RE: [leaf-user] FTP and IP-NAT

2002-09-24 Thread Joris Kempen

Hi people,

I got it working.

Just opened port 864 by using

IP_MASK_FTP port=21,864

His FTP is just running at this port. Still don't know what it has to do
with IP-NAT.

but thanks for all suggestions

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matthew
Schalit
Sent: Monday, September 23, 2002 7:24 AM
To: [EMAIL PROTECTED]
Cc: 'Leaf (E-mail)'
Subject: Re: [leaf-user] FTP and IP-NAT



First of all, can you login to the ftpd?
I figure you can.

But when you try to do a directory listing,
you get that error.

And the error you get from the ftpd server
is   error message: 501 you are on a LAN
and the IP-NAT is not translating your IP address
correctly


So let's refer to RFC 959, FTP:
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc0959.html
on or about page 37-40 we learn how to decode the three
decimal digits in the response code, which is formed like
xyz, where your response was a 501:


  5yz   Permanent Negative Completion reply

The command was not accepted and the requested action did
not take place.  The User-process is discouraged from
repeating the exact request (in the same sequence).  Even
some permanent error conditions can be corrected, so
the human user may want to direct his User-process to
reinitiate the command sequence by direct action at some
point in the future (e.g., after the spelling has been
changed, or the user has altered his directory status.)




  x0z   Syntax - These replies refer to syntax errors,
   syntactically correct commands that don't fit any
   functional category, unimplemented or superfluous
   commands.




  xy1   This is a finer grain subcategory of the xy value, so
a 1 in the last digit can mean many things.


In the case of 501, the usual meaning is:

   501: Syntax error in parameters or arguments.



So what the server is trying to tell you is that you
sent an invalid PORT command, which was invalid not
because of how it was formed but because of the values
of its arguments.  Something that would cause a PORT
command from a client to a server to be invalid would
be if the client sent an invalid address, that is, an
address from the private non-routable space like
192.168.1.1.

What is supposed to happen is that those invalid
addresses are supposed to be munged on the fly by
ip_masq_ftp.

Do you have ip_masq_ftp installed?

   # lsmod

should list the mods.

   As far as what your admin said, ignore it.  If one of
my sysops told me he was going to mess with port 864
and try to run a server on that port, I'd ask if he
was sure he didn't want to go into art.

   If you want to be responsible for your own end,
you might check your syslog and paste in any relevant
denied packets if any between you and the ftpd, also.

Best,
Matthew








Joris Kempen wrote:
 Hi people,

 I talked with the admin of the ftp site.

 and he told me that port 864 is needed for IP NAT.

 Can I just open port 864?

 I have DachStein  Echowall, how do I open this port 864.

 Any links maybe that tell me (in easy language:) what IP-NAT
exactly is..

 Thanks..

 Kind regards,

 Joris Kempen
 St. Ursulahof 47
 5995 CB Kessel

 email: [EMAIL PROTECTED]
 tel. nr.:  06 1257 4228


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Joris Kempen
Sent: Saturday, September 21, 2002 10:14 AM
To: Leaf (E-mail)
Subject: [leaf-user] FTP and IP-NAT


HI people,

I have a Dachstein router with EchoWall and SSH on it.

I try connecting to a FTP server and get this message:

error message: 501 you are on a LAN and the IP-NAT is not
translating your
IP address correctly

I didn't have this problem before with this server, so i
assume they changed
something.

What do I need to change in my router to prevent this problem?

Thanks for any help.

Joris

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228




---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
---
-
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html




RE: [leaf-user] FTP and IP-NAT

2002-09-22 Thread Jeff Newmiller

On Sat, 21 Sep 2002, Ray Olszewski wrote:

 
 This is a new one to me. I hope someone else will turn out to be familiar 
 with it and post a simple solution, but I wouldn't count on it. (I waited 
 awhile before replying, in this hope.)

New to me, too.

 I am reasonably sure that IP-NAT is just a slightly more exact synonym for 
 NAT. At least every reference I could find used it that way. I assume you 
 know what the ordinary meaning of NAT is.
 
 I can't find any reference to the use of port 864 in connection with NAT or 
 IP-NAT (or ftp). Just opening it is unlikely to help you much; something 
 on your router or LAN will need either to send from that port or listen on 
 it -- or maybe accept input *from* it; the advice you report getting is so 
 sketchy that it is hard to guess. The admin's advice doesn't include 
 telling you what his site uses the port for, and I can't find any 
 indication that the use is anything established by any standard ... or at 
 least nothing connected to NAT or ftp.

It is possible that they have configured their server to accept ftp
control connections on port 864, but I don't see how they could do that
without Joris' knowledge and still end up using active ftp.  That is, if
Joris was accessing the ftp server by clicking on a link in a browser, he
might never know they had changed the control connection port.

ip_masq_ftp monitors all outgoing connections to port 21 and munges the
information about which ip address and port the server can use to make an
active data connection back to your box.  If you need to connect to ftp
servers on port 864, then in /etc/modules, change the following line

  ip_masq_ftp

to

  ip_masq_ftp ports=21,864

and if that fixes the problem then backup modules.lrp.

 (The only references to port 864 that I was able to track down are in RFC 
 768, where 864-UDP is associated with a service called Discard, and with 
 connection to ypserv, which also runs on 864-UDP. You may need to find out 
 what the site expects to receive or send from or to that port.)
 
 So ... if someone else jumps in here with an easy answer, that's terrific. 
 If no one does ... then you may be the first one to run into a new problem 
 that we (and Linux-NAT users generally) need to work out a solution for. In 
 that case, the more information you can provide, the better.

Yes indeed... in particular, a sample of the exact firewall error messages
involved (from /var/log/messages or /var/log/syslog) could be helpful.

 The other possibility is that this use of port 864 is some oddity specific 
 to the particular ftp site. I've seen a few other cases recently where 
 admins of ftp sites did something short-sighted that caused problems for 
 connections from firewalled sites, and in such cases, there is really no 
 sensible fix other than letting the admin know that it is his problem to 
 fix, not yours.
 
 I'm sorry this reply isn't more helpful, and I do hope that someone else 
 who recognizes the problem from your description will respond with more 
 information.
 
 At 01:23 PM 9/21/02 +0200, Joris Kempen wrote:
 Hi people,
 
 I talked with the admin of the ftp site.
 
 and he told me that port 864 is needed for IP NAT.
 
 Can I just open port 864?
 
 I have DachStein  Echowall, how do I open this port 864.
 
 Any links maybe that tell me (in easy language:) what IP-NAT exactly is..
 
 Thanks..
 
 Kind regards,
 
 Joris Kempen
 St. Ursulahof 47
 5995 CB Kessel
 
 email: [EMAIL PROTECTED]
 tel. nr.:  06 1257 4228
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Joris Kempen
  Sent: Saturday, September 21, 2002 10:14 AM
  To: Leaf (E-mail)
  Subject: [leaf-user] FTP and IP-NAT
  
  
  HI people,
  
  I have a Dachstein router with EchoWall and SSH on it.
  
  I try connecting to a FTP server and get this message:
  
  error message: 501 you are on a LAN and the IP-NAT is not
  translating your
  IP address correctly
  
  I didn't have this problem before with this server, so i
  assume they changed
  something.
  
  What do I need to change in my router to prevent this problem?
 
 
 --
 ---Never tell me the odds!
 Ray Olszewski -- Han Solo
 Palo Alto, California, USA  [EMAIL PROTECTED]
 ---
 
 
 
 

---
Jeff NewmillerThe .   .  Go Live...

RE: [leaf-user] FTP and IP-NAT

2002-09-22 Thread Joris Kempen

thanks people for your replies.

Tomorrow I'm going to check out my options to solve this problem.

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel 

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228 

-Original Message-
From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 22, 2002 9:54 PM
To: Ray Olszewski
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [leaf-user] FTP and IP-NAT


On Sat, 21 Sep 2002, Ray Olszewski wrote:

 
 This is a new one to me. I hope someone else will turn out to be familiar
 with it and post a simple solution, but I wouldn't count on it. (I waited
 awhile before replying, in this hope.)

New to me, too.

 I am reasonably sure that IP-NAT is just a slightly more exact synonym for
 NAT. At least every reference I could find used it that way. I assume you
 know what the ordinary meaning of NAT is.
 
 I can't find any reference to the use of port 864 in connection with NAT or
 IP-NAT (or ftp). Just opening it is unlikely to help you much; something
 on your router or LAN will need either to send from that port or listen on
 it -- or maybe accept input *from* it; the advice you report getting is so
 sketchy that it is hard to guess. The admin's advice doesn't include
 telling you what his site uses the port for, and I can't find any
 indication that the use is anything established by any standard ... or at
 least nothing connected to NAT or ftp.

It is possible that they have configured their server to accept ftp
control connections on port 864, but I don't see how they could do that
without Joris' knowledge and still end up using active ftp.  That is, if
Joris was accessing the ftp server by clicking on a link in a browser, he
might never know they had changed the control connection port.

ip_masq_ftp monitors all outgoing connections to port 21 and munges the
information about which ip address and port the server can use to make an
active data connection back to your box.  If you need to connect to ftp
servers on port 864, then in /etc/modules, change the following line

  ip_masq_ftp

to

  ip_masq_ftp ports=21,864

and if that fixes the problem then backup modules.lrp.

 (The only references to port 864 that I was able to track down are in RFC
 768, where 864-UDP is associated with a service called Discard, and with
 connection to ypserv, which also runs on 864-UDP. You may need to find out
 what the site expects to receive or send from or to that port.)
 
 So ... if someone else jumps in here with an easy answer, that's terrific.
 If no one does ... then you may be the first one to run into a new problem
 that we (and Linux-NAT users generally) need to work out a solution for. In
 that case, the more information you can provide, the better.

Yes indeed... in particular, a sample of the exact firewall error messages
involved (from /var/log/messages or /var/log/syslog) could be helpful.

 The other possibility is that this use of port 864 is some oddity specific
 to the particular ftp site. I've seen a few other cases recently where
 admins of ftp sites did something short-sighted that caused problems for
 connections from firewalled sites, and in such cases, there is really no
 sensible fix other than letting the admin know that it is his problem to
 fix, not yours.
 
 I'm sorry this reply isn't more helpful, and I do hope that someone else
 who recognizes the problem from your description will respond with more
 information.
 
 At 01:23 PM 9/21/02 +0200, Joris Kempen wrote:
 Hi people,
 
 I talked with the admin of the ftp site.
 
 and he told me that port 864 is needed for IP NAT.
 
 Can I just open port 864?
 
 I have DachStein  Echowall, how do I open this port 864.
 
 Any links maybe that tell me (in easy language:) what IP-NAT exactly is..
 
 Thanks..
 
 Kind regards,
 
 Joris Kempen
 St. Ursulahof 47
 5995 CB Kessel
 
 email: [EMAIL PROTECTED]
 tel. nr.:  06 1257 4228
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Joris Kempen
  Sent: Saturday, September 21, 2002 10:14 AM
  To: Leaf (E-mail)
  Subject: [leaf-user] FTP and IP-NAT
  
  
  HI people,
  
  I have a Dachstein router with EchoWall and SSH on it.
  
  I try connecting to a FTP server and get this message:
  
  error message: 501 you are on a LAN and the IP-NAT is not
  translating your
  IP address correctly
  
  I didn't have this problem before with this server, so i
  assume they changed
  something.
  
  What do I need to change in my router to prevent this problem?
 
 
 --
 ---Never tell me the odds!
 Ray Olszewski -- Han Solo
 Palo Alto, California, USA  [EMAIL PROTECTED]
 ---

 
 
 

Re: [leaf-user] FTP and IP-NAT

2002-09-22 Thread Matthew Schalit


First of all, can you login to the ftpd?
I figure you can.

But when you try to do a directory listing,
you get that error.

And the error you get from the ftpd server
is   error message: 501 you are on a LAN
and the IP-NAT is not translating your IP address
correctly


So let's refer to RFC 959, FTP:
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc0959.html
on or about page 37-40 we learn how to decode the three
decimal digits in the response code, which is formed like
xyz, where your response was a 501:


  5yz   Permanent Negative Completion reply

The command was not accepted and the requested action did
not take place.  The User-process is discouraged from
repeating the exact request (in the same sequence).  Even
some permanent error conditions can be corrected, so
the human user may want to direct his User-process to
reinitiate the command sequence by direct action at some
point in the future (e.g., after the spelling has been
changed, or the user has altered his directory status.)




  x0z   Syntax - These replies refer to syntax errors,
   syntactically correct commands that don't fit any
   functional category, unimplemented or superfluous
   commands.




  xy1   This is a finer grain subcategory of the xy value, so
a 1 in the last digit can mean many things.


In the case of 501, the usual meaning is:

   501: Syntax error in parameters or arguments.



So what the server is trying to tell you is that you
sent an invalid PORT command, which was invalid not
because of how it was formed but because of the values
of its arguments.  Something that would cause a PORT
command from a client to a server to be invalid would
be if the client sent an invalid address, that is, an
address from the private non-routable space like
192.168.1.1.

What is supposed to happen is that those invalid
addresses are supposed to be munged on the fly by
ip_masq_ftp.

Do you have ip_masq_ftp installed?

   # lsmod

should list the mods.

   As far as what your admin said, ignore it.  If one of
my sysops told me he was going to mess with port 864
and try to run a server on that port, I'd ask if he
was sure he didn't want to go into art.

   If you want to be responsible for your own end,
you might check your syslog and paste in any relevant
denied packets if any between you and the ftpd, also.

Best,
Matthew








Joris Kempen wrote:
 Hi people,
 
 I talked with the admin of the ftp site.
 
 and he told me that port 864 is needed for IP NAT.
 
 Can I just open port 864?
 
 I have DachStein  Echowall, how do I open this port 864.
 
 Any links maybe that tell me (in easy language:) what IP-NAT exactly is..
 
 Thanks..
 
 Kind regards,
 
 Joris Kempen
 St. Ursulahof 47
 5995 CB Kessel 
 
 email: [EMAIL PROTECTED]
 tel. nr.:  06 1257 4228 
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Joris Kempen
Sent: Saturday, September 21, 2002 10:14 AM
To: Leaf (E-mail)
Subject: [leaf-user] FTP and IP-NAT


HI people,

I have a Dachstein router with EchoWall and SSH on it.

I try connecting to a FTP server and get this message:

error message: 501 you are on a LAN and the IP-NAT is not 
translating your
IP address correctly

I didn't have this problem before with this server, so i 
assume they changed
something.

What do I need to change in my router to prevent this problem?

Thanks for any help.

Joris

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228
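
Added example, not part of the original thread and not the ip_masq_ftp source: a simplified Python model of the PORT rewriting and reply-code decoding discussed in the messages above, showing why a control connection to port 864 fails until 864 is in the helper's port list. The public address 203.0.113.10, the ports 1027 and 61005, all function names, and the server's policy of answering 501 to a private or mismatched PORT address are assumptions made for illustration.

```python
import ipaddress
import re

# Reply-code digit meanings, RFC 959 section 4.2 ("xyz").
FIRST_DIGIT = {"1": "Positive Preliminary", "2": "Positive Completion",
               "3": "Positive Intermediate",
               "4": "Transient Negative Completion",
               "5": "Permanent Negative Completion"}
SECOND_DIGIT = {"0": "Syntax", "1": "Information", "2": "Connections",
                "3": "Authentication and accounting",
                "4": "Unspecified as yet", "5": "File system"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"PORT (\d{1,3}(?:,\d{1,3}){5})")

LAN_IP = ipaddress.IPv4Address("192.168.1.1")      # private example from the thread
PUBLIC_IP = ipaddress.IPv4Address("203.0.113.10")  # constructed (documentation range)


def decode_reply(code):
    """Split a reply code such as 501 into its first- and second-digit meaning."""
    digits = str(code)
    return FIRST_DIGIT[digits[0]], SECOND_DIGIT[digits[1]]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_port(line):
    """Return (address, tcp_port) carried by 'PORT h1,h2,h3,h4,p1,p2'."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(f) for f in m.group(1).split(",")]
    if max(fields) > 255:
        raise ValueError("PORT field out of range: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]


def format_port(ip, port):
    return "PORT %s,%d,%d" % (str(ip).replace(".", ","), port >> 8, port & 0xFF)


def masq_helper(line, control_port, helper_ports, public_ip, mapped_port):
    """Model of the helper: rewrite PORT only on control connections whose
    destination port is in helper_ports (the module's ports= list)."""
    if control_port not in helper_ports:
        return line                      # connection is not inspected at all
    try:
        parse_port(line)
    except ValueError:
        return line                      # other commands pass through unchanged
    return format_port(public_ip, mapped_port)


def server_reply(line, peer_ip):
    """Assumed server policy: 501 if the PORT address is private or is not
    the address the control connection came from, else 200."""
    ip, _port = parse_port(line)
    return 501 if is_rfc1918(ip) or ip != peer_ip else 200


def simulate(control_port, helper_ports):
    """Client on the LAN sends PORT through the masquerading router."""
    sent = format_port(LAN_IP, 1027)                       # constructed port
    on_wire = masq_helper(sent, control_port, helper_ports, PUBLIC_IP, 61005)
    return on_wire, server_reply(on_wire, PUBLIC_IP)


if __name__ == "__main__":
    print(decode_reply(501))
    print(simulate(864, {21}))        # helper ignores port 864 -> 501
    print(simulate(864, {21, 864}))   # ports=21,864 -> PORT rewritten -> 200
```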







RE: [leaf-user] FTP and IP-NAT

2002-09-21 Thread Joris Kempen

Hi people,

I talked with the admin of the ftp site.

and he told me that port 864 is needed for IP NAT.

Can I just open port 864?

I have DachStein  Echowall, how do I open this port 864.

Any links maybe that tell me (in easy language:) what IP-NAT exactly is..

Thanks..

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel 

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Joris Kempen
Sent: Saturday, September 21, 2002 10:14 AM
To: Leaf (E-mail)
Subject: [leaf-user] FTP and IP-NAT


HI people,

I have a Dachstein router with EchoWall and SSH on it.

I try connecting to a FTP server and get this message:

error message: 501 you are on a LAN and the IP-NAT is not 
translating your
IP address correctly

I didn't have this problem before with this server, so i 
assume they changed
something.

What do I need to change in my router to prevent this problem?

Thanks for any help.

Joris

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228






RE: [leaf-user] FTP and IP-NAT

2002-09-21 Thread Ray Olszewski

This is a new one to me. I hope someone else will turn out to be familiar 
with it and post a simple solution, but I wouldn't count on it. (I waited 
awhile before replying, in this hope.)

I am reasonably sure that IP-NAT is just a slightly more exact synonym for 
NAT. At least every reference I could find used it that way. I assume you 
know what the ordinary meaning of NAT is.

I can't find any reference to the use of port 864 in connection with NAT or 
IP-NAT (or ftp). Just opening it is unlikely to help you much; something 
on your router or LAN will need either to send from that port or listen on 
it -- or maybe accept input *from* it; the advice you report getting is so 
sketchy that it is hard to guess. The admin's advice doesn't include 
telling you what his site uses the port for, and I can't find any 
indication that the use is anything established by any standard ... or at 
least nothing connected to NAT or ftp.

(The only references to port 864 that I was able to track down are in RFC 
768, where 864-UDP is associated with a service called Discard, and with 
connection to ypserv, which also runs on 864-UDP. You may need to find out 
what the site expects to receive or send from or to that port.)

So ... if someone else jumps in here with an easy answer, that's terrific. 
If no one does ... then you may be the first one to run into a new problem 
that we (and Linux-NAT users generally) need to work out a solution for. In 
that case, the more information you can provide, the better.

The other possibility is that this use of port 864 is some oddity specific 
to the particular ftp site. I've seen a few other cases recently where 
admins of ftp sites did something short-sighted that caused problems for 
connections from firewalled sites, and in such cases, there is really no 
sensible fix other than letting the admin know that it is his problem to 
fix, not yours.

I'm sorry this reply isn't more helpful, and I do hope that someone else 
who recognizes the problem from your description will respond with more 
information.

At 01:23 PM 9/21/02 +0200, Joris Kempen wrote:
Hi people,

I talked with the admin of the ftp site.

and he told me that port 864 is needed for IP NAT.

Can I just open port 864?

I have DachStein  Echowall, how do I open this port 864.

Any links maybe that tell me (in easy language:) what IP-NAT exactly is..

Thanks..

Kind regards,

Joris Kempen
St. Ursulahof 47
5995 CB Kessel

email: [EMAIL PROTECTED]
tel. nr.:  06 1257 4228

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Joris Kempen
 Sent: Saturday, September 21, 2002 10:14 AM
 To: Leaf (E-mail)
 Subject: [leaf-user] FTP and IP-NAT
 
 
 HI people,
 
 I have a Dachstein router with EchoWall and SSH on it.
 
 I try connecting to a FTP server and get this message:
 
 error message: 501 you are on a LAN and the IP-NAT is not
 translating your
 IP address correctly
 
 I didn't have this problem before with this server, so i
 assume they changed
 something.
 
 What do I need to change in my router to prevent this problem?


--
---Never tell me the odds!
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]
---






Re: [leaf-user] FTP and IP-NAT

2002-09-21 Thread guitarlynn

On Saturday 21 September 2002 12:28, Ray Olszewski wrote:
 This is a new one to me. I hope someone else will turn out to be
 familiar with it and post a simple solution, but I wouldn't count on
 it. (I waited awhile before replying, in this hope.)

I'll have to agree with Ray on this one. There is generally a higher
port that ftp servers use for multiple traffic requests on the server
side of the net (i.e. port 1021 is common for Linux ftp server
traffic). However you should not need to open anything on your
firewall to RECEIVE a requested ftp file. In 2.2 LEAF boxes, udp
traffic is not blocked, only tcp which would normally be a request
instead of a response. The 2.4/iptables LEAF firewalls use
connection tracking, so if your client/firewall requested an ftp
file it will remember and accept it.

The only possible option I can think of for an ISP using a different
port would be some form of a proxy, which is not typical of any
decent ISP that I am aware of. I would have to think that something
very fishy is going on with your ISP. Is your ISP running NAT???
This could be the only reason for using a different port for NAT
traversal.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

