Date: Sun, 30 Sep 2001 02:05:45 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Jim Freeze <jfreeze@freebsdportal.com>
Cc: Nathan Mace <nmace85@yahoo.com>, questions@FreeBSD.ORG
Subject: Re: How to get FTP working for 4.4R
Message-ID: <Pine.BSF.4.21.0109300155370.6237-100000@ren.sasknow.com>
In-Reply-To: <20010930012122.A1187@rabbit.lxintn1.ky.home.com>
Jim Freeze wrote to Nathan Mace and questions@FreeBSD.ORG:
> Thanks for the help.
> It turned out to be a firewall rule after all.
Aha... And you said it was open :-)
> I now have in my ruleset the following:
>
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> ${fwcmd} add pass log tcp from any to any 21 in via ${oif} setup
>
> These two lines come before the divert rule:
>
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
>
>
> FTP now works, but, I cannot get a directory listing.
> From the ftp> prompt, the dir command hangs indefinitely.
>
> pftp and ftp -p do the same thing.
>
> Does anyone know how to get dir to work, either with
> or without passive ftp?
The trouble is that you're trying to use passive mode (PASV) connections.
In this case, the client initiates another inbound connection to a random
port above 1023. There are a few ways you can deal with this, which have
their own pros and cons:
Do not allow PASV connections. Tell all your users to disable passive mode
in their clients. or...
Open all inbound ports above 1023. (Not the best security policy!) You can
still block some ports in this range, but then clients will experience
very frustrating random timeouts when they happen to hit one of those
ports. or...
Set up an FTP proxy. or...
Use ProFTPd and use the PassivePorts directive to specify an allowed range
of ports that it will send to the client in response to a PASV request.
(49152 - 65534 is the IANA-registered ephemeral port range). Then, just
open those ports up in your firewall. Much better than > 1023!
Hope this helps,
- Ryan
> Thanks
>
> Jim
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
--
Ryan Thompson <ryan@sasknow.com>
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
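The reply above recommends pinning the server's PassivePorts range and opening exactly that range in ipfw. The following is an added example (not code from the thread or from ProFTPd) that shows how to verify the two halves of that setup agree: it parses the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply an FTP server sends to a PASV request, recovers the data port as p1*256+p2, checks that the advertised port falls inside the range the firewall actually passes, and emits the ipfw rule in the same syntax as Jim's ruleset. The port ranges and the 227 replies are constructed sample values, and the ${fwcmd}/${oif} placeholders follow the page's own rc.firewall style.

```python
import re

# Constructed assumptions: the range a ProFTPd "PassivePorts" directive would
# hand out (the IANA ephemeral range quoted in the reply) and the range that
# the firewall passes inbound. In a correct setup the second covers the first.
PASSIVE_PORTS = (49152, 65534)
FIREWALL_ALLOWED = (49152, 65534)

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def pasv_port_allowed(reply, allowed=FIREWALL_ALLOWED):
    """True if the data port the server advertised is inside the range the
    firewall passes. A False here is exactly the 'dir hangs' symptom: the
    control connection works but the data connection is silently dropped."""
    _, port = parse_pasv(reply)
    lo, hi = allowed
    return lo <= port <= hi


def range_covered(inner, outer):
    """True if every port in `inner` (PassivePorts) lies in `outer` (firewall)."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def ipfw_passive_rule(allowed, oif="${oif}", fwcmd="${fwcmd}"):
    """Render the inbound rule for the passive range, in the same style as the
    rc.firewall lines quoted in the thread. Placeholders are assumptions."""
    lo, hi = allowed
    return "%s add pass tcp from any to any %d-%d in via %s setup" % (
        fwcmd, lo, hi, oif)


if __name__ == "__main__":
    # Constructed sample replies: one inside the opened range, one outside it.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,192,1)",   # port 49153
        "227 Entering Passive Mode (192,168,1,10,4,1)",     # port 1025
    ]
    for s in samples:
        ip, port = parse_pasv(s)
        print("%s:%d allowed=%s" % (ip, port, pasv_port_allowed(s)))
    print("PassivePorts covered by firewall:",
          range_covered(PASSIVE_PORTS, FIREWALL_ALLOWED))
    print(ipfw_passive_rule(FIREWALL_ALLOWED))
```

Run the script against replies captured with `ftp -d` (or a packet capture of the control channel) from your own server: any reply whose port falls outside the opened range explains a hanging `dir`, and `range_covered` returning False means the PassivePorts directive and the ipfw range were edited independently and drifted apart.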
