Date:      Sat, 12 May 2001 16:44:27 -0500
From:      Mike Meyer <mwm@mired.org>
To:        "Artem Koutchine" <matrix@ipform.ru>
Cc:        questions@freebsd.org
Subject:   Re: Allow rules for ipfw for active ftp
Message-ID:  <15101.44731.888159.404099@guru.mired.org>
In-Reply-To: <40407393@toto.iv>

Artem Koutchine <matrix@ipform.ru> types:
> I've read the man page and don't understand one thing: Is this a
> protocol spec or just ftpd feature? If it is just ftpd behavior that
> opening the port will not help to connect in active mode to Windoze
> boxes or other ftp daemons.

It's software-specific. Whether it's the client or the server you're
worried about depends on which direction you're going.  Ftp uses
two(*) connections. The first one is for commands, and is always from
the client to the server. The second is for data, and is from the
server to the client in active mode, and from the client to the server
in passive mode. Clients can connect to servers through a firewall
that allows arbitrary outbound connections in passive mode, which is
why it became popular in the first place. For active mode to work, the
firewall has to pass both the original client->server connection,
which is to port 21, as well as the server->client connection, which
depends on the server. The default for data is port 20, but I don't
know of any server that actually uses that.

If the server is behind your firewall, then you have to allow incoming
on port 21, and outgoing on the range used by clients for active, or
the incoming on the range used by your server for passive. If your
*client* is behind the firewall, you have to allow outgoing on 21, and
outgoing on your clients' ranges for passive, and incoming on servers'
ranges for active.

It's not at all uncommon for commercial firewalls to silently proxy
the ftp control channel to monitor it for port requests to add
dynamic rules. After all, all they have to do is recognize the two
commands - PORT and PASV - then blindly pass everything through. Of
course, a "please let me access a port" facility in your firewall
isn't generally considered a good thing, but....

	<mike

*) Actually, it's three - one data between the source and destination,
and a control to each of source and destination. But typical usage has
the source or destination and the client being the same, so that
control connection isn't opened.

> > I you need to open up ports 49152 - 65535.  You can read the ftpd man
> > page for more info.
> >
> > Artem Koutchine wrote:
> > >
> > > Hi!
> > >
> > > Is it possible to allow active (as opposite to passive)
> > > ftp connection using ipfw rules? I put my local network
> > > behind a restrictive firewall (everything is denied by
> > > default) and now I must form allow rules to allow
> > > ftp connections. For passive connection everything is
> > > ok (client connect to server on 21, servers tell where
> > > to connect for data, client connect to server on that
> > > port) but for active connections server must connect
> > > to client on the port that client told the server. I think
> > > I understood ftp protocol right. I cannot imagine
> > > ipfw rules to allow the second (active) case. Maybe
> > > someone has done it?
> > >
> > > Artem
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of the message
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

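As an added illustration (an editor's example, not part of Mike Meyer's mail and not ipfw's own code): the proxying trick described above, recognizing the client's PORT command and the server's 227 reply to PASV on the control channel, decoding the h1,h2,h3,h4,p1,p2 tuple both use, and working out which side opens the data connection and therefore which one-off allow rule a firewall would need. The sample exchange, the addresses 192.168.1.10 (client, inside) and 203.0.113.5 (server, outside) and the rule numbers are constructed; the script only returns ipfw rule text in the usual "allow tcp from A to B port setup" form and never runs ipfw. It also shows the two checks such a "please let me access a port" facility should make before opening anything: the advertised address must be the peer's own address, and the advertised port must not be a privileged one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample exchange (not a capture from a real session). Each entry
# is (who sent it, the control-channel line). Assumed addresses: the client
# sits behind the firewall, the server is on the outside.
CLIENT_IP = "192.168.1.10"
SERVER_IP = "203.0.113.5"
SAMPLE_CONTROL_LINES = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PORT 192,168,1,10,195,80"),
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,234,22)."),
]

# h1,h2,h3,h4,p1,p2 as carried by both PORT and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataChannel:
    mode: str            # "active" (server connects out) or "passive" (client connects)
    src: str             # address that will open the data connection
    dst_host: str        # address advertised in PORT / 227
    dst_port: int        # port advertised in PORT / 227
    expected_host: str   # the address the advertisement should name (the peer itself)


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple into (dotted quad, port); None if malformed."""
    m = HOSTPORT.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel(sender: str, line: str) -> Optional[DataChannel]:
    """The data connection implied by one control-channel line, if any."""
    if sender == "client" and line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        if hp is None:
            return None
        # Active mode: the server connects back to the address the client gave.
        return DataChannel("active", SERVER_IP, hp[0], hp[1], CLIENT_IP)
    if sender == "server" and line.startswith("227"):
        hp = parse_hostport(line)
        if hp is None:
            return None
        # Passive mode: the client connects out to the address the server gave.
        return DataChannel("passive", CLIENT_IP, hp[0], hp[1], SERVER_IP)
    return None


def sanity_check(chan: DataChannel) -> List[str]:
    """Checks a firewall should apply before opening a hole for the data channel."""
    problems = []
    if chan.dst_host != chan.expected_host:
        problems.append("advertised address is not the peer's own address")
    if chan.dst_port < 1024:
        problems.append("advertised port is in the privileged range")
    return problems


def ipfw_rule(chan: DataChannel, rule_number: int) -> str:
    """One-off ipfw allow rule for the data connection (text only, never applied)."""
    return (f"ipfw add {rule_number} allow tcp from {chan.src} "
            f"to {chan.dst_host} {chan.dst_port} setup")


def plan_rules(lines, first_rule: int = 1000):
    """Walk the control channel; return (rule text, problems) per data channel."""
    plans = []
    for sender, line in lines:
        chan = data_channel(sender, line)
        if chan is None:
            continue
        plans.append((ipfw_rule(chan, first_rule + len(plans)), sanity_check(chan)))
    return plans


if __name__ == "__main__":
    for rule, problems in plan_rules(SAMPLE_CONTROL_LINES):
        verdict = "  # REJECT: " + "; ".join(problems) if problems else ""
        print(rule + verdict)
```

Run it as a script to print the two rules the sample exchange would need (one for the active data connection from the server, one for the passive connection from the client). A PORT line naming a third host or a low port still parses, but comes back with its problems listed, which is the signal a proxying firewall would use to refuse rather than add the rule.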