Answers in this category:
Are entries in my commit.conf file protected during an upgrade?
Why am I having a problem when FTPing through my NetMAX FireWall?
When I try to setup multiple web sites, get "The IP for this host name is already used in an IP based Virtual Host".
How do I setup multiple web sites on my NetMAX WebServer Product?
Does NetMAX support hardware level RAID?
Why do my Windows users get "invalid password" errors when attempting to fileshare?
I have more than one NIC in my NetMAX machine, how do I enable routing between them?
Troubleshooting VPN client connections
When I connect via HTTPS with MSIE, I get various I/O errors. What is the reason?
How do I upgrade 3.x versions of discontinued products, to version 4.0x?

Applies to NetMAX FreeBSD Bld475
           NetMAX Linux   2.0.37

Active FTP

A normal (active) FTP session typically starts with an FTP client initiating the control connection from a high numbered port to TCP port 21 of the FTP server.

All commands and replies are sent over this control connection.

When a file is requested, the FTP server initiates a data connection from the adjacent port (its default data port, TCP port 20) to the FTP client on the data port.

By default, the data port of the FTP client is the same high numbered port that the control connection originated from.

This data connection is used for transfering files, which includes the ascii sending of directory listings.

So, before sending a request for a file transfer, the FTP client starts listening on this port for the data conenction.

                ------------                -------------
                |          |  FTP Commands  |           |
                |   FTP    | -------------> |    FTP    |
                |  CLIENT  |   FTP Replies  |  SERVER   |
                |          |                |           |
                |          |      Data      |           |
                |          | <------------- |           |
                |          |   Connection   |           |
                ------------                -------------

Upon file transfer completion the data connectin closes and a new one is created for every additional file transfer.

The FTP client can specify for the FTP server to connect to a data port other than the default port by issuing a PORT command. A lot of FTP clients now a days automatically issue a PORT command because they want to specify which port the data connection should go to.

Passive FTP

In passive mode FTP, the FTP client sends the PASV command, which tells the FTP server to listen for a data connection instead of initiating one. However, the PASV command also results in a request for the FTP server to specify a different default data port.

So if the PASV commands is used, it's possible for the data connection to be initiated from a different high numbered port on the ftp client to a different high numbered port on the FTP server.

                ------------                -------------
                |          |  FTP Commands  |           |
                |   FTP    | -------------> |    FTP    |
                |  CLIENT  |   FTP Replies  |  SERVER   |
                |          |                |           |
                |          |      Data      |           |
                |          | -------------> |           |
                |          |   Connection   |           |
                ------------                -------------

FTP Clients behind the firewall.

So, when using a packet filtering firewall (such as NetMAX FireWall), the following rules must be added to allow FTP clients behind the firewall to access FTP servers on the external network (Internet):

Action	Type	From Address	Mask	Port	To Address	Mask	Port	Direction	SYN	Notes
accept	tcp	Network IP		1025-65535	any		21	output		Allow control traffic/connection out
accept	tcp	Network IP		1025-65535	any		20	output		Allow data traffic out
deny	tcp	any		21	Network IP		1025-65535	input	Y	Block incoming connections with control source port
accept	tcp	any		21	Network IP		1025-65535	input		Allow control traffic in
deny	tcp	any			Network IP		6000-6009	input		Protect Xwindows ports
accept	tcp	any		20	Network IP		1025-65535	input		Allow data traffic in

If using passive mode (which is more secure), you would need the following rules:

Action	Type	From Address	Mask	Port	To Address	Mask	Port	Direction	SYN	Notes
accept	tcp	Network IP		1025-65535	any		21	output		Allow control traffic out
accept	tcp	Network IP		1025-65535	any		1025-65535	output		Allow data traffic/connection out
deny	tcp	any			Network IP		1025-65535	input	Y	Block incoming connections
accept	tcp	any		1025-65535	Network IP		1025-65535	input		Allow control/data traffic in

We assume here that you have more than one FTP client behind your firewall. If you only have one, you can specify an IP address instead of using "Network IP" (for additional security).

