Hello,

For users on the internal network, the Zope 2.6 FTP server works fine. However, we wish to expand the application to distributed clients over the internet. The hardware used is a Cisco PIX 501 firewall. The current settings are as follows:

access-list outside-in permit tcp any host <WAN IP ADDRESS> eq 8021
static (inside,outside) <WAN IP ADDRESS> xxx.xxx.x.xxx netmask 255.255.255.255 0 0

The problem is, I suspect, as per the FTP protocol, the client decides the local socket of the data channel (not very good for firewall support). However, I have been successful with other standard FTP servers using similar treatment. Is there a resolution to this issue?

Thank you,
Robert
Add my 2c, it may not mean anything but what the heck... The PIX 501 has session/connection problems with (at least) Win9x and Mac clients and servers. I had problems with HTTP, FTP and SMB. The problems were experienced with inside clients connecting to outside (internet) resources, and it seems like your problem is the other way around, but I thought I'd mention it. Maybe a Google on 501 problems may help you. I had mine switched out for a 506 for this reason. (Longshot, but what the heck.) Good luck.

bobb

----- Original Message -----
From: "Robert Jean" <robertjean2@yahoo.com>
To: <zope@zope.org>
Sent: Sunday, February 22, 2004 1:05 PM
Subject: [Zope] FTP and firewall
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev)
On Sun, Feb 22, 2004 at 10:05:22AM -0800, Robert Jean wrote:
> The problem is, I suspect, as per the FTP protocol, the client decides the local socket of the data channel (not very good for firewall support). However, I have been successful with other standard FTP servers using similar treatment. Is there a resolution to this issue?
You may have to tell the firewall that port 8021 (or whatever you've configured as the Zope FTP port) carries FTP traffic, so that it can do the necessary magic to track FTP connections and dynamically allow data connections established from an FTP control connection. For iptables on Linux this can be done like this (on the FTP server):

    modprobe ip_conntrack_ftp ports=21,8021

That tells the FTP connection tracking module to watch both port 21 (the default) and 8021 (the Zope FTP port). The Cisco router/firewall may have a corresponding incantation.

-- 
Fred Yankowski   fred@ontosys.com       tel: +1.630.879.1312
OntoSys, Inc     PGP keyID: 7B449345    fax: +1.630.879.1370
www.ontosys.com  38W242 Deerpath Rd, Batavia, IL 60510-9461, USA
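To make concrete what the connection-tracking helper in Fred's reply actually has to do, here is an added example written for this page (it is not code from Zope, iptables or Cisco): a small Python model of an FTP application-layer gateway that reads the control channel on the Zope port and works out which data-channel socket the firewall must open. Robert's ACL only permits TCP/8021, so the port the Zope server hands out in a 227 (PASV) reply, or the one the client announces with PORT, is reachable only if something derives it from the control conversation and opens it on the fly. The IP addresses, the session transcript and the strict "announced address must be the control peer" check (modelled on the helper's non-loose behaviour) are constructed for this example.

```python
"""Toy FTP application-layer gateway: watch the control channel and derive
the data-channel pinholes a stateful firewall must open.

Constructed example for this thread; not code from Zope, iptables
(ip_conntrack_ftp) or the Cisco PIX. Addresses and transcript are made up.
"""
import re

# Client -> server "PORT h1,h2,h3,h4,p1,p2" (active mode: server dials client)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# Client -> server "EPRT |1|host|port|" (RFC 2428 active mode, IPv4 only here)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([0-9.]+)\|(\d{1,5})\|\s*$", re.IGNORECASE)
# Server -> client "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}(?:,\d{1,3}){5})\)")
# Server -> client "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d{1,5})\|\)")


def _decode_hostport(six_numbers):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    parts = [int(p) for p in six_numbers.split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range in %r" % six_numbers)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def parse_data_endpoint(line, server_ip):
    """Return ('active'|'passive', host, port) for a control-channel line
    that announces a data channel, or None for every other line."""
    m = PORT_RE.match(line)
    if m:
        return ("active",) + _decode_hostport(m.group(1))
    m = EPRT_RE.match(line)
    if m:
        return ("active", m.group(1), int(m.group(2)))
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + _decode_hostport(m.group(1))
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries no address: the data socket is on the control peer.
        return ("passive", server_ip, int(m.group(1)))
    return None


def track_control_channel(transcript, client_ip, server_ip, loose=False):
    """transcript: list of (direction, line), direction 'C' (client->server)
    or 'S' (server->client). Returns the pinholes the firewall must open,
    each as {'mode', 'src', 'dst', 'dport'}.

    With loose=False the announced address must be the control-channel peer,
    so a PASV/PORT line cannot steer the data connection to a third host;
    loose=True accepts any address (what a helper allows for multi-homed
    servers, at the cost of that guard).
    """
    pinholes = []
    for direction, line in transcript:
        ep = parse_data_endpoint(line, server_ip)
        if ep is None:
            continue
        mode, host, port = ep
        # PORT/EPRT are only valid from the client, 227/229 only from the server.
        if (mode == "active") != (direction == "C"):
            raise ValueError("%s announcement from wrong side: %r" % (mode, line))
        if not 1024 <= port <= 65535:
            raise ValueError("refusing data port %d (privileged or invalid)" % port)
        expected = client_ip if mode == "active" else server_ip
        if not loose and host != expected:
            raise ValueError("%s address %s is not the control peer %s" % (mode, host, expected))
        if mode == "active":
            # Server opens the data connection back to the client.
            pinholes.append({"mode": "active", "src": server_ip, "dst": host, "dport": port})
        else:
            # Client opens the data connection to the port the server chose.
            pinholes.append({"mode": "passive", "src": client_ip, "dst": host, "dport": port})
    return pinholes


# Constructed session: an internet client talking to a Zope FTP server on
# 8021 behind the static NAT, first passive (PASV) then active (PORT).
CLIENT_IP = "198.51.100.7"   # made-up internet client
SERVER_IP = "192.0.2.10"     # made-up WAN address of the Zope host
SAMPLE_TRANSCRIPT = [
    ("S", "220 FTP server ready."),
    ("C", "USER robert"),
    ("S", "331 Password required for robert."),
    ("C", "PASS secret"),
    ("S", "230 User robert logged in."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,156,62)."),   # 156*256+62 = 39998
    ("C", "LIST"),
    ("S", "150 Opening data connection."),
    ("S", "226 Transfer complete."),
    ("C", "PORT 198,51,100,7,4,1"),                           # 4*256+1 = 1025
    ("S", "200 PORT command successful."),
    ("C", "RETR index.html"),
    ("S", "226 Transfer complete."),
]

if __name__ == "__main__":
    for hole in track_control_channel(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        print("permit tcp %s -> %s port %d (%s)"
              % (hole["src"], hole["dst"], hole["dport"], hole["mode"]))
```

Run against the sample session the tracker reports two pinholes, client to server port 39998 for the passive transfer and server to client port 1025 for the active one; neither is covered by an ACL that only permits port 8021, which is exactly the gap the helper closes. The PIX counterpart is its FTP inspection (`fixup protocol ftp 8021` on PIX 6.x), which has to be told about the non-standard port for the same reason `ip_conntrack_ftp` has to be given `ports=21,8021`.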
Robert Jean wrote at 2004-2-22 10:05 -0800:
> ... The problem is, I suspect, as per the FTP protocol, the client decides the local socket of the data channel (not very good for firewall support). However, I have been successful with other standard FTP servers using similar treatment. Is there a resolution to this issue?
There are several threads in the mailing list archive about firewall configuration for FTP. I got the impression that the problem is solvable. But (as I never had the problem myself) I do not remember the details.

-- 
Dieter
participants (4)
- Bobb
- Dieter Maurer
- Fred Yankowski
- Robert Jean