LinuxSA Mailing list archives

  From: Michael Pearson <alcaron@senet.com.au>
  To  : <linuxsa@linuxsa.org.au>
  Date: Tue, 7 May 2002 23:12:55 +0930

Re: Firewall and FTP'ing

* David Fitch (davidf@parachilna.com) wrote:
> On Tue, 2002-05-07 at 18:17, Wayne Simes wrote:
> > I have opened up ports 20 and 21 to allow for ftp'ing through to the 
> > server, but I have noticed in the logs that the client is trying to 
> > make connections to ports up in the 3000 and 6000 range. I don't
> > really want to open up a whole range of ports just to allow the
> > odd person to connect.
> > 
> > What should I be doing to try and get around this problem?
> 
> yes it sucks, I've never found a satisfactory solution.
> The best workaround for me is use passive ftp (ie. 'pas'
> command in ftp).
Wrong way around.

Normal ftp works by the server making a connection to a port on the client's
machine to transfer data. In today's world of paranoid firewalls and IP
masquerading, this doesn't work.

Passive ftp works by the client making a connection to a port on the server
machine to transfer data.

The easiest way to have this work with a server firewall is to use an ftp
daemon which has configurable passive port ranges, such as ProFTPd. This port
range can then be opened up on the firewall.

Or, you can use connection tracking with iptables, and configure the table so
that it will allow related FTP connections through.

It's not the "odd person" using passive FTP these days, either. Blocking
all of your server's ports except for 21 will deny a large percentage of
users access.

--
Michael Pearson

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
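Added example, not code from the thread: a small Python decoder for the two control-channel messages the reply above describes, the PORT command (active mode, server dials the client) and the 227 reply to PASV (passive mode, client dials the server), plus a check of whether the server's advertised passive port falls inside the range a server firewall has opened. The 49152-65534 range is an assumed, illustrative PassivePorts setting; the sample lines and addresses are constructed.

```python
import re

# Illustrative passive range, as set with ProFTPd's PassivePorts directive and
# opened on the firewall (constructed value, not taken from the thread).
PASSIVE_PORT_RANGE = (49152, 65534)

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command (active: the client
    names its port) or a 227 PASV reply (passive: the server names its port)."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    port = nums[4] * 256 + nums[5]           # p1 is the high byte, p2 the low
    if port == 0 or any(n > 255 for n in nums):
        raise ValueError("malformed host/port tuple in %r" % text)
    return ".".join(str(n) for n in nums[:4]), port

def data_connection(line):
    """Classify one control-channel line as ('active'|'passive', (ip, port))."""
    if line.upper().startswith("PORT "):
        return "active", parse_hostport(line)   # server will dial the client
    if line.startswith("227 "):
        return "passive", parse_hostport(line)  # client will dial the server
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def passive_port_opened(mode, endpoint, rng=PASSIVE_PORT_RANGE):
    """Passive mode: is the advertised server port inside the opened range?
    Active mode: the server dials out from port 20, no inbound rule; None."""
    if mode != "passive":
        return None
    return rng[0] <= endpoint[1] <= rng[1]

# Constructed sample lines (server 203.0.113.10, client 198.51.100.7).
SAMPLE = [
    "PORT 198,51,100,7,12,34",                          # active, 12*256+34 = 3106
    "227 Entering Passive Mode (203,0,113,10,195,84)",  # passive, 195*256+84 = 50004
    "227 Entering Passive Mode (203,0,113,10,23,112)",  # passive, 23*256+112 = 6000
]

def check_sample(lines=SAMPLE):
    """Return (mode, data port, opened?) per line; the 6000-range port from the
    original report is passive and outside the opened range, so it is dropped."""
    out = []
    for line in lines:
        mode, ep = data_connection(line)
        out.append((mode, ep[1], passive_port_opened(mode, ep)))
    return out
```

The third sample is exactly the symptom in the original question: a passive server advertising a port outside anything the firewall permits, which is what either a fixed PassivePorts range or the iptables FTP connection-tracking helper resolves.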