Of course, when you're doing IP NAT (Network Address Translation) on your NetMAX FireWall, it's a completely different story. If your FTP client is behind the NAT, you need to use passive mode FTP, because you can't realistically setup a port forwarding rule to allow the FTP server to make the data connection in through the NAT to an unknown high numbered port.

And even if you're doing passive mode FTP, you'll have to keep your FTP transfers short, because the control connection is going to time out (because ip masquerading connections timeout after 15 minutes by default if there is no activity on them) before the data connection is finished transfering the file, which will effectively kill your transfer.

So, if you keep your FTP transfers under 15 minutes and use passive mode, you should be able to use the following rules to allow FTP through your NAT and packet filtered firewall.

Action	Type	From Address	Mask	Port	To Address	Mask	Port	Direction	SYN	Notes
accept	tcp	Network IP		1025-65535	any		21	output		Allow control traffic out
accept	tcp	Network IP		1025-65535	any		1025-65535	output		Allow data traffic/connection out
deny	tcp	any			Network IP		1025-65535	input	Y	Block incoming connections
accept	tcp	any		1025-65535	Network IP		1025-65535	input		Allow control/data traffic in

FTP Server behind the firewall.

If you have your FTP server behind a packet filtering firewall (such as NetMAX FireWall), you will need the following rules to allow ftp transfers through the firewall:

Action	Type	From Address	Mask	Port	To Address	Mask	Port	Direction	SYN	Notes
accept	tcp	Network IP		21	any		1025-65535	output		Allow control traffic out
accept	tcp	Network IP		20	any		1025-65535	output		Allow data traffic out
accept	tcp	any		1025-65535	Network IP		21	input		Allow control traffic/connection in
deny	tcp	any			Network IP		20	input	Y	Block incoming connections to data port
accept	tcp	any		1025-65535	Network IP		20	input		Allow data traffic in

To allow for passive mode FTP, you would also need the following rules (which are not recommended, because they open up your firewall for access to high numbered ports):

Action	Type	From Address	Mask	Port	To Address	Mask	Port	Direction	SYN	Notes
accept	tcp	Network IP		1025-65535	any		1025-65535	output		Allow data traffic out
deny	tcp	any			Network IP		6000-6009	input		Protect Xwindows ports
accept	tcp	any		1025-65535	Network IP		1025-65535	input		Allow data traffic/connection in

We assume here that you have more than one FTP server behind your firewall. If you only have one, you can specify the IP address, instead of using "Network IP" (for additional security).

Of course, when you're doing IP NAT (Network Address Translation) on your NetMAX FireWall, it's a completely different story. If your FTP server is behind the NAT, you need to use normal (active) mode FTP, because you can't realistically setup a port forwarding rule to allow the FTP client to make the data connection in through the NAT to an unknown high numbered port. You also need to setup port forwarding (Traffic Rerouting on your NetMAX FireWall Suite) to forward TCP port 21 to your FTP server.

And even if you're doing normal mode FTP, you'll have to keep your FTP transfers short, because the control connection is going to time out (because ip masquerading connections timeout after 15 minutes by default if there is no activity on them) before the data connection is finished transfering the file, which will effectively kill your transfer.

Adjusting the TCP timeout for your NAT:

One way to help the situation when doing FTP through a NAT, is by optimizing the timeouts of your IP masquerading.

From the command line, you can type the following:

ipchains -M -S 7200 10 160

Where 7200 is the number of seconds (120 minutes) for the TCP timeout, 10 is the number of seconds for the TCP timeout (after receiving a FIN), and 160 is the number of seconds for the UDP timeout.

Also, you can enable hash marks in your FTP client, if it supports it.

ip_masq_ftp Kernel Module:

L2.2Pv3.x of the NetMAX FireWall comes with the ip_masq_ftp kernel module installed, which "fixes" the problems with having an FTP client behind an IP NAT. This module is a work around for the limitations of IP NAT and FTP.

