Good morning Lonnie and all,

Let's write this one off to pilot error. I'm baffled why it didn't work yesterday but works today. But we'll take it.

Sorry for the mis-fire. Thanks for the help!

Take care,

Dan

-----Original Message-----
From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
Sent: Friday, July 28, 2017 8:23am
To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Port Forwarding FTP

Hi Dan,

In the lab, I just tested using the following firewall rule:

It worked as expected.

If it is possible to restrict the allowed source address (other than 0/0) that would be good.

Lonnie

On Jul 28, 2017, at 5:32 AM, d...@ryson.org wrote:

Hi Lonnie,

Thanks for the prompt reply and detailed insight. We'll circle back with feedback on our findings, as requested.

For what it's worth, we've had similar discussions with this client about reliance on FTP. They're slowly replacing it with secure protocols but progress is slow.

Dan

-----Original Message-----
From: "Lonnie Abelbeck" <li...@lonnie.abelbeck.com>
Sent: Thursday, July 27, 2017 9:27pm
To: "AstLinux Users Mailing List" <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Port Forwarding FTP

Hi Dan,

My first thought is *don't do that* :-) The FTP credentials are not encrypted, easily captured, etc. Using FTP over a VPN (OpenVPN), or using SFTP (TCP 22), would be much better choices.

If you really, really must allow FTP inbound on the external interface when AstLinux is a NAT firewall, you must use "NAT EXT->LAN" of TCP 21 to your internal FTP server. The Linux kernel will automatically apply the FTP helper to track the TCP 20 data channel, so only NAT-forward TCP 21.

Be sure to remove any "Pass EXT->LAN" TCP 21 rules.

Note that "Pass EXT->LAN" is for non-NAT'ed situations when the networks are routed, not NAT'ed. For example with IPv6 you would use "Pass EXT->LAN". For NAT'ed situations with IPv4 use "NAT EXT->LAN".

Note that with "NAT EXT->LAN" you could make the public TCP port non-standard and forward to the standard TCP 21 internally. I've never tried this, as the FTP helper has to cooperate, so this may or may not work; it also depends on the FTP client.

Let us know how it goes.

Lonnie



On Jul 27, 2017, at 7:44 PM, d...@ryson.org wrote:

> All,

> I just helped a friend reconfigure an AstLinux installation. Until today, it had been behind a NAT'd router/firewall. This afternoon, we added a NIC card and promoted AstLinux to replace the router/firewall. 

> All the complicated bits worked fine. However, testing revealed that a simple port forwarding to an internal FTP server (port 21) isn't working. The FTP server is working from within the LAN but we can't access it from the Internet. We enabled EXT=>LAN using the web interface and we can see the rule in iptables but it doesn't seem to work. 

> I'd appreciate any troubleshooting suggestions. 

> Thanks,

> Dan 


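The rule set Lonnie describes (NAT-forward only TCP 21, let the kernel FTP helper handle the data channel, restrict the allowed source, and no separate "Pass" rule for TCP 21), written out as plain iptables commands. This is an added example and not AstLinux's own "NAT EXT->LAN" configuration or anything from the thread; interface names, the internal server address and the allowed source network are placeholders, and it assumes the firewall already has a general MASQUERADE/SNAT rule for LAN-to-Internet traffic, as a NAT firewall would. It also covers a detail the thread does not: on kernels since Linux 4.7 the FTP helper is no longer assigned automatically by port, so it has to be bound with a CT rule in the raw table.

```shell
#!/bin/sh
# Added example, not AstLinux's own firewall configuration. It prints the
# plain iptables commands that implement "NAT EXT->LAN TCP 21 only", with the
# kernel FTP conntrack helper handling the data channel.
# Interface names, the server address and the allowed source are placeholders.

EXT_IF="${EXT_IF:-eth0}"                    # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                    # assumed LAN interface
FTP_SERVER="${FTP_SERVER:-192.168.1.10}"    # constructed internal FTP server
ALLOWED_SRC="${ALLOWED_SRC:-0.0.0.0/0}"     # narrow this when client IPs are known

# Emit the rule set for one allowed source, server and interface pair.
# Only the control channel (TCP 21) is NAT-forwarded: the FTP helper creates
# RELATED expectations for the data channel (TCP 20 active, high port passive),
# so no explicit TCP 20 forward or passive port range is opened.
ftp_forward_rules() {
  src="$1"; server="$2"; ext="$3"; lan="$4"
  cat <<EOF
# Load the NAT FTP helper (nf_nat_ftp pulls in nf_conntrack_ftp).
modprobe nf_nat_ftp
# Since Linux 4.7 automatic helper assignment by port is off by default
# (and gone in 6.0), so bind the helper explicitly to inbound control
# connections from the allowed source.
iptables -t raw -A PREROUTING -i $ext -p tcp --dport 21 -s $src -j CT --helper ftp
# NAT only the control channel to the internal server.
iptables -t nat -A PREROUTING -i $ext -p tcp --dport 21 -s $src -j DNAT --to-destination $server:21
# Allow the NAT'ed control connection and whatever the helper marks RELATED
# (passive data channels toward the server, active data channels from it).
iptables -A FORWARD -i $ext -o $lan -d $server -p tcp --dport 21 -s $src -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $ext -o $lan -d $server -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan -o $ext -s $server -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Sanity check before applying: the rule set must DNAT TCP 21 with the helper
# bound, and must not hand-open TCP 20 or a port range, which the helper makes
# unnecessary and which would bypass the source restriction.
check_rules() {
  rules="$1"
  echo "$rules" | grep -q -- '-j DNAT --to-destination' || return 1
  echo "$rules" | grep -q -- '-j CT --helper ftp' || return 1
  if echo "$rules" | grep -q -- '--dport 20'; then return 1; fi
  if echo "$rules" | grep -q -- '--dport [0-9]*:[0-9]*'; then return 1; fi
  return 0
}

# Print the rules for review; pipe to "sh" as root once reviewed.
ftp_forward_rules "$ALLOWED_SRC" "$FTP_SERVER" "$EXT_IF" "$LAN_IF"
```

The generated commands are printed rather than executed so they can be reviewed first; run the script as root and pipe its output to sh to apply them. Replacing 0.0.0.0/0 with the client's address block is the single most useful hardening here, since it keeps the unencrypted FTP service from being reachable from the whole Internet.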
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
