Firewall Wizards mailing list archives
RE: port in use error....but it is not....
From: Spencer Marshall <Spencer.Marshall () ntl com>
Date: Fri, 27 Aug 1999 09:13:13 +0100
Thank you Devin and Ted for your answers. I implemented the ftp_masq, which helped. I could not restrict the port which was used for the data part of the ftp. I will implement the patch which Ted suggested and report back. A netstat --ip on the ext-firewall indicated ftp-data between the destination and the ftp-gw but a port > 1024 between ftp-gw and the internal machine.

Many thanks,
Spencer
-----Original Message-----
From: Ted Keller [mailto:keller () bfg com]
Sent: 26 August 1999 14:16
To: Spencer Marshall
Cc: fwtk-users () lists nai com; firewall-wizards () nfr net
Subject: Re: port in use error....but it is not....

Spencer,

Don't have any suggestions, but I suspect I know what the problem is. ftp opens up a command channel and a data channel. The command channel part is probably working just dandy. The data channel is negotiated using high numbered ports. I suspect this negotiation is failing. There was a patch posted in the archives to disable the high-channel negotiation process and use the standard ftp data port. Possibly that will work here.

ted keller

On Thu, 26 Aug 1999, Spencer Marshall wrote:

> I have two machines forming my firewall
>
> internet
> |
> | ppp
> ext-firewall (fwtk)
> | 172.16.1.1
> |
> | dmz lan, containing mailserver, webserver etc.
> |
> | 172.16.1.2
> int-firewall (ipfwadm) forw with masq
> | 192.168.4.1
> |
> | mil lan (192.168.)
> |
> -------- internal lan
> |
> wk-station 192.168.4.5 default route gw 192.168.4.1
>
> Users telnet from the "internal lan" to the ext-firewall and using the fwtk tn-gw go off onto the internet without incident. My problem is when users use ftp. They ftp from the "internal lan" to the ext-firewall where they use the ftp-gw to go off onto the internet. Or at least should. ftp to the gw is no problem, and making a connection to an internet ftp site is also no problem, but that is all they can do. If they do a get or ls, they get the error
>
> PORT 172.16.1.2 mismatch 192.168.4.5
>
> However, if I login to the int-firewall and go from there, all is fine, no errors. I thought this might have been a problem with the ftp ipfwadm rules on the int-firewall, but they are the same as those for telnet. I next looked at the fwtk netperm-table but the rules are the same (though separate entries) for ftp-gw and tn-gw.
>
> I am stumped because everything else seems to work okay, tn-gw, http-gw, cmd-gw, telnet to smap all from 192.168.4.* to 172.16.1.1
>
> all machines including the wk-stations use the following
> RedHat 5.2
> kernel 2.0.36
> ext-firewall also has fwtk 2.1
> int-firewall also uses ipfwadm
>
> Does anyone have any suggestions please. This is driving me potty.
>
> Many thanks,
> Spencer
-----Original Message-----
From: Devin Redlich [mailto:devin () pctc com]
Sent: 26 August 1999 16:11
To: Spencer Marshall; fwtk-users () lists nai com; firewall-wizards () nfr net
Subject: Re: port in use error....but it is not....

At 10:07 AM 8/26/1999 +0100, Spencer Marshall wrote:

> Users telnet from the "internal lan" to the ext-firewall and using the fwtk tn-gw go off onto the internet without incident. My problem is when users use ftp. They ftp from the "internal lan" to the ext-firewall where they use the ftp-gw to go off onto the internet. Or at least should. ftp to the gw is no problem, and making a connection to an internet ftp site is also no problem, but that is all they can do. If they do a get or ls, they get the error
>
> PORT 172.16.1.2 mismatch 192.168.4.5

I strongly suspect you haven't loaded the ftp masquerading module. Some protocols (like ftp, for one) contain the source addr as part of the data portion of the packet. In your case, masquerading is rewriting the source addr in the header, but isn't touching the data, so there is a source addr mismatch. If you load the ftp masquerading module, it'll rewrite the ftp packets on the fly, making everyone happy. See
http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html#ss3.1 for more info.

--
Devin Redlich
devin () pctc com
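Devin's point above, as an added example that is not from the thread, fwtk, or the Linux masquerading code: a small Python model of the PORT check an FTP proxy such as ftp-gw performs against the control-channel peer, showing why it fails when the int-firewall rewrites the IP header but not the PORT payload, and what the ftp masquerading helper changes in the payload so the check passes. The order of addresses in the error string, the offered data port 1034 and the mapped port 61001 are assumptions; the addresses are the ones from Spencer's diagram.

```python
import re
import ipaddress

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){3}),(\d{1,3}),(\d{1,3})\s*$", re.I)

def parse_port(line):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    hi, lo = int(m.group(2)), int(m.group(3))
    if any(o > 255 for o in octets) or hi > 255 or lo > 255:
        return None
    return str(ipaddress.IPv4Address(bytes(octets))), hi * 256 + lo

def check_port(control_peer, line):
    """Proxy-side sanity check: the data address announced in PORT must equal the
    address the control connection actually came from. Returns None when OK,
    otherwise an error string (message layout assumed, not taken from fwtk)."""
    parsed = parse_port(line)
    if parsed is None:
        return "PORT command malformed"
    ip, _port = parsed
    if ip != control_peer:
        return f"PORT {control_peer} mismatch {ip}"
    return None

def masq_rewrite_port(line, masq_ip, masq_port):
    """What the ftp masquerading helper does to the payload: replace the private
    address and port in PORT with the masqueraded address and a mapped port."""
    if parse_port(line) is None:
        return line
    octs = str(ipaddress.IPv4Address(masq_ip)).replace(".", ",")
    return f"PORT {octs},{masq_port // 256},{masq_port % 256}"

# Constructed scenario from the diagram: the workstation 192.168.4.5 sits behind
# the masquerading int-firewall 172.16.1.2, so ftp-gw on the ext-firewall sees
# the control connection arrive from 172.16.1.2.
INT_FW = "172.16.1.2"
RAW_PORT = "PORT 192,168,4,5,4,10"   # workstation offers 192.168.4.5:1034 (assumed port)

def demo():
    before = check_port(INT_FW, RAW_PORT)                  # header rewritten, payload not
    fixed = masq_rewrite_port(RAW_PORT, INT_FW, 61001)     # helper loaded, mapped port assumed
    after = check_port(INT_FW, fixed)
    return before, fixed, after
```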