• It checks incoming packets for replies to outgoing PASV commands. If it sees one, it sets up a new masquerade entry for the outgoing data connection rather than letting the normal ip_masq logic set up the entry when the first data packet is sent. It does this just so it can set a special pointer in the data connection entry pointing at the control connection entry. The ip_masq code uses this pointer to reset the timeout for the control connection when there is activity on the data connection. This prevents the control connection from being deleted during a long data transfer.
• It checks outgoing packets for PORT commands, which mean the masqueraded client is telling the external server to open a data connection. If it sees one, it sets up a new masquerade entry as if the connection were being opened from the masq side, and re-writes the PORT command packet to specify the masq box's IP address and the selected masq port number. That way the incoming data packet will look like a reply to a previous outgoing packet, and the ip_masq code will know what to do with it. And of course the new entry for the data connection is linked to the control connection so it will be kept alive.

Limitations of ip_masq_ftp:

• Your FTP client can't use the default data port, but must instead use the PORT command to specify a different data port when doing active mode FTP.
• Only works when connecting to FTP servers on the standard port 21.
• It is not orthogonal, so it only helps if the FTP client is behind the NAT, and not if the FTP server is behind the NAT.

Notes:

If you want to connect to an FTP site by its domain name instead of by its IP address, you may also need to open up DNS ports. This article is not intended to cover DNS.

The ip_masq_ftp kernel module comes with the L2.2Pv2.2 product as well, but is not installed by default. To install it, you need to edit the /etc/rc.d/rc.sysinit file, and add the following lines above the other modprobe commands:

# Insert ip_masq_ftp so that passive mode for a ftp client is not needed.
modprobe ip_masq_ftp

So your rc.sysinit file should now look like this:

<--SNIP-->
        fi
fi

# Insert ip_masq_ftp so that passive mode for a ftp client is not needed.
modprobe ip_masq_ftp

# Probe for a IBMPC parallel port
modprobe parport_pc 2>/dev/null
modprobe lp 2>/dev/null

<--SNIP-->

Sources:

ip_masq_ftp Release Notes, RFC 959
address-suppressed

1. IP Based Web Hosting
2. Name Based Web Hosting

You can not have a combination of the two on the same IP.

You probably already have a website setup for IP.

All you need to do is edit the "Web Site Host Method" for the site, and change it from IP to Name, and then you can create additional Name based web sites on the same IP.
address-suppressed

IP Based virtual hosting

Important Note: RH52Pv2.0 and L22Pv2.x only support IP based virtual hosting. This means that each web site (domain name) has to have it's own IP address.

To add multiple IP's and setup web sites for them, please do the following:

1. Add additional IP addresses to your network adapter from Home|Network|Interfaces click on the pencil next to your network adapter, add additional IP addresses, STORE, and COMMIT your changes.
2. Add the additional domain names from Home|Network|Domains. You need to at least enter the Domain Name and Primary IP Address for the domain. You can click on the "?" for help on filling this form out. After you add all of the domains, click on STORE, and COMMIT your changes.
3. Add host names for the additonal domain names from Home|Network|Naming. You'll probably want to add names like www.domainname.com for each IP address. After you add all of the host names, click on STORE, and COMMIT your changes.
4. From Home|Services|WWW you should be able to click on the WEB SITES tab and add a web site for each www.domainname.com that you set up in step 3. Make sure and specify a different "Path" for each one. You'll probably want to put all of the paths parallel to each other.

        |--- /log       |--- /PublicFTP           |--- /domainname1
   /var |--- /mnt ------|--- /System ---|--- /Web |--- /domainname2
        |--- /preserve  |--- /Web                 |--- /domainname3
   

   If you have L22Pv3.x, you'll want to select "IP" for "Web Site Host Method".

   When you're done adding your web sites, click on STORE, and COMMIT your changes.

5. You'll probably want to setup a username for the webmaster of each domain name and set their home directory to be the "Path" to the web site. That way each user can ftp/telnet in and edit the documents that they're responsible for.
6. If you are using the mail server on your NetMAX and have both domain names (and their MX record) pointing to the NetMAX then each user (Home|Users|Users) will actually be able to receive email at any of the domain names associated with the NetMAX machine.

   So the user john would receive email at john@domainname1.com and/or john@domainname2.com. It would be up to john on which domain of the two he wanted to have people send his email to. He could use both if he wanted.

   You will need to make sure that the check box for "Include all domains for this NetMAX" is checked under the ROUTE tab from Home|Services|Mail if you don't want to have to send your mail to john@www.domainname1.com. You can click on the "?" for help when in that area for more information.

