Firewall Wizards mailing list archives
RE: port in use error....but it is not....
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Mon, 30 Aug 1999 07:54:49 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Restricting the data port would be more useful if you are able to do it in ranges. Otherwise, only one user would be able to use the proxy at a time. Is there any particular reason you would want to limit the ipfwadm machine's use of high ports for the data channel?

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer:-)

- -----Original Message-----
From: Spencer Marshall [mailto:Spencer.Marshall () ntl com]
Sent: Friday, August 27, 1999 4:13 AM
To: 'Devin Redlich'; fwtk-users () lists nai com; firewall-wizards () nfr net; 'Ted Keller'
Subject: RE: port in use error....but it is not....

Thank you Devin and Ted for your answers. I implemented the ftp_masq, which helped. I could not restrict the port which was used for the data part of the ftp. I will implement the patch which Ted suggested and report back. A netstat --ip on the ext-firewall indicated ftp-data between the destination and the ftp-gw but a port > 1024 between ftp-gw and the internal machine.

Many thanks,
Spencer
-----Original Message-----
From: Ted Keller [mailto:keller () bfg com]
Sent: 26 August 1999 14:16
To: Spencer Marshall
Cc: fwtk-users () lists nai com; firewall-wizards () nfr net
Subject: Re: port in use error....but it is not....

Spencer,

Don't have any suggestions, but I suspect I know what the problem is. ftp opens up a command channel and a data channel. The command channel part is probably working just dandy. The data channel is negotiated using high numbered ports. I suspect this negotiation is failing. There was a patch posted in the archives to disable the high-channel negotiation process and use the standard ftp data port. Possibly that will work here.

ted keller

On Thu, 26 Aug 1999, Spencer Marshall wrote:

> [To be removed from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo () ex tis com.]
>
> I have two machines forming my firewall
>
>                       internet
>                          |
>                          | ppp
>                  ext-firewall (fwtk)
>                          | 172.16.1.1
>                          |
>        dmz lan, containing mailserver, webserver etc.
>                          |
>                          | 172.16.1.2
>          int-firewall (ipfwadm) forw with masq
>                          | 192.168.4.1
>                          |
>                  mil lan (192.168.)
>                          |
>               -------- internal lan
>                          |
>              wk-station 192.168.4.5
>              default route gw 192.168.4.1
>
> Users telnet from the "internal lan" to the ext-firewall and using the fwtk tn-gw go off onto the internet without incident. My problem is when users use ftp. They ftp from the "internal lan" to the ext-firewall where they use the ftp-gw to go off onto the internet. Or at least should. ftp to the gw is no problem, and making a connection to an internet ftp site is also no problem, but that is all they can do. If they do a get or ls, they get the error
>
> PORT 172.16.1.2 mismatch 192.168.4.5
>
> However, if I login to the int-firewall and go from there, all is fine, no errors. I thought this might have been a problem with the ftp ipfwadm rules on the int-firewall, but they are the same as those for telnet. I next looked at the fwtk netperm-table but the rules are the same (though separate entries) for ftp-gw and tn-gw.
>
> I am stumped because everything else seems to work okay: tn-gw, http-gw, cmd-gw, telnet to smap, all from 192.168.4.* to 172.16.1.1.
>
> All machines including the wk-stations use the following:
> RedHat 5.2, kernel 2.0.36
> ext-firewall also has fwtk 2.1
> int-firewall also uses ipfwadm
>
> Does anyone have any suggestions please. This is driving me potty.
>
> Many thanks,
> Spencer
-----Original Message-----
From: Devin Redlich [mailto:devin () pctc com]
Sent: 26 August 1999 16:11
To: Spencer Marshall; fwtk-users () lists nai com; firewall-wizards () nfr net
Subject: Re: port in use error....but it is not....

At 10:07 AM 8/26/1999 +0100, Spencer Marshall wrote:
> Users telnet from the "internal lan" to the ext-firewall and using the fwtk tn-gw go off onto the internet without incident. My problem is when users use ftp. They ftp from the "internal lan" to the ext-firewall where they use the ftp-gw to go off onto the internet. Or at least should. ftp to the gw is no problem, and making a connection to an internet ftp site is also no problem, but that is all they can do. If they do a get or ls, they get the error
>
> PORT 172.16.1.2 mismatch 192.168.4.5

I strongly suspect you haven't loaded the ftp masquerading module. Some protocols (like ftp, for one) contain the source addr as part of the data portion of the packet. In your case, masquerading is rewriting the source addr in the header, but isn't touching the data, so there is a source addr mismatch. If you load the ftp masquerading module, it'll rewrite the ftp packets on the fly, making everyone happy. See
http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html#ss3.1 for more info.

- --
Devin Redlich
devin () pctc com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBN8qbOhzV4nRUHFtQEQIP7wCbBgcbni2ogb92kzuvD7RP5CcdLqwAoNtU
4r2YJRo+8h7sImXHME+2Gthz
=VKkD
-----END PGP SIGNATURE-----