|
If something stops working after you dropped in the firewall, it might be the firewall causing it. How to debug:
service | port | protocol | description |
---|---|---|---|
FTP | 21 | TCP in/out | used by FTP protocol |
SSH | 22 | TCP in/out | secure telnet |
SMTP | 25 | TCP out | email (outbound) |
WHOIS | 43 | TCP out | WHOIS |
DNS | 53 | TCP/UDP out | domainname resolution |
HTTP | 80 | TCP/UDP out | web |
POP | 110 | TCP out | email (inbound) |
IDENT | 113 | ? | sometimes used during POP3 and FTP sessions |
NNTP | 119 | ? | network news (UseNet) |
NTP | 123 | UDP out | time synchronisation |
SSL | 443 | TCP in/out | used by secure websites (including Hotmail and e-banking sites) |
RTSP | 554 | ? | RealPlayer (the Real Time Streaming Protocol) |
H323 | 1720 | ? | Instant Messenger (audio) |
MSN IM | 1863 | ? | Instant Messenger |
MySQL | 3306 | ? | MySQL |
VNC | 5000 | ? | VNC |
Yahoo IM | 5050 | TCP in/out | Instant Messenger |
Some routers permit external traffic on port x to be mapped to port y on an internal machine (eg. a different port number); other routers will forward traffic only to the matching port number on the internal machine (eg. same port number).
Routers apparently translate the IP addresses in inbound FTP packets to match the remote system's external IP address (the internal address appears to be sent by the client). To identify FTP packets, routers may inspect the packet contents (application-level) or by port.
If the router in front of your FTP server does not support application-level address translation, then it probably only supports address translation on port 21 (unless other ports can be defined in the control panel).
Modern FTP clients seem to work with routers doing port translation on ports other than 21, however older FTP clients (such as WS_FTP) seem to have issues. The client typically can login, but gets a timeout on a directory listing. The FTP server log will show PORT 192,168,1,100,8,244 (note the internal IP address). The FTP server presumably tries to send the data to that address which of course fails.
The solution is either to
http://www.dslreports.com/forum/remark%2C965514;root=equip%2C16;mode=flat
http://support.jgaa.com/?cmd=ShowReport&ID=00775