   In RH52Pv2.0 and L22Pv2.x, you can only setup email aliases for the primary domain name. In L22Pv3.x, you can setup virtual email aliases for each seperate domain name.

Name Based Virtual Hosting

Important Note: L22Pv3.x supports both IP based, and name based virtual hosting. This means that each web site (domain name) does not need to have its own IP address, because multiple web sites can be hosted on each IP address.

To add multiple IP's and setup web sites for them, please do the following:

1. When setting up your first web site under Home|Services|WWW, you will want to select "Name" for the "Web Site Host Method", if you are going to do name based virtual hosting.
2. To add addtional web sites, you'll need to add the additional domain names from Home|Network|Domains. You need to at least enter the Domain Name and Primary IP Address for the domain. You can click on the "?" for help on filling this form out. After you add all of the domains, click on STORE, and COMMIT your changes.
3. Add host names for the additonal domain names from Home|Network|Naming. You'll probably want to add names like www.domainname.com for each IP address. After you add all of the host names, click on STORE, and COMMIT your changes.
4. From Home|Services|WWW you should be able to click on the WEB SITES tab and add a web site for each www.domainname.com that you set up in step 3. Make sure and specify a different "Path" for each one. You'll probably want to put all of the paths parallel to each other.

        |--- /log       |--- /PublicFTP           |--- /domainname1
   /var |--- /mnt ------|--- /System ---|--- /Web |--- /domainname2
        |--- /preserve  |--- /Web                 |--- /domainname3
   

   Ensure that you select "Name" for the "Web Site Host Method."

   When you're done adding your web sites, click on STORE, and COMMIT your changes.

5. You'll probably want to setup a username for the webmaster of each domain name and set their home directory to be the "Path" to the web site. That way each user can ftp/telnet in and edit the documents that they're responsible for.
6. If you are using the mail server on your NetMAX and have both domain names (and their MX record) pointing to the NetMAX then each user (Home|Users|Users) will actually be able to receive email at any of the domain names associated with the NetMAX machine.

   So the user john would receive email at john@domainname1.com and/or john@domainname2.com. It would be up to john on which domain of the two he wanted to have people send his email to. He could use both if he wanted.

   You will need to make sure that the check box for "Include all domains for this NetMAX" is checked under the ROUTE tab from Home|Services|Mail, if you don't want to have to send your mail to john@www.domainname1.com. In L22Pv3.1, this check box is called "Consider all mail local for this domain" and is located under the MAIL tab in Home|Network|Domains. You can click on the "?" for help when in that area for more information.

   Virtual email aliases can be created for each domain name available on the NetMAX.

NetMAX can be installed on a hardware level RAID if:

1. The hardware level RAID is transparent to the OS (operating system).
2. The RAID controller appears to the OS as one of the supported SCSI cards.
3. The RAID controller shows the system drives to the OS with the standard sdX naming scheme.

Most hardware level RAID systems come with a DOS bootable floppy that you use to manage the hardware level RAID, and then you install the OS on the "system" drives that you have created.

It is probably much easier to install NetMAX on a supported SCSI adapter, install the SCSI drivers (and management software if available) for your RAID adapter, and then mount and use the RAID as additional filespace/volumes.

For more information regarding hardware RAIDs please see this article.
address-suppressed

The user name and password must be the same on both the Windows machine and the NetMAX machine
to access the NetMAX from a Windows machine's Network Neighborhood.

NOTE: Another possible cause for this message is that the Windows machine may not be
encrypting passwords by default.

Experienced system administrators can try the following tasks to fix this situation.

Note, however, that modifications to the System Registry can cause Windows machines
to become inoperable if a mistake is made.

Anyone not familiar with editing the Windows Registry should not edit the Registry.

If you aren't scared off yet, do the following:

To verify this setting, access Start->Run on the Windows machine.
Enter regedit in the dialog box and press Enter.

For Win95 or Win98:

    Access HKEY_LOCAL_MACHINE->System->CurrentControlSet->Services->VxD->VNETSUP
    in the left pane.

   Create a "dword" in the right pane called "Enable PlainTextPassword".

