Date: Tue, 13 Mar 2001 03:07:24 -0800
From: Kent Stewart <kstewart@urx.com>
To: Mike Meyer <mwm@mired.org>
Cc: questions@freebsd.org
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <3AADFF6C.8849BF47@urx.com>
References: <15021.59314.727992.628569@guru.mired.org>
Mike Meyer wrote:
>
> Kent Stewart <kstewart@urx.com> types:
> > If you have a passive ftpd setup, how do you control what port something
> > like a windows ftp client can use with ipfw. The range I am seeing is
> > way beyond what is suggested and you know that people are going to
> > blame the FreeBSD ftp server when they get the terrible response that
> > produces.
>
> You don't need to control what port the client uses for passive FTP,
> you need to control what port the server uses.

Is there a way to do that? What I am seeing is ports from the low 30K to
mid 50's. The problem of course is that when you prevent a range that it
tries to use, it seems like it takes forever to respond. Eventually it
worked, but some of those files that I used for a test I could have typed
in faster. They weren't very big of course :).

> With active FTP, the client sends a request to the server asking for
> data, and telling the server what port to send it to. The server
> opens a second connection back to the client and sends the data. This
> causes headaches for most firewalls around the client.
>
> With passive FTP, the client sends a request to the server asking for
> data, and the SERVER tells the client what port to get it from. The
> client opens the second connection to the server and gets the
> data. This goes through firewalls around the client just fine, which
> is why it became popular in the early 90s.

I have the O'Reilly Firewall book. That has a bunch of numbers and
diagrams that at first didn't make sense because I couldn't relate the
diagrams to the rules. Then I came across Ziegler's Linux Firewalls, where
he generated input for ipchains. The equivalent ipfw was almost trivial.
At any rate, a combination of both turned on the recognition light. You
could see the data being logged on both ends and see the coarse
handshaking that goes on.

> As you're discovering, the headaches that active FTP had around the
> client now exist around the server. But there are fewer servers, and
> they are presumably run by smarter people, so it can be dealt with.
>
> Commercial firewalls deal with this by monitoring connections that
> came to the ftp port on either side of them, parsing the commands
> for port numbers and adding the appropriate dynamic rules.
>
> You ought to be able to make ftpd do passive IP from ports 49152 -
> 65535. In fact, it ought to do that by default. Since it's not, it's
> probably doing 1024 - 49151. So long as you have any real services
> running in that range (X comes immediately to mind, and possibly some
> of the rpc related things), you should be ok.

Well, rpc is turned off on his system. I'm seeing a lot of port 111 stuff
being denied. It goes in cycles and you can almost guess when school is
out.

I went to look at the log on the server and I was wrong. The low ports
are what are showing up in the ws-ftp log on W2K. My passive FTP requests
are using ports in the 49xxx region on the FreeBSD server. I changed the
rule to 49152-65535 and after a number of requests, all I saw was a stair
step from 49174-49179. There also wasn't the usual terrible delay.

One thing about this process: it isn't half way. It either works or it
doesn't. It is also an active system, but I'm up when there isn't any
usage and I can break it. The early problems were associated with getting
ssh to work and the firewall. One mistake and you were locked out until
they could clean it. Then, I thought about using "at" and scheduling the
clean. Then, I would try the new firewall rules. If I screwed up, all I
had to do was wait 10-15 minutes and it was cleaned. I could then look at
the log and try to fix what I broke. If I didn't break it, I would atrm
the clean and continue on. I had a lot of progress in a short time at
that point.

Someone on the line between here and California also tends to try things
around 2am and I don't know if I broke something or they did. It just
happened. It is like they have an NT machine and they reboot it a few
times around 2-3am. I wait 5-10 minutes and I can get back in but may get
kicked off again until ~3am. It could be a ripple between here and there.
It isn't a total loss because there is a volcano just outside of Mexico
City called Popocatépetl with a cam pointed at it, and when the link is
down I can go see what is happening there. I've watched the sun rise on
it a few times. When both are down, it is just a wee bit irritating.

Thanks for the info. I learned a few things I needed to know.

Kent
--
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/
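An added example, not from Kent's or Mike's messages, of the parsing Mike describes: it pulls the data port out of the server's 227 "Entering Passive Mode" reply, checks it against the 49152-65535 range Kent settled on, and renders the static ipfw rule that would admit only that one data connection. The addresses and rule number are constructed placeholders.

```python
import re

# Passive range the server is configured for (the 49152-65535 range from the thread).
PASV_PORT_MIN = 49152
PASV_PORT_MAX = 65535

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one octet; reject anything out of range
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def in_passive_range(port, lo=PASV_PORT_MIN, hi=PASV_PORT_MAX):
    """True when the advertised data port is one the firewall is meant to admit."""
    return lo <= port <= hi


def ipfw_data_rule(rule_no, server_ip, client_ip, port):
    """Text of an ipfw rule admitting one passive data connection.
    Returns None for ports outside the configured range (they stay blocked)."""
    if not in_passive_range(port):
        return None
    return ("ipfw add %d allow tcp from %s to %s %d setup"
            % (rule_no, client_ip, server_ip, port))


# Constructed sample replies: one inside the range, one from the low-30K
# region Kent saw being blocked. Addresses are documentation placeholders.
SAMPLES = [
    "227 Entering Passive Mode (192,0,2,10,192,38)",   # port 49190
    "227 Entering Passive Mode (192,0,2,10,124,233)",  # port 31977
]

if __name__ == "__main__":
    for r in SAMPLES:
        host, port = parse_pasv(r)
        verdict = "allowed" if in_passive_range(port) else "outside range"
        print(host, port, verdict, ipfw_data_rule(1000, host, "198.51.100.5", port))
```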