8. Network problems

8.1 General

If you are running frox on a machine on your default route, and with little or no firewalling between it and either the outside world or your internal network you should not have network problems. Because of the nature of the ftp protocol though, if your setup is more complicated than this then you may run into difficulties.

The easiest way of checking that your network setup isn't what is causing the problems is to (temporarily if you wish) run an ftp server on the machine which runs frox. If you can't ftp from your clients to this server and retrieve files O.K. then your clients won't be able to ftp to frox either. Also try running an ftp client on the frox machine and connecting to a server in the outside world. If this doesn't work then frox obviously won't be able to do this either.

8.2 Control connection problems

With a control connection problem your clients will not be able to connect to ftp servers through frox at all. If transparently proxying then check that outgoing tcp traffic is being redirected to frox without changing the destination address (ie. you must route it there, not use DNAT), and that the machine running frox can make a tcp connection to the outside world successfully

8.3 Data connection problems

If the problem is with the data connection then your clients will be able to connect to the ftp server, login, and do things like print the current working directory. File retrievals and directory listings will fail, though you may find that passive mode ftp works and active doesn't, or visa versa.

If you are having these problems I strongly reccomend that you set TransparentData to no, and ApConv to yes in the config file. The frox machine must be able to make tcp connections on any port to the outside world. It should also be possible to establish tcp connections in either direction between the frox machine and the client machines, and with no NAT being performed on these connections. With this setup you shouldn't have any problems.

The above suggestions aren't strictly necessary, but things get more complicated without them.

• ApConv = no: Either incoming tcp connections must be allowed from the outside world to the machine running frox, or they must be prevented only by a NATed (IP masquerading) firewall which is configured to allow ftp connections (eg. linux + ipt_nat_ftp.o module)
• If frox cannot make tcp connections to the client then clients are limited to passive mode ftp.
• If clients cannot make arbitrary tcp connections to frox then they are limited to active mode ftp.
• NAT between client and frox: If DNAT occurs when the client connects to frox (ie. the client makes the connection to a different IP to that which the packets frox eventually receives are addressed to then you should set PASVAddress to the IP which the clients should use. NB. This option doesn't actually exist yet, but let me know if you need it and I'll consider adding it.
• TransparentData = yes: This can make things really unpleasant. Are you sure you need it? These are the problems which spring to mind...
  • Frox should be in your default route for outgoing tcp traffic. If you are using policy based routing to route only port 21 tcp traffic to frox then TransparentData will not work.
  • Beware that frox will make connections to your clients that purport to be from arbitrary hosts outside your network. If there is a firewall/router between your frox and your clients with IP spoofing protection it must let these packets through.
  • Have another read of SECURITY to remind yourself of the extra risks you are taking.