   Assign a value of "0" to the "EnablePlainTextPassword" key.

Close regedit and reboot the Windows machine.

For Windows 2000

Access HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->LanmanWorkStation->Parameters
in the left pane.

   Create a "dword" in the right pane called "Enable PlainTextPassword".

   Assign a value of "0" to the "EnablePlainTextPassword" key.

Close regedit and reboot the Windows machine.
address-suppressed

L2.2Pv2.1

There is a problem with NetMAX Fire Wall/Professional version L2.2Pv2.1 where routing between networks is disabled by default, not allowing NetMAX to act as a router.

To enable routing (if your route table allows it), type the following command at the command line:

echo 1 > /proc/sys/net/ipv4/ip_forward

You can also ensure that this is enabled whenver your NetMAX machine is rebooted by adding this command to your /etc/start_if.generic file. Make sure that you enter the command below the line containing the command "/usr/netmax/etc/rc.d/natd.sh restart". Routing will then be enabled whenever you reboot the NetMAX server. This problem only applies to NetMAX L22Pv2.1 and can also be resolved by installing the L22Pv2.2 upgrade which is available at http://www.netmax.com/support/downloads.html

L2.2Pv3.x

In the interest of security, NetMAX FireWall/Professional version L2.2Pv3.x only forwards traffic between "known" network interfaces (by default). This means that routing between all network interfaces will work fine; however, traffic with a source or destination address not on any of those known networks will not be forwarded (routed). This means that if you are using your NetMAX as a gateway to the Internet, more than likely you will be able to route traffic from your internal network to your ISP's network, but not past your ISP's network.

Although this is intended, it is was not documented in the manual.

The easy way to do this is to change your default forward policy to accept which will allow all traffic (traffic with a source or destination address on other networks) to use your router, you will want to issue the following commands from the command line, logged in as root:

echo /sbin/ipchains -P forward ACCEPT >> /etc/rc.firewall.local

chmod +x /etc/rc.firewall.local

/etc/rc.firewall.local

The more secure method would be to add custom firewall forward rules to each interface that will statically allow the routing between the two network cards for all traffic.

If you are doing NAT, no forward rules are created by default. So if you have more than one internal network interface, routing between the internal networks will not be allowed, by default. So you will have to manually create custom forward rules, or change the default forward policy, same as above.
address-suppressed

Answers in this category:
I'm having problems accessing the remote LAN through a VPN client connection. What's wrong?
When the client connects, Phase 1 completes, but Phase 2 is unsuccessful?
(missing or broken file)

As a work around, you can add the following directive in the /var/conf/apache/httpd.conf file, which will force the admin web server to not use HTTP/1.1, keep-alive connection, or sending the SSL close notify messages to MSIE clients:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

This should all be on one line, and you may only need to comment out this line and add a couple of the parameters, as part of this line may already exist in your httpd.conf file. You should reboot your server for the changes to take effect.

WARNING: If you have made a typo when editing the config file, when you reboot, you may no longer be able to access the admin interface.

Additionally, in general, you should set your Internet Explorer to:

1. Disable SSL version 3.
2. Access the internet directly (not through a proxy server).
3. Disable cacheing (retrieve document from remote site each time as opposed to once per session).
4. Enable cookies.

Sources: ModSSL FAQ
address-suppressed

• NetMAX Internet Server Suite
• NetMAX File Server
• NetMAX Firewall Suite
• NetMAX Internet Server ProSuite
• NetMAX Web Server
• NetMAX Firewall

1. Purchase the necessary license in the NetMAX store.
2. For NetMAX Firewall and NetMAX Firewall Suite version 3.x, you will need to purchase NetMAX Firewall ProSuite version 4.0x.
3. For NetMAX File Server, NetMAX Internet Server ProSuite, and NetMAX Web Server 3.x, you will need to purchase NetMAX Professional Suite version 4.0x.
4. After you obtain the license number for the software you purchased, remove the current license number for your product. Do this in System -> License Management.
5. Next, add the new license number you purchased in License Management.
6. You should now be able to upgrade using the CD you purchased (or downloaded and burned). Simply follow the normal upgrade procedure in the manual from here on out.