Date: Wed, 7 Mar 2001 21:31:51 -0600
From: Mike Meyer <mwm@mired.org>
To: "Charles Burns" <burnscharlesn@hotmail.com>
Cc: questions@freebsd.org
Subject: Re: Allowing FTP through firewall
Message-ID: <15014.64807.978927.383799@guru.mired.org>
In-Reply-To: <F145vijhtq9Bni9leSb00002a0a@hotmail.com>
References: <F145vijhtq9Bni9leSb00002a0a@hotmail.com>
Charles Burns <burnscharlesn@hotmail.com> types:

Please leave the discussion on -questions, so others can catch my
mistakes, and so the answers wind up in the archives.

> I appreciate your reply. The duplicate line was actually a typo when I was
> transferring from my list to the browser (it specifies udp instead of tcp).
> It seems like the data connection is being made at a port other than what
> the ftpd man page says, because when I open all ports from 1024-65535, FTP
> works fine. This is all fairly irritating... I wonder if sftp is simpler to
> firewall.
> You asked "Which way - in or out?" I am trying to allow incoming
> connections to the server. I am actually doing the testing from inside the
> network, otherwise I would specify interfaces and netmasks and such (just
> testing now).
> Would you happen to have an idea as to why passive FTP connections are made
> with different ports than ftpd says it uses?

Seems like you've zeroed in on the problem - the ftpd docs are simply
wrong. In particular, you only get the restricted IP address range if
you compile ftpd with -DIP_PORTRANGE, which apparently isn't done by
default. The range used by the kernel for sockets is actually specified
by the sysctls net.inet.ip.portrange.first and
net.inet.ip.portrange.last, if you want to change it.

> Additionally, how might I find which port the connection is being made on so
> that I can find its real range?

Log the accept message, so you'll see what it is. However, reading
netinet/in.h and checking the sysctls worked for me.

	<mike

> Many thanks
>
> Charles Burns
>
> >Charles Burns <burnscharlesn@hotmail.com> types:
> > > What do I need to do to allow passive FTP through a closed firewall?
> > > According to the ftpd man page, ports 49152-65535 may be used for
> > > passive FTP. The lines that are applicable in my firewall script are:
> >
> >Which way - in or out? The rules you've got should allow *incoming*
> >passive FTP connections, but not outgoing. However, other rules in
> >your firewall script may be causing problems.
> >
> > > fw=/sbin/ipfw
> > >
> > > $fw add 2 divert natd all from any to any via xl0
> > > $fw add 11 pass tcp from any to any 49152-65535
> > > $fw add 12 pass udp from any to any 49152-65535
> > > $fw add 100 check-state
> > > $fw add 300 pass tcp from any to any 20,21 keep-state
> > > $fw add 400 pass tcp from any to any 20,21 keep-state
> > > $fw add 900 pass icmp from any to any icmptypes 0,3,4,8,11,12
> >
> >Rules 300 and 400 are identical, so one of them is redundant. 11 and
> >12 are almost identical, but I don't know of any ftp client that
> >actually uses udp, so 12 probably doesn't do much. I'm not completely
> >familiar with dynamic rules (and I'm not sure under what conditions
> >you'd want them), but aren't there problems with mixing dynamic and
> >static like that?
> >
> > > Are there any other common protocols that are this difficult to set up?
> >
> >No. FTP is a major PITA to set up for firewalls - mostly because it
> >has a *lot* more flexibility than most people ever use. You can, for
> >example, arrange to transfer data from host a to host b while sitting
> >at host c. Making that possible is why the data and control
> >connections are separate.
> >
> >Given how much GUI ftp clients resemble bilge pumps, I don't bother
> >with ftp servers any more unless it's absolutely required.
> >
> >	<mike
> >--
> >Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
> >Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> >information.

--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
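The point made in the thread, that the data port a passive-mode ftpd actually announces comes from the kernel's net.inet.ip.portrange sysctls rather than the range in the man page, can be checked mechanically. The following Python script is an added example, not part of this thread or of FreeBSD: it parses the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply a server sends (data port = p1*256 + p2, per RFC 959), reports whether that port falls inside the range an ipfw pass rule admits, and lists whatever part of the kernel's range the rule leaves uncovered. The kernel range and the PASV reply are constructed sample values, not readings from a real system; the firewall range 49152-65535 is the one rule 11 in the thread opens.

```python
import re

# Matches the PASV reply format defined by RFC 959:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 PASV reply.

    The data port is p1*256 + p2; each field must fit in one byte.
    Raises ValueError on anything that is not a well-formed 227 reply,
    so a malformed or truncated server line is rejected, not misread.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f < 0 or f > 255 for f in fields):
        raise ValueError("PASV field out of byte range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_port_allowed(reply, fw_lo, fw_hi):
    """True if the data port in `reply` lies within the firewall's pass range."""
    _, port = parse_pasv(reply)
    return fw_lo <= port <= fw_hi


def uncovered(kernel_range, firewall_range):
    """Sub-ranges of the kernel's ephemeral port range that a single
    'pass tcp ... lo-hi' rule does not admit. An empty list means full
    coverage; a disjoint rule leaves the whole kernel range uncovered."""
    klo, khi = kernel_range
    flo, fhi = firewall_range
    if khi < flo or klo > fhi:          # completely disjoint
        return [(klo, khi)]
    gaps = []
    if klo < flo:
        gaps.append((klo, flo - 1))
    if khi > fhi:
        gaps.append((fhi + 1, khi))
    return gaps


def ipfw_pass_rule(number, lo, hi):
    """Render an ipfw rule in the style of the thread's firewall script."""
    return "$fw add %d pass tcp from any to any %d-%d" % (number, lo, hi)


# --- constructed sample values (not read from any real system) ---
# Stand-ins for what `sysctl net.inet.ip.portrange.first` / `.last` might show.
KERNEL_RANGE = (1024, 5000)
# The range the thread's rule 11 actually opens.
FIREWALL_RANGE = (49152, 65535)
# A constructed server reply: 4*256 + 210 = port 1234, inside KERNEL_RANGE.
SAMPLE_PASV = "227 Entering Passive Mode (192,168,1,10,4,210)"

if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_PASV)
    print("server offers data connection at %s:%d" % (host, port))
    print("allowed by rule 11:", data_port_allowed(SAMPLE_PASV, *FIREWALL_RANGE))
    for lo, hi in uncovered(KERNEL_RANGE, FIREWALL_RANGE):
        print("kernel range not covered: %d-%d" % (lo, hi))
        print("rule that would cover it:", ipfw_pass_rule(11, lo, hi))
```

On the sample values the script reports that port 1234 is not admitted and that the whole 1024-5000 range is uncovered, which is the symptom described in the thread (transfers only work once 1024-65535 is opened). The narrower fix, as the reply says, is to make ftpd use the restricted range (or adjust the sysctls) and then pass only that range, rather than opening every ephemeral port on the firewall.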