On Fri, 11/01/2013 at 07:05 -0800, Tom Eastep wrote:
> On 01/11/2013 05:45 AM, Dario Lesca wrote:
> > Hi, I have a web/ftp server into DMZ via proxy arp behind a shorewall
> > 4.4.x firewall.
> > 
> > All work fine, also FTP in passive mode, but not in active mode.
> > 
> > I have an old hardware device which from time to time puts binary data files via ftp
> > on my server, and it does not support passive mode (like ftp.exe of
> > winxp also does not), and this is my problem.
> > 
> > On my network I have 3 Centos6.3 ftp server (2 for test only):
> > 1) on firewall (for test only)
> > 2) into LAN via nat (for test only)
> > 3) into DMZ via proxyarp (real server)
> > 
> > In shorewall I have these 3 rules:
> > 1) FTP(ACCEPT)  net     fw:1.1.1.1
> > 2) DNAT         net     loc:192.168.1.250 tcp ftp - 1.1.1.3
> > 3) FTP(ACCEPT)  net     dmz:1.1.1.2
> > 
> > Only server 2 works fine in active and passive mode; only on server 2
> > does my old external hardware work and load the data file via PUT and list
> > via DIR without timeout.
> > 
> > On server 1 (test server) and 3 (real destination server) the ftp
> > data transfer works only in passive mode (tested with ncftp.exe and
> > FileZilla on winXP and lftp on a Linux client); in active mode (ftp.exe
> > winxp) the connection to the server with the account works, but the subsequent
> > PUT and DIR commands go to timeout.
> > 
> > Does someone have a suggestion?
> 
> What do you see in the system log when transfer fails? Have you looked
> at http://www.shorewall.net/FTP.html?
Yes, I have read this howto... but it did not help me.

Note that the active connection works only to the NAT server, and does NOT work
with the servers without NAT (local fw and proxyarp dmz).

In the firewall system log I see nothing.
This is the tcpdump of my transaction test script against my server in the DMZ
via proxyarp:

Script ftp (ftp.exe winxp)
> open my.host
> user
> pass
> dir
> quit

tcpdump output:
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 
> 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
> 16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 
> 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], 
> length 0
> 16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, 
> win 64240, length 0
> 16:43:22.454465 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
> 1:321, ack 1, win 14600, length 320
> 16:43:22.492989 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
> 1:18, ack 321, win 63920, length 17
> 16:43:22.493290 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 
> 18, win 14600, length 0
> 16:43:22.493491 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
> 321:364, ack 18, win 14600, length 43
> 16:43:22.524427 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
> 18:33, ack 364, win 63877, length 15
> 16:43:22.536785 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
> 364:407, ack 33, win 14600, length 43
> 16:43:22.572189 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
> 33:57, ack 407, win 63834, length 24
> 16:43:22.572674 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
> 407:436, ack 57, win 14600, length 29
> 16:43:22.603948 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
> 57:63, ack 436, win 63805, length 6
> 16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 
> 0,nop,wscale 7], length 0
> 16:43:22.644203 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 
> 63, win 14600, length 0
> 16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 
> 0,nop,wscale 7], length 0
> 16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 
> 0,nop,wscale 7], length 0
> 16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 
> 0,nop,wscale 7], length 0
> 16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 
> 0,nop,wscale 7], length 0
> 16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 
> 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 
> 0,nop,wscale 7], length 0
> 16:44:25.605097 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
> 436:507, ack 63, win 14600, length 71
> 16:44:25.780286 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 
> 507, win 63734, length 0
> 16:44:29.731707 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [P.], seq 
> 63:69, ack 507, win 63734, length 6
> 16:44:29.732083 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 
> 69, win 14600, length 0
> 16:44:29.732463 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [P.], seq 
> 507:574, ack 69, win 14600, length 67
> 16:44:29.734085 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [F.], seq 
> 574, ack 69, win 14600, length 0
> 16:44:29.767304 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [F.], seq 
> 69, ack 574, win 63667, length 0
> 16:44:29.767573 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [.], ack 
> 70, win 14600, length 0
> 16:44:29.767830 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 
> 575, win 63667, length 0

In the system log of FTP server 3 I see a correct connection with user
and password, and then nothing.

On the client (ftp.exe for test) I see this:
> ftp> dir
> 200 PORT command successful
> 425 Could not open data connection to port 1353: Connection timed out
> ftp>
NOTE: The port is always different.

Thanks for helping me.

-- 
Dario Lesca - sip:[email protected]
(Sent from my Linux Fedora 17 Gnome3)
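The capture above already contains the answer to "what fails": the control session on port 21 completes its handshake, but once the client sends PORT the server tries to open the data connection itself, from port 20 to the client's announced port (1363), and its SYN is retransmitted six times with no SYN-ACK, which is exactly the "425 Could not open data connection ... Connection timed out" the client reports. The following script is an added example, not code from the post or from Shorewall; it parses tcpdump lines of this form and reports any TCP flow whose SYNs were never answered, classifying server-initiated connections from port 20 as active-mode FTP data connections. The sample lines are a constructed subset of the capture from the post, unwrapped onto one line each, with the anonymised hostnames kept as they appear there. It also reports when the data SYNs leave from a different address than the one that served the control connection (the capture shows my.host.42.242 versus my.host.42.251), which is a fact worth checking against the firewall's NAT and proxy ARP configuration without assuming the cause.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump output quoted in the post, with
# the mail client's line wrapping removed so each packet is one line.
SAMPLE = """\
16:43:22.419128 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [S], seq 987061752, win 64240, options [mss 1460,nop,nop,sackOK], length 0
16:43:22.419519 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [S.], seq 2138978079, ack 987061753, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:43:22.451208 IP rem.host.61.90.1362 > my.host.42.251.21: Flags [.], ack 1, win 64240, length 0
16:43:22.604273 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153549838 ecr 0,nop,wscale 7], length 0
16:43:23.604254 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153550838 ecr 0,nop,wscale 7], length 0
16:43:25.604288 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153552838 ecr 0,nop,wscale 7], length 0
16:43:29.604286 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153556838 ecr 0,nop,wscale 7], length 0
16:43:37.604409 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153564838 ecr 0,nop,wscale 7], length 0
16:43:53.604521 IP my.host.42.242.20 > rem.host.61.90.1363: Flags [S], seq 4047120893, win 14600, options [mss 1460,sackOK,TS val 153580838 ecr 0,nop,wscale 7], length 0
16:44:29.734085 IP my.host.42.251.21 > rem.host.61.90.1362: Flags [F.], seq 574, ack 69, win 14600, length 0
"""

# One tcpdump TCP line: timestamp, "IP", src.port > dst.port: Flags [..], ...
# Hosts may contain dots, so the port is the last dotted component.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > '
    r'(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)


def parse(text):
    """Return a list of dicts (ts, src, sport, dst, dport, flags) for TCP lines."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p['sport'] = int(p['sport'])
            p['dport'] = int(p['dport'])
            pkts.append(p)
    return pkts


def find_unanswered_syns(pkts):
    """Map (src, sport, dst, dport) -> number of SYNs that never got a SYN-ACK."""
    syns = defaultdict(int)
    answered = set()
    for p in pkts:
        flow = (p['src'], p['sport'], p['dst'], p['dport'])
        if p['flags'] == 'S':
            syns[flow] += 1            # initial SYN or a retransmission
        elif p['flags'] == 'S.':
            # A SYN-ACK answers the flow in the opposite direction.
            answered.add((p['dst'], p['dport'], p['src'], p['sport']))
    return {f: n for f, n in syns.items() if f not in answered}


def classify(flow):
    """Label a flow by its FTP role based on the well-known ports."""
    src, sport, dst, dport = flow
    if dport == 21:
        return 'ftp-control'
    if sport == 20:
        return 'ftp-active-data'       # server connects back to the client's PORT
    return 'other'


def control_server_address(pkts):
    """Address that sent the SYN-ACK for the control connection (port 21)."""
    for p in pkts:
        if p['flags'] == 'S.' and p['sport'] == 21:
            return p['src']
    return None


def diagnose(text):
    """Return (kind, flow, syn_count, note) for every flow with unanswered SYNs."""
    pkts = parse(text)
    ctl = control_server_address(pkts)
    findings = []
    for flow, n in find_unanswered_syns(pkts).items():
        kind = classify(flow)
        note = ''
        if kind == 'ftp-active-data' and ctl and flow[0] != ctl:
            note = 'data SYN source %s differs from control address %s' % (flow[0], ctl)
        findings.append((kind, flow, n, note))
    return findings


if __name__ == '__main__':
    for kind, (src, sport, dst, dport), n, note in diagnose(SAMPLE):
        print('%s %s:%d -> %s:%d  %d unanswered SYN(s)  %s'
              % (kind, src, sport, dst, dport, n, note))
```

Run against a full capture (`tcpdump -n -i eth1 port 20 or port 21` piped into a file) the same logic shows whether the firewall or the client side drops the server's outbound data SYNs; for a server behind proxy ARP one would expect the data connection to leave from the same address that served the control session.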


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
