Date: Fri, 24 Nov 2000 15:24:08 +0300
From: "Alexei V. Alexandrov" <ava@elcomsoft.com>
To: Ryan Thompson <ryan@sasknow.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: proftpd passive weirdness through firewall
Message-ID: <6641.001124@elcomsoft.com>
In-Reply-To: <Pine.BSF.4.21.0011232255090.32998-100000@ren.sasknow.com>
References: <Pine.BSF.4.21.0011232255090.32998-100000@ren.sasknow.com>
Hello Ryan,

Friday, November 24, 2000, 8:19:04 AM, you wrote:

RT> Hi all...
RT>
RT> As many admins are aware, configuring an FTP server through a firewall can
RT> be a major pain. It is a pain I thought I had mastered, though :-) My
RT> firewall is set up such that I have everything inbound blocked but basic
RT> connectivity, and the protocols I wish to enable, including FTP.
RT> Outgoing connections are allowed to any network on (almost) any port, as
RT> this is not a user machine.
RT>
RT> Now, a few customers have been complaining that passive mode transfers
RT> (and directory listings) do not work, which has enticed me to look into
RT> the problem a bit further. We moved to proftpd from wuftpd a while back,
RT> and the problem seemed to start around that time.
RT>
RT> It appears as though, when initiating a transfer, very low port numbers
RT> are chosen:
RT>
RT> Script started on Thu Nov 23 22:55:46 2000
RT> Connected to ftp.sasknow.com.
RT> 220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com]
RT> Name (ftp.sasknow.com:ryan): ryan
RT> 331 Password required for ryan.
RT> Password:
RT> 230 User ryan logged in.
RT> Remote system type is UNIX.
RT> Using binary mode to transfer files.
RT> ftp> ls
RT> 500 EPSV not understood.
RT> 227 Entering Passive Mode (207,195,92,131,15,135).
RT> ^C
RT> receive aborted. Waiting for remote to finish abort.
RT> ftp> passive
RT> Passive mode: off; fallback to active mode: off.
RT> ftp> ls
RT> 200 PORT command successful.
RT> 150 Opening ASCII mode data connection for file list.
RT> < normal ls output >
RT> 226 Transfer complete.
RT> ftp> quit
RT> 221 Goodbye.
RT> Script done on Thu Nov 23 22:56:15 2000
RT>
RT> The following is a few snippets of my firewall configuration (not the
RT> whole thing, obviously):
RT>
RT> # Basic connectivity rules ====================================================
RT>
RT> # Allow established connections
RT> $fwcmd add 600 pass tcp from any to any established
RT>
RT> # Allow outgoing connections originating from our subnet only
RT> $fwcmd add 700 pass tcp from ${sasknow} to any setup
RT>
RT> # Explicitly block ICMP redirects
RT> # $fwcmd add 1000 deny icmp from any to any icmptype 5
RT>
RT> # Allow all other ICMP
RT> $fwcmd add 1100 pass icmp from any to any
RT>
RT> # Open default traceroute port on udp only.
RT> # The default port range starts at 33434
RT> $fwcmd add 1200 pass udp from any to any 33434-33500
RT>
RT> # Individual protocol access ==================================================
RT>
RT> # Completely open up standard FTP
RT> $fwcmd add 9900 pass tcp from any 20 to any
RT> $fwcmd add 9901 pass udp from any 20 to any
RT> $fwcmd add 9950 pass tcp from any to ${ftp} 21 setup
RT>
RT> # More inbound protocols allowed....
RT>
RT> # Everything else is denied by default!
RT>
RT> So, anything with a source port of 20 is let through, and control
RT> connections can be established on port 21. Standard FTP, therefore, works
RT> fine. Many clients nowadays have passive mode on by default, though (or
RT> are behind firewalls themselves), and it's passive mode that causes grief!
RT>
RT> Since all outbound connections are explicitly allowed by rule 0700, why
RT> isn't passive mode functional? From my testing, this problem spans more
RT> than a dozen different clients on several different networks (many of
RT> which are not restricted by a firewall themselves). Disabling the
RT> firewall rules, here, of course allows passive mode to work perfectly from
RT> anywhere.
RT>
RT> I've tried playing with the "passive ports" directive in
RT> /usr/local/etc/ftpaccess, and explicitly opening up those ports for
RT> inbound access, but to no avail. It seems a little strange to have to do
RT> this, anyway.

Yes. The ProFTP daemon has a bug in selecting ports when in passive mode. By
default it defaults to ANY port. This can be controlled by applying a patch to
it (check www.proftpd.net and follow the link which points to mod_wrap; still,
the patch is only for the CVS version). In my case I did the following.

First, on the server where you run Proftpd, set the following options:

sysctl -w net.inet.ip.portrange.first=49152
sysctl -w net.inet.ip.portrange.last=65534

This will instruct the kernel to give ports in the range 49152-65534 when a
call to bind to a port receives ANY. So this way we know that our FTP server
will use ports in this range, so you can write a firewalling rule allowing all
outbound packets from this port which have the connection flag set.

That's all... In my case this works fine. If you have problems contact me.

P.S.: This is a rule for IPFilter:

pass out quick on <iface> proto tcp from any to a.b.c.d/32 port 49152 >< 65534 flags S keep state

Best regards,
Alexei V. Alexandrov | @ ElcomSoft Ltd.   | Phone: +7 095 974-11-62
System Administrator | www.elcomsoft.com | Mail: ava@elcomsoft.com
---------------------+-------------------+-------------------------
*** It`s always a long day, 86400 doesn`t fit into a short. ***
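As an added example (not code from either poster), the check an admin would run before trusting the fix above: parse the 227 reply from Ryan's session, compute the data port the server announced, test it against the 49152-65534 range the sysctl pins, and emit an ipfw rule in the style of Ryan's ruleset that admits inbound SYNs to that range. The rule number 9960 and the audit helper are my own choices.

```python
import re

# 227 reply quoted in Ryan's transcript (port = 15*256 + 135 = 3975, well
# below the range the firewall would admit).
SAMPLE_227 = "227 Entering Passive Mode (207,195,92,131,15,135)."

# Ephemeral range the reply pins with net.inet.ip.portrange.first/last.
PORTRANGE_FIRST = 49152
PORTRANGE_LAST = 65534

PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    octets = tuple(int(x) for x in m.groups())
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # high byte, low byte per RFC 959
    return host, port


def passive_port_allowed(reply, first=PORTRANGE_FIRST, last=PORTRANGE_LAST):
    """True when the announced data port lies inside the admitted range."""
    _, port = parse_pasv(reply)
    return first <= port <= last


def audit_session(transcript, first=PORTRANGE_FIRST, last=PORTRANGE_LAST):
    """Scan a client transcript (one reply per line) and return every
    announced passive port the firewall would refuse."""
    refused = []
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("227 "):
            _, port = parse_pasv(line)
            if not first <= port <= last:
                refused.append(port)
    return refused


def ipfw_passive_rule(ftp_host, first=PORTRANGE_FIRST, last=PORTRANGE_LAST,
                      rule_no=9960, fwcmd="$fwcmd"):
    """ipfw rule (ruleset style of the thread) admitting passive-mode data
    connections, i.e. inbound SYNs to the pinned port range on the server.
    rule_no 9960 is a constructed choice that sits after rule 9950."""
    return "%s add %d pass tcp from any to %s %d-%d setup" % (
        fwcmd, rule_no, ftp_host, first, last)
```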