From owner-freebsd-isp Thu Nov 23 21:24:14 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id 586B937B4D7 for ; Thu, 23 Nov 2000 21:24:07 -0800 (PST)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id XAA35384; Thu, 23 Nov 2000 23:28:06 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Thu, 23 Nov 2000 23:28:06 -0600 (CST)
From: Ryan Thompson
To: Simon
Cc: "freebsd-isp@freebsd.org"
Subject: Re: proftpd passive weirdness through firewall
In-Reply-To: <20001124052030.8DFAC37B479@hub.freebsd.org>
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Simon wrote to freebsd-isp@freebsd.org and Ryan Thompson:

> That's a problem with proftpd. You should upgrade to the latest release.
>
> -Simon

Ahhh... I'm glad I didn't spend too much time trying to figure it out, then. :-)

Thanks,
- Ryan

Original Message:

> On Thu, 23 Nov 2000 23:19:04 -0600 (CST), Ryan Thompson wrote:
>
> >Hi all...
> >
> >As many admins are aware, configuring an FTP server through a firewall can
> >be a major pain. It is a pain I thought I had mastered, though :-) My
> >firewall is set up such that I have everything inbound blocked but basic
> >connectivity, and the protocols I wish to enable, including FTP.
> >Outgoing connections are allowed to any network on (almost) any port, as
> >this is not a user machine.
> >
> >Now, a few customers have been complaining that passive mode transfers
> >(and directory listings) do not work, which has enticed me to look into
> >the problem a bit further. We moved to proftpd from wuftpd a while back,
> >and the problem seemed to start around that time.
> >
> >It appears as though, when initiating a transfer, very low port numbers
> >are chosen:
> >
> >Script started on Thu Nov 23 22:55:46 2000
> >Connected to ftp.sasknow.com.
> >220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com]
> >Name (ftp.sasknow.com:ryan): ryan
> >331 Password required for ryan.
> >Password:
> >230 User ryan logged in.
> >Remote system type is UNIX.
> >Using binary mode to transfer files.
> >ftp> ls
> >500 EPSV not understood.
> >227 Entering Passive Mode (207,195,92,131,15,135).
> >^C
> >receive aborted. Waiting for remote to finish abort.
> >ftp> passive
> >Passive mode: off; fallback to active mode: off.
> >ftp> ls
> >200 PORT command successful.
> >150 Opening ASCII mode data connection for file list.
> >
> >< normal ls output >
> >
> >226 Transfer complete.
> >ftp> quit
> >221 Goodbye.
> >
> >Script done on Thu Nov 23 22:56:15 2000
> >
> >
> >The following are a few snippets of my firewall configuration (not the
> >whole thing, obviously):
> >
> >
> ># Basic connectivity rules ====================================================
> >
> ># Allow established connections
> >$fwcmd add 600 pass tcp from any to any established
> >
> ># Allow outgoing connections originating from our subnet only
> >$fwcmd add 700 pass tcp from ${sasknow} to any setup
> >
> ># Explicitly block ICMP redirects
> ># $fwcmd add 1000 deny icmp from any to any icmptype 5
> >
> ># Allow all other ICMP
> >$fwcmd add 1100 pass icmp from any to any
> >
> ># Open default traceroute port on udp only.
> ># The default port range starts at 33434
> >$fwcmd add 1200 pass udp from any to any 33434-33500
> >
> ># Individual protocol access ==================================================
> >
> ># Completely open up standard FTP
> >$fwcmd add 9900 pass tcp from any 20 to any
> >$fwcmd add 9901 pass udp from any 20 to any
> >$fwcmd add 9950 pass tcp from any to ${ftp} 21 setup
> >
> >
> ># More inbound protocols allowed....
> >
> >
> ># Everything else is denied by default!
> >
> >So, anything with a source port of 20 is let through, and control
> >connections can be established on port 21. Standard FTP, therefore, works
> >fine. Many clients nowadays have passive mode on by default, though (or
> >are behind firewalls themselves), and it's passive mode that causes grief!
> >Since all outbound connections are explicitly allowed by rule 0700, why
> >isn't passive mode functional? From my testing, this problem spans more
> >than a dozen different clients on several different networks (many of
> >which are not restricted by a firewall themselves). Disabling the
> >firewall rules here, of course, allows passive mode to work perfectly from
> >anywhere.
> >
> >I've tried playing with the "passive ports" directive in
> >/usr/local/etc/ftpaccess, and explicitly opening up those ports for
> >inbound access, but to no avail. It seems a little strange to have to do
> >this, anyway.
> >
> >Thanks for any suggestions!
> >
> >- Ryan

--
Ryan Thompson
Network Administrator, Accounts
Phone: +1 (306) 664-1161
SaskNow Technologies
http://www.sasknow.com
#106-380 3120 8th St E
Saskatoon, SK S7H 0W2

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
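The following is an added worked example, not code from the thread or from ProFTPD, that makes the failure in Ryan's transcript mechanical: it decodes the quoted 227 reply into the data port the client must connect to, then walks that connection through a simplified first-match model of the quoted ipfw rules. The server address comes from the 227 reply on the page; the ${sasknow} subnet (207.195.92.0/24), the client address (198.51.100.7), the client's ephemeral ports, and the extra rule number 9960 are constructed assumptions for illustration. It also goes slightly beyond the thread by showing that a rule opening a configured passive range only helps when the server actually announces ports inside that range.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Server address is taken from the 227 reply quoted in the thread; the subnet
# behind ${sasknow} and the client address are constructed assumptions.
FTP = "207.195.92.131"
SASKNOW = "207.195.92.0/24"
CLIENT = "198.51.100.7"
PASV_LINE = "227 Entering Passive Mode (207,195,92,131,15,135)."

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (host, port); RFC 959 encodes the port as p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass
class Rule:
    number: int
    action: str                     # "pass" or "deny"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # "any" or a CIDR block
    sport: Optional[range]          # None means any source port
    dst: str
    dport: Optional[range]
    tcpflag: Optional[str] = None   # "setup" (SYN only) or "established" (ACK set)

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool                  # True for the first packet of a TCP handshake

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(spec: Optional[range], port: int) -> bool:
    return spec is None or port in spec

def matches(r: Rule, p: Packet) -> bool:
    if r.proto != p.proto or not _addr_ok(r.src, p.src) or not _addr_ok(r.dst, p.dst):
        return False
    if not _port_ok(r.sport, p.sport) or not _port_ok(r.dport, p.dport):
        return False
    if r.tcpflag == "setup" and not p.syn_only:
        return False
    if r.tcpflag == "established" and p.syn_only:
        return False
    return True

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First matching rule wins, as in ipfw; 65535 stands for the implicit default deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, p):
            return r.action, r.number
    return "deny", 65535

# The rules quoted in the thread, minus the commented-out ICMP redirect rule.
BASE_RULES = [
    Rule(600, "pass", "tcp", "any", None, "any", None, "established"),
    Rule(700, "pass", "tcp", SASKNOW, None, "any", None, "setup"),
    Rule(1100, "pass", "icmp", "any", None, "any", None),
    Rule(1200, "pass", "udp", "any", None, "any", range(33434, 33501)),
    Rule(9900, "pass", "tcp", "any", range(20, 21), "any", None),
    Rule(9901, "pass", "udp", "any", range(20, 21), "any", None),
    Rule(9950, "pass", "tcp", "any", None, FTP, range(21, 22), "setup"),
]

def rules_with_passive_range(lo: int, hi: int) -> List[Rule]:
    """Hypothetical rule 9960: admit inbound data connections to a configured PASV port range."""
    return BASE_RULES + [Rule(9960, "pass", "tcp", "any", None, FTP, range(lo, hi + 1), "setup")]

def control_verdict() -> Tuple[str, int]:
    # Control connection: client SYN to port 21, admitted by rule 9950.
    return evaluate(BASE_RULES, Packet("tcp", CLIENT, 40000, FTP, 21, True))

def active_data_verdict() -> Tuple[str, int]:
    # Active mode: the server dials out from port 20, so the SYN is outbound and rule 700 matches.
    return evaluate(BASE_RULES, Packet("tcp", FTP, 20, CLIENT, 40001, True))

def passive_data_verdict(reply: str, passive_range: Optional[Tuple[int, int]] = None) -> Tuple[str, int]:
    # Passive mode: the client dials the port announced in the 227 reply, so the SYN is inbound.
    host, port = parse_pasv(reply)
    rules = BASE_RULES if passive_range is None else rules_with_passive_range(*passive_range)
    return evaluate(rules, Packet("tcp", CLIENT, 40002, host, port, True))

if __name__ == "__main__":
    print("control:", control_verdict(), "active:", active_data_verdict())
    print("passive:", passive_data_verdict(PASV_LINE))
    print("passive with 49152-65534 opened:", passive_data_verdict(PASV_LINE, (49152, 65534)))
```

The quoted 227 reply decodes to port 3975. That inbound SYN has neither source port 20 nor destination port 21, and its source is not the local subnet, so none of rules 600, 700, 9900 or 9950 match and the implicit default deny drops it; rule 700 is irrelevant because in passive mode the server never initiates anything. Opening a passive range at the firewall (rule 9960 here) makes the data connection pass only when the announced port falls inside it, which is why a server that does not honour its configured passive range leaves the firewall rule ineffective, matching Ryan's report that opening the ports did not help.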