
FTP acceleration filter exception?


cba...@mctaiken.com

Feb 7, 2006, 11:59:09 AM
Hello,

I am trying to get a filter exception(s) that will allow for my FTP
acceleration to work. It works fine with the filters unloaded but fails
when they are active.

I have read 20+ threads on this and keep reading get it to work without
filters then create an exception. However, I cannot find any that show
what the exception should look like.

I have tried the ftp-pasv-st with all to public and host / source set to
any/any and this does not work. I have also tried creating filters for
port 20 and 21 as described in TID 29311861 also without success. Does
anyone have something else to try?

Thanks a lot.

Caterina Luppi

Feb 7, 2006, 12:40:18 PM
Hi,

you'll have to open all the upper ports (1024-65535) for incoming
packets, and then port 21.

packet type: TCP source port 1024-65535 dest port 1024-65535 Stateful
source IP: any
dest IP: your reverse proxy IP
source interface: public
Dest interface: public (or any)

packet type: TCP source port 1024-65535 dest port 21 Stateful
source IP: any
dest IP: your reverse proxy IP
source interface: public
Dest interface: public (or any)

you can also try the FTP-PORT_PASV_ST exception, because it should work.
--
Cat
NSC Volunteer Sysop

cba...@mctaiken.com

Feb 7, 2006, 1:23:29 PM
I tried the FTP-PORT_PASV_ST exception, because it should work. But it
does not work, I tried it with any/any on interfaces and source/dest.

On the first exception you listed below the source and dest ports are
high...was this intended? If so I will try anything at this point. I have
never had this much trouble getting a filter exception to work!

I have opened request and response ports 20 and 21 per TID 2931861 which as
far as I can tell should do the trick as well, right? But it did not.

Caterina Luppi

Feb 7, 2006, 1:49:49 PM
hi,

> I tried the FTP-PORT_PASV_ST exception, because it should work. But it
> does not work, I tried it with any/any on interfaces and source/dest.

ok.

> On the first exception you listed below the source and dest ports are
> high...was this intended?

yes.

> If so I will try anything at this point. I have
> never had this much trouble getting a filter exception to work!

try the two exceptions I gave you. They should do it.

> I have opened request and response ports 20 and 21 per TID 2931861 which as
> far as I can tell should do the trick as well, right? But it did not.

no. These exceptions only work for a specific type of FTP and not
through the reverse proxy. As far as I know, most FTP servers
nowadays use a port different from 20 to transfer the data.

cba...@mctaiken.com

Feb 8, 2006, 10:29:36 AM
Thank you Cat! It's alive...ITS ALIVE! I would have never guessed to write
a filter with both ports source/dest at high ports only. I have never seen
that one before.

Thanks again,

CB

Caterina Luppi

Feb 8, 2006, 10:34:47 AM
cba...@mctaiken.com wrote:
> Thank you Cat! It's alive...ITS ALIVE!
let's just hope it doesn't hurt you :-)
Glad it worked!

mcu

Sep 24, 2009, 12:34:25 AM

I also had trouble with setting up FTP proxy accelerator, but got the
FTP-PORT_PASV_ST exception with source interface = any and destination
interface = public. Why? I don't follow this, but it doesn't matter. I
didn't see this easy instruction anywhere. Put it here to help others.
Your exceptions were the clue that got me going, where they have no
reference to the private interface. (BM 3.9)

Craig Johnson

Sep 25, 2009, 3:50:01 PM
In article <lFCum.12650$7G7....@kovat.provo.novell.com>, Mcu wrote:
> I also had trouble with setting up FTP proxy accelerator, but got the
> FTP-PORT_PASV_ST exception with source interface = any and destination
> interface = public. Why? I don't follow this, but it doesn't matter. I
> didn't see this easy instruction anywhere. Put it here to help others.
> Your exceptions were the clue that got me going, where they have no
> reference to the private interface. (BM 3.9)
>
Filter exceptions from private to public allow outbound traffic through
NAT that originates from hosts inside the firewall. However, traffic from
the proxy originates on the server itself, and in this case would be to
and from public. Therefore filter exceptions for proxy services should
be Source: PUBLIC and Dest: Public, and not public/private or
private/public.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
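
Added example, not part of the thread or any poster's code: a simplified Python model of the exceptions discussed above, showing which connection-opening packets each rule set admits. The proxy IP, rule names, sample flows and the shape of the port 20/21 rule are assumptions made for illustration; it does not reproduce BorderManager's actual filter engine.

```python
from dataclasses import dataclass

HIGH = range(1024, 65536)   # the "upper ports" from the thread
PROXY_IP = "203.0.113.10"   # constructed placeholder for the reverse proxy's public IP

@dataclass(frozen=True)
class Rule:
    name: str
    src_ports: range
    dst_ports: range
    dst_ip: str = PROXY_IP
    src_if: str = "public"
    dst_if: str = "public"

@dataclass(frozen=True)
class Packet:  # first packet of a connection; stateful rules admit the replies
    src_port: int
    dst_port: int
    dst_ip: str = PROXY_IP
    src_if: str = "public"
    dst_if: str = "public"

def allowed_by(rules, pkt):
    """Name of the first exception matching pkt, or None (default deny)."""
    for r in rules:
        if (pkt.src_port in r.src_ports and pkt.dst_port in r.dst_ports
                and pkt.dst_ip == r.dst_ip
                and pkt.src_if == r.src_if and pkt.dst_if == r.dst_if):
            return r.name
    return None

# The two exceptions given in the thread (hypothetical rule names).
THREAD_RULES = [Rule("ftp-control", HIGH, range(21, 22)),
                Rule("ftp-data-high", HIGH, HIGH)]
# Assumed shape of the port 20/21 attempt: inbound to ports 20 and 21 only.
PORT_20_21_RULES = [Rule("ftp-20-21", HIGH, range(20, 22))]

# Constructed sample flows.
FLOWS = {
    "control": Packet(51000, 21),
    "passive data": Packet(51001, 49152),          # server-chosen high data port
    "other high-port service": Packet(51002, 8080),
    "tagged private->public": Packet(51003, 21, src_if="private"),
}

def evaluate(rules):
    return {name: allowed_by(rules, p) for name, p in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("thread", THREAD_RULES), ("20/21", PORT_20_21_RULES)):
        print(label, evaluate(rules))
```

With the thread's two exceptions the control and passive data flows pass, and so does the unrelated connection to port 8080 on the proxy IP, since the high-port rule matches any listener in 1024-65535 there.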

