Date: Wed, 19 Sep 2001 16:25:45 +0700
From: "Mick Nicila" <n_mickey@hotmail.com>
To: chutima_s@zdnetonebox.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to config ipfw for ftp server
Message-ID: <F15Lw0he2AeWXTLlaPf0001ad2d@hotmail.com>

Dear Chutima,

FTP uses separate command and data connections. By default
FTP servers work in Active mode, where the server listens on port 21
for commands; data connections are initiated by the server from its
port 20 (ftp-data) to a random port on the client. This is the case
your firewall will not allow. In this case, you may allow connections
initiated from server port 20 to port > 1024 outside. I don't know
exactly how to set the ipfw rules.

On the other hand, Passive mode causes the client to open both
connections to the server. The data connection is opened from a random
port on the client to a random port on the server. This case is also
prohibited by your firewall. It is rather complicated to deal with, since
both client and server port numbers are randomized. You may need a
special FTP proxy, I think.

Note that Internet Explorer and Netscape are usually set to work
in Passive mode, whilst FTP software is often set to work in Active
mode. This setting can be changed in most FTP software.

On Tue, 18 Sep 2001, Chutima S. wrote:
>I am trying to config ipfw to allow the outside world to connect to an ftpserver (real
>IP) behind my firewall.
>
>I config rules as:
>
>ipfw add pass tcp from any to <ftpserverIP> 21 setup
>
>After I tested it, I found that I can log in to the ftpserver but cannot get
>a data connection for GET or List for files. Is it about the ftp-data port
>or passive mode? How do I config it to work with a normal ftpserver?
>
>Thanks
>Chutima S.
>
>--
>Chutima Subsirin
>chutima_s@zdnetonebox.com - email
>(202) 777-2641 ext. 6020 - voicemail/fax
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
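
Added example, not part of the original message or of ipfw: a Python sketch of what an FTP-aware proxy or firewall helper reads off the control connection (RFC 959 PORT commands and 227 replies) to learn which data connection to permit, for both modes described in the reply above. The function names, the addresses and the checks that reject a mismatched host or a port below 1024 are assumptions made for this illustration.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_flow(line, client_ip, server_ip):
    """Map one control-channel line to the data connection to permit, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):      # sent by the client: Active mode
        ep = parse_hostport(line[5:])
        # Assumed policy: the endpoint must be the client itself, port >= 1024.
        if ep is None or ep[0] != client_ip or ep[1] < 1024:
            return None
        # The server connects out from its port 20 (ftp-data).
        return {"mode": "active", "src": (server_ip, 20), "dst": ep}
    if line.startswith("227"):                # sent by the server: Passive mode
        ep = parse_hostport(line[3:])
        if ep is None or ep[0] != server_ip or ep[1] < 1024:
            return None
        # The client connects in from a random port (None = any).
        return {"mode": "passive", "src": (client_ip, None), "dst": ep}
    return None


# Constructed control-channel lines (documentation addresses, not real traffic).
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
SAMPLE = [
    "USER anonymous",
    "PORT 198,51,100,7,195,80",                        # 195*256 + 80 = 50000
    "227 Entering Passive Mode (192,0,2,10,156,64)",   # 156*256 + 64 = 40000
    "PORT 10,0,0,5,0,22",                              # names a third host
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{entry!r:52} -> {data_flow(entry, CLIENT, SERVER)}")
```

A static rule that matches only port 21 never sees these negotiated ports, which is why the login succeeds while GET and LIST fail.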
