Date: Wed, 22 Oct 2008 12:13:30 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Len Conrad <LConrad@Go2France.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: what else is needed to make ftp passive work
Message-ID: <20081022191330.GA66142@icarus.home.lan>
In-Reply-To: <200810222050687.SM01744@TX2.Go2France.com>
References: <200810222050687.SM01744@TX2.Go2France.com>
On Wed, Oct 22, 2008 at 01:58:31PM -0500, Len Conrad wrote:
> two machines on the same private network.
>
> ftp 10.0.0.24
> Connected to 10.0.0.24.
> 220 mx1.fairhope.net FTP server (Version 6.00LS) ready.
> Name (10.0.0.24:username):
> 331 Password required for username.
> Password:
> 230 User username logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 229 Entering Extended Passive Mode (|||64341|)
>
> at this point, there is a long delay that eventually completes:
>
> 200 EPRT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'
>
> ... and the rest of the ftp session runs fast.
>
> on the ftp server, if we "ipfw disable firewall", the ftp session runs
> without delay.
>
> in hosts file, both machines have both of their records, so we don't
> think the delay is a query for PTR of either IP.
>
> our ipfw.rules:
>
> # stateful
> $IPF 50 check-state
> $IPF 60 allow tcp from any to any established
> $IPF 70 allow all from any to any out keep-state
> $IPF 80 allow icmp from any to any
>
> # open well-known ports
>
> # FTP
> $IPF 120 allow tcp from any to any 20 in
> $IPF 121 allow tcp from any to any 20 out
> $IPF 122 allow tcp from any to any 21 in
> $IPF 123 allow tcp from any to any 21 out
>
> In inetd.conf, we've added "-l -l -d" but don't get any ftpd debug info
> written to /var/log/messages or /var/log/xferlog or dmesg system buffer.
>
> So what else is needed in our ipfw.rules for the ftpd params to get the
> switch to Extended Passive Mode to run quickly?

You're not understanding the FTP protocol properly, specifically the
difference between Passive and Active mode. This is why you're having
issues.

You need to punch firewall holes to your FTP server on the following
ports:

Inbound: TCP port 21 (main ftpd daemon)
Inbound: TCP ports 49152 to 65535 (used in FTP passive mode)
Outbound: TCP port 20 (used in FTP active mode)

Yes, you read that range correctly. And yes, it's quite large.

Yes, there is a way to diminish it, but it will affect other programs on
FreeBSD, so I do not recommend adjusting it. It's controlled by sysctls.
See the -U option of ftpd, but note that it doesn't do anything for
FreeBSD 5.0 or later.

I highly recommend you stick the FTP server on its own IP address (e.g.
bind the FTP server to its own IP using IP aliases), and then apply
those rules to a specific IP address, e.g.:

ipfw add 120 allow tcp from any to ftp.server.ip 21 in
ipfw add 121 allow tcp from any to ftp.server.ip 49152-65536 in
ipfw add 122 allow tcp from ftp.server.ip 20 to any out

Finally, I recommend if this machine is RELENG_6 or later, that you look
into using pf(4) instead. You'll thank me later. :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
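The following is an added example, not part of the thread above and not code from either poster. It decodes the FTP control-channel lines that negotiate a data connection (EPSV/PASV replies from the server, EPRT/PORT commands from the client) into the TCP connection each one implies from the server firewall's point of view, then checks that connection against a simplified model of the two ipfw rule sets in the thread. The rule model is a first-match allow list with default deny, which is how the poster's rules behave once rule 70 (allow all outbound) is included. Assumptions not stated on the page: the passive range is modelled as 49152-65535 (65535 being the largest valid TCP port), the client's EPRT command and its address/port are constructed since the page only shows the server's "200 EPRT command successful" reply, and rule 60 ("established") is left out because only the data connection's initial SYN matters here.

```python
import re

# FreeBSD's default high ephemeral range, which ftpd draws passive data ports
# from. Taken from the thread's 49152-65535 figure; not verified here.
PASSIVE_PORT_RANGE = (49152, 65535)

EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def data_connection(line):
    """Map one control-channel line to the data connection it implies, seen
    from the server's firewall: (direction, src_port, dst_port).
    src_port None means the client's unknown ephemeral port. Returns None
    for lines that do not negotiate a data channel."""
    m = EPSV_RE.match(line)
    if m:  # passive: the client connects IN to the server's advertised port
        return ("in", None, int(m.group(1)))
    m = PASV_RE.match(line)
    if m:  # classic PASV reply: port is p1*256 + p2
        return ("in", None, int(m.group(5)) * 256 + int(m.group(6)))
    m = EPRT_RE.match(line)
    if m:  # active: the server connects OUT from port 20 to the client's port
        return ("out", 20, int(m.group(2)))
    m = PORT_RE.match(line)
    if m:
        return ("out", 20, int(m.group(5)) * 256 + int(m.group(6)))
    return None


def rule(direction, src=None, dst=None):
    """Simplified 'allow tcp from any <src> to any <dst> <direction>' rule.
    src/dst are (lo, hi) port ranges, or None for any port."""
    return (direction, src, dst)


def _in_range(port, rng):
    # A rule with no port constraint matches anything; a constrained rule
    # cannot be confirmed to match an unknown (None) port.
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def allowed(conn, rules):
    """Allow list with default deny: the connection's SYN passes only if some
    rule matches its direction, source port and destination port."""
    direction, src_port, dst_port = conn
    return any(d == direction and _in_range(src_port, s) and _in_range(dst_port, t)
               for d, s, t in rules)


# The original poster's rules (rule 70 allows all outbound traffic).
LEN_RULES = [
    rule("out"),                  # 70  allow all from any to any out keep-state
    rule("in", dst=(20, 20)),     # 120 allow tcp from any to any 20 in
    rule("out", dst=(20, 20)),    # 121 allow tcp from any to any 20 out
    rule("in", dst=(21, 21)),     # 122 allow tcp from any to any 21 in
    rule("out", dst=(21, 21)),    # 123 allow tcp from any to any 21 out
]

# The reply's suggested rules for the FTP server's own address.
JEREMY_RULES = [
    rule("in", dst=(21, 21)),             # control channel
    rule("in", dst=PASSIVE_PORT_RANGE),   # passive-mode data connections
    rule("out", src=(20, 20)),            # active-mode data connections
]

# Constructed sample of the exchange in the thread. The EPRT command itself is
# not shown on the page, so its address and port are invented.
SESSION = [
    "229 Entering Extended Passive Mode (|||64341|)",
    "EPRT |1|10.0.0.25|50123|",
]


def check_session(lines, rules):
    """Return {line: allowed?} for every data-channel negotiation in lines."""
    verdicts = {}
    for line in lines:
        conn = data_connection(line)
        if conn is not None:
            verdicts[line] = allowed(conn, rules)
    return verdicts


if __name__ == "__main__":
    for name, rules in (("poster's rules", LEN_RULES), ("suggested rules", JEREMY_RULES)):
        for line, ok in check_session(SESSION, rules).items():
            print(f"{name:16s} {'allow' if ok else 'DENY '}  {line}")
```

Run against the poster's rule set, the EPSV connection to port 64341 is denied (no inbound rule covers it) while the later EPRT transfer is allowed by the catch-all outbound rule, which matches the symptom in the thread: the client's passive attempt times out and it falls back to active mode. With the suggested rule set both connections are allowed.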