 
> negotiated using
> high numbered ports.  I suspect this negotiation is failing.
>
> There was a patch posted in the archives to disable the
> high-channel negotiation process and use the standard ftp data
> port.  Possibly that will work here.  
>
> ted keller
>
>
> On Thu, 26 Aug 1999, Spencer Marshall wrote:
>
> > [To be removed from this list send the message "unsubscribe 
> fwtk-users" in the
> > BODY of a mail message to majordomo () ex tis com.]
> >
> >
> > I have two machines forming my firewall
> >
> > internet
> >    |
> >    | ppp
> > ext-firewall (fwtk)
> >    | 172.16.1.1
> >    |
> >    | dmz lan, containing mailserver, webserver etc.
> >    |
> >    |
> >    | 172.16.1.2
> > int-firewall (ipfwadm) forw with masq
> >    | 192.168.4.1
> >    |
> >    | mil lan (192.168.)
> >    |
> >    |
> > -------- internal lan
> >      |
> > wk- station 192.168.4.5 default route gw 192.168.4.1
> >
> > Users telnet from the "internal lan" to the ext-firewall 
> and using the fwtk
> > tn-gw go off onto the internet without incident.  My 
> problem is when users
> > use ftp.  They ftp from the "internal lan" to the 
> ext-firewall where they
> > use the ftp-gw to go off onto the internet.  Or at least 
> should.  ftp to the
> > gw is no problem, and making a connection to an internet 
> ftp site is also no
> > problem, but that is all they can do.  If they do a get or 
> ls, they get the
> > error
> > PORT 172.16.1.2 mismatch 192.168.4.5
> > However, if I login to the int-firewall and go from there, 
> all is fine, no
> > errors.  I thought this might have been a problem with the 
> ftp ipfwadm rules
> > on the int-firewall, but they are the same as those for 
> telnet.  I next
> > looked at the fwtk netperm-table but the rules are the same 
> (though separate
> > entries) for ftp-gw and tn-gw.
> >
> > I am stumped because everything else seems to work okay, 
> tn-gw, http-gw,
> > cmd-gw, telnet to smap all from 192.168.4.* to 172.16.1.1
> >
> > all machines including the wk-stations use the following
> > RedHat 5.2
> > kernel 2.0.36
> >
> > ext-firewall also has fwtk 2.1
> >
> > int-firewall also uses ipfwadm
> >
> > Does anyone have any suggestions please.  This is driving me
> > potty.  
> >
> > Many thanks,
> >
> > Spencer

> -----Original Message-----
> From: Devin Redlich [mailto:devin () pctc com]
> Sent: 26 August 1999 16:11
> To: Spencer Marshall; fwtk-users () lists nai com; 
> firewall-wizards () nfr net
> Subject: Re: port in use error....but it is not....
>
>
> At 10:07 AM 8/26/1999 +0100, Spencer Marshall wrote:
> > Users telnet from the "internal lan" to the ext-firewall and 
> using the fwtk
> > tn-gw go off onto the internet without incident.  My problem 
> is when users
> > use ftp.  They ftp from the "internal lan" to the 
> ext-firewall where they
> > use the ftp-gw to go off onto the internet.  Or at least 
> should.  ftp to the
> > gw is no problem, and making a connection to an internet ftp 
> site is also no
> > problem, but that is all they can do.  If they do a get or 
> ls, they get the
> > error
> > PORT 172.16.1.2 mismatch 192.168.4.5
>
> I strongly suspect you haven't loaded the ftp masquarading 
> module.  Some
> protocols (like ftp, for one) contain the source addr as part 
> of the data
> portion of the packet.  In your case, masquarading is 
> rewriting the source
> addr in the header, but isn't touching the data, so there is 
> a source addr
> mismatch.  If you load the ftp masquarading module, it'll 
> rewrite the ftp
> packets on the fly, making everyone happy.
>
> See 
http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html#ss3.1 for
more info.

- -- 
Devin Redlich
devin () pctc com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBN8qbOhzV4nRUHFtQEQIP7wCbBgcbni2ogb92kzuvD7RP5CcdLqwAoNtU
4r2YJRo+8h7sImXHME+2Gthz
=VKkD
-----END PGP SIGNATURE-----