[brlug-general] IIS 6.0 PASV ftp through NAT
James Kuhns
james at kuhns-la.com
Wed Jun 21 11:03:20 CDT 2006
Ok, I may be dreaming but this is what I'm wanting to do...
I have a problem here where I have an IIS 6.0 ftp server sitting in my local
network (192.168.xxx.xxx address). I have a firewall/router NATTing for
machines in the local network (Smoothwall Express 2.0, red/green). I have
the ftp command channel port and the PASV ports that MS will return
forwarded to the IIS box.
The problem is that MS' IIS 6.0 ftp server refuses to work in anything
except for PASV mode - not a bad thing by itself - but since PASV mode
returns the address of the interface it received the connection on, the
NATTing gets in the way, i.e., if an outside client connects to the external
address port zzz for ftp and issues a PASV command, the server responds with
'227 Entering Passive Mode (192, 168, xxx, xxx, yyy, yyy)'. Since
192.168.xxx.xxx is not accessible from outside, the connection fails.
What I'm considering doing is to use the Smoothwall box to rewrite the '227
Entering Passive Mode (192, 168, xxx, xxx, yyy, yyy)' reply to '227 Entering
Passive Mode (<external address here>, yyy, yyy)'. Since snort is already
on the Smoothwall box I can use a rule to detect the string but I'm not
sure how I would go about doing the rewrite as the only action I can find
that snort will take is to drop/send the packet and then log the fact that
it detected it. Does anyone know of any add-ons to snort that will do a
rewrite like this? Or did I miss something and snort can handle this
natively? I've found a few things that are external to snort that will do
this rewrite (tripp is one), but I can't find any way to make snort call
them via a rule.
Any other work-around suggestions would be greatly appreciated.
Thanks,
James
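The rewrite the post describes, as an added example that is not part of the original message and not Smoothwall, snort or IIS code: parse the `227` reply, check that the advertised address really is an RFC 1918 address that cannot be reached from outside, optionally check that the advertised port is one of the ports forwarded to the IIS box, and emit the same reply with the external address substituted. The addresses (192.168.1.10 for the IIS box, 203.0.113.5 for the external side), the port range and the sample control-channel lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 959 PASV reply shape: "227 <text> (h1,h2,h3,h4,p1,p2)".  IIS writes a
# space after each comma, so the pattern tolerates optional whitespace.
PASV_RE = re.compile(
    r"^227\b.*?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)"
)

# RFC 1918 ranges: only an address from these is "not accessible from outside"
# in the sense the post describes, so only these get rewritten.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None                      # malformed reply: treat as non-PASV
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_pasv(line, external_ip, forwarded_ports=None):
    """Rewrite the advertised address in a 227 reply to external_ip.

    Only RFC 1918 addresses are rewritten.  If forwarded_ports is given, a
    reply naming a port outside that set is passed through unchanged, so the
    client fails on the real (unforwarded) port rather than on a fake address.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return line                      # not a 227 reply: leave untouched
    host, port = parsed
    if not any(ip_address(host) in net for net in RFC1918):
        return line                      # already a routable address
    if forwarded_ports is not None and port not in forwarded_ports:
        return line
    ext = str(ip_address(external_ip)).replace(".", ",")
    return f"227 Entering Passive Mode ({ext},{port // 256},{port % 256})\r\n"


def rewrite_control_stream(lines, external_ip, forwarded_ports=None):
    """Apply rewrite_pasv to every server-to-client line of a control session."""
    return [rewrite_pasv(l, external_ip, forwarded_ports) for l in lines]


# Constructed sample session (not a real capture).  192.168.1.10 stands in
# for the IIS box, 203.0.113.5 for the Smoothwall's external address.
SAMPLE_REPLIES = [
    "230 User logged in.\r\n",
    "227 Entering Passive Mode (192, 168, 1, 10, 195, 80)\r\n",
    "150 Opening ASCII mode data connection.\r\n",
]

if __name__ == "__main__":
    for out in rewrite_control_stream(SAMPLE_REPLIES, "203.0.113.5",
                                      forwarded_ports=range(50000, 50100)):
        print(out, end="")
```

One caveat the rewrite exposes: when the external address has a different number of digits from the internal one, the TCP payload changes length, so anything doing this per packet also has to adjust the TCP sequence and acknowledgement numbers for the rest of the connection. That is why this job is normally done at the stream level, by a proxy or by the kernel's own FTP NAT helper (netfilter's ip_nat_ftp on the Linux 2.4 kernels Smoothwall Express 2.0 is built on), rather than by a signature engine that matches individual packets.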