[brlug-general] IIS 6.0 PASV ftp through NAT

Shannon Roddy sroddy at gmail.com
Wed Jun 21 11:22:09 CDT 2006


/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

Not sure how to do it specifically on smoothwall, but here is a thread that
seemed to mention it:
http://community.smoothwall.org/forum/viewtopic.php?t=11031&view=next

Should work like a charm.

On 6/21/06, James Kuhns <james at kuhns-la.com> wrote:
>
> Ok, I may be dreaming but this is what I'm wanting to do...
>
> I have a problem here where I have an IIS 6.0 ftp server sitting in my
> local network (192.168.xxx.xxx address).  I have a firewall/router NATTing
> for machines in the local network (Smoothwall Express 2.0, red/green).  I
> have the ftp command channel port and the PASV ports that MS will return
> forwarded to the IIS box.
>
> The problem is that MS' IIS 6.0 ftp server refuses to work in anything
> except for PASV mode - not a bad thing by itself - but since PASV mode
> returns the address of the interface it received the connection on, the
> NATTing gets in the way. i.e. if an outside client connects to the
> external address port zzz for ftp and issues a PASV command the server
> responds with '227 Entering Passive Mode (192, 168, xxx, xxx, yyy, yyy)',
> since 192.168.xxx.xxx is not accessible from outside the connection fails.
>
> What I'm considering doing is to use the Smoothwall box to rewrite the
> '227 Entering Passive Mode (192, 168, xxx, xxx, yyy, yyy)' reply to '227
> Entering Passive Mode (<external address here>, yyy, yyy)'.  Since snort is
> already on the Smoothwall box I can use a rule to detect the string but I'm
> not sure how I would go about doing the rewrite as the only action I can
> find that snort will take is to drop/send the packet and then log the fact
> that it detected it.  Does anyone know of any add-ons to snort that will do
> a rewrite like this? Or did I miss something and snort can handle this
> natively?  I've found a few things that are external to snort that will do
> this rewrite (tripp is one), but I can't find any way to make snort call
> them via a rule.
>
> Any other work-around suggestions would be greatly appreciated.
>
> Thanks,
>
> James
>
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://brlug.net/mailman/listinfo/general_brlug.net
>
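To show concretely what the ip_nat_ftp helper does to the 227 reply James quotes, here is an added Python example (not from the thread, and not Smoothwall or netfilter code) that parses a PASV reply and rewrites the advertised address; the internal/external addresses and the forwarded port range are constructed placeholders.

```python
import ipaddress
import re

# RFC 959 PASV reply, e.g. "227 Entering Passive Mode (192,168,1,10,19,136)".
# IIS pads the list with spaces ("(192, 168, ...)"), so whitespace is tolerated.
PASV_RE = re.compile(
    r"^(227 [^(]*\()"                                                  # status text up to "("
    r"\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"  # h1..h4
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"                                # p1, p2
    r"\s*(\).*)$",                                                     # ")" plus trailing CRLF
    re.DOTALL,
)


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None for any other line."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    ip = ".".join(m.group(2, 3, 4, 5))
    port = int(m.group(6)) * 256 + int(m.group(7))  # p1*256 + p2 per RFC 959
    return ip, port


def rewrite_pasv(reply, internal_ip, external_ip, forwarded_ports=None):
    """Rewrite a 227 reply that advertises internal_ip so it advertises external_ip.

    The data port is kept, so it must already be forwarded to the server; when
    forwarded_ports is given, a port outside it raises ValueError so a server /
    firewall mismatch is caught instead of silently producing a dead reply.
    Non-227 lines and replies naming another host are returned untouched."""
    m = PASV_RE.match(reply)
    if not m:
        return reply
    ip, port = parse_pasv(reply)
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(internal_ip):
        return reply
    if forwarded_ports is not None and port not in forwarded_ports:
        raise ValueError("PASV port %d is outside the forwarded range" % port)
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")
    args = ",".join(octets + [str(port // 256), str(port % 256)])
    # The rewritten line may differ in length from the original; an in-path
    # rewriter (as ip_nat_ftp does) must also adjust TCP sequence numbers.
    return m.group(1) + args + m.group(8)


if __name__ == "__main__":
    # Constructed sample: IIS at 192.168.1.10 behind NAT, external address from
    # the 203.0.113.0/24 documentation range, PASV ports 5000-5010 assumed forwarded.
    reply = "227 Entering Passive Mode (192, 168, 1, 10, 19, 136)\r\n"
    print(parse_pasv(reply))
    print(rewrite_pasv(reply, "192.168.1.10", "203.0.113.5", range(5000, 5011)))
```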