Re: ProFtp behind a Router/Firewall - ISSUE Solved!

From: Greg Broten <broteng_at_no.spam.please>
Date: Fri Feb 22 2008 - 21:09:28 CST

All:
 Of course after I've posted a message, I solved the problem.
When behind an external router proftp wants to know the
router's address, and uses the following command:

MasqueradeAddress a.b.c.d

With that configured, it works fine.

Greg Broten

On Fri, 2008-02-22 at 19:12 -0700, Greg Broten wrote:
> Help:
>
> I'm trying to run proftp from behind my firewall/router. If I DMZ the
> Linksys firewall and run a local linux firewall (shorewall in this
> case), it works fine.
> But..... what I really want to do is configure the router/firewall to
> pass the ftp traffic and not have to run a local linux firewall. So,
> I opened up port 21 on the firewall and forwarded it to my linux
> computer. I could login but not issue commands.
>
> At first I got the following error for ls:
>
> 500 Illegal PORT command
> ftp: bind: Address already in use
>
> Chatter on the internet indicated that this may be a port access error
> for ftp's passive mode (which makes sense), so I added the following
> line to proftpd.conf
>
> PassivePorts xxxx-yyyy
>
> And also configured the firewall to forward these ports.
>
> This obviously was a problem, but unfortunately not the only problem, as
> I then got this error:
>
> 425 Unable to build data connection: No route to host
>
> For this, the internet indicated that I needed to add the following directive
> to the proftpd.conf file:
>
> AllowForeignAddress on
>
> BUT ... once again this didn't solve the problem! I now get this error
> for an ls:
>
> 425 Unable to build data connection: No route to host
>
> Does anyone have a configuration like this working? I could easily
> go back to the DMZ/shorewall configuration, but I'm stubborn and would
> like to know why I can't get THIS configuration working!
>
> Greg Broten
>
> --
> I'm interested in upgrading my 28.8 kilobaud internet connection to a
> 1.5 megabit fiberoptic T1 line. Will you be able to provide an IP
> router that's compatible with my token ring ethernet LAN configuration?
Received on Fri Feb 22 21:09:35 2008
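
An added example, not part of the original posts: a Python check that parses the server's 227 passive-mode reply and reports when it advertises an RFC 1918 address (the situation MasqueradeAddress corrects) or a port outside the forwarded PassivePorts range. The addresses, port range and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a client on the internet cannot route to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((\d{1,3}(?:,\d{1,3}){5})\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]   # port = p1*256 + p2


def check_pasv(reply, public_ip, passive_ports):
    """List what is wrong with the data endpoint the server advertised."""
    host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append("private-address")      # MasqueradeAddress not in effect
    elif addr != ipaddress.ip_address(public_ip):
        problems.append("unexpected-address")
    low, high = passive_ports
    if not low <= port <= high:
        problems.append("port-not-forwarded")   # outside PassivePorts range
    return problems


if __name__ == "__main__":
    # Constructed values: router address 203.0.113.7, PassivePorts 50000-50100.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,195,80).",
        "227 Entering Passive Mode (203,0,113,7,195,90).",
        "227 Entering Passive Mode (203,0,113,7,4,1).",
    ]
    for line in samples:
        print(line, "->", check_pasv(line, "203.0.113.7", (50000, 50100)) or "ok")
```

The 227 line can be captured from outside the router with any FTP client that shows server replies in debug or verbose mode.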