Date: Thu, 23 Nov 2000 23:19:04 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: freebsd-isp@freebsd.org
Subject: proftpd passive weirdness through firewall
Message-ID: <Pine.BSF.4.21.0011232255090.32998-100000@ren.sasknow.com>
Hi all...

As many admins are aware, configuring an FTP server through a firewall can be a major pain. It is a pain I thought I had mastered, though :-)

My firewall is set up such that I have everything inbound blocked but basic connectivity, and the protocols I wish to enable, including FTP. Outgoing connections are allowed to any network on (almost) any port, as this is not a user machine.

Now, a few customers have been complaining that passive mode transfers (and directory listings) do not work, which has enticed me to look into the problem a bit further. We moved to proftpd from wuftpd a while back, and the problem seemed to start around that time. It appears as though, when initiating a transfer, very low port numbers are chosen:

Script started on Thu Nov 23 22:55:46 2000
Connected to ftp.sasknow.com.
220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com]
Name (ftp.sasknow.com:ryan): ryan
331 Password required for ryan.
Password:
230 User ryan logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 EPSV not understood.
227 Entering Passive Mode (207,195,92,131,15,135).
^C
receive aborted.
Waiting for remote to finish abort.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
< normal ls output >
226 Transfer complete.
ftp> quit
221 Goodbye.
Script done on Thu Nov 23 22:56:15 2000

The following are a few snippets of my firewall configuration (not the whole thing, obviously):

# Basic connectivity rules ====================================================

# Allow established connections
$fwcmd add 600 pass tcp from any to any established

# Allow outgoing connections originating from our subnet only
$fwcmd add 700 pass tcp from ${sasknow} to any setup

# Explicitly block ICMP redirects
# $fwcmd add 1000 deny icmp from any to any icmptype 5

# Allow all other ICMP
$fwcmd add 1100 pass icmp from any to any

# Open default traceroute port on udp only.
# The default port range starts at 33434
$fwcmd add 1200 pass udp from any to any 33434-33500

# Individual protocol access ==================================================

# Completely open up standard FTP
$fwcmd add 9900 pass tcp from any 20 to any
$fwcmd add 9901 pass udp from any 20 to any
$fwcmd add 9950 pass tcp from any to ${ftp} 21 setup

# More inbound protocols allowed....

# Everything else is denied by default!

So, anything with a source port of 20 is let through, and control connections can be established on port 21. Standard FTP, therefore, works fine. Many clients nowadays have passive mode on by default, though (or are behind firewalls themselves), and it's passive mode that causes grief!

Since all outbound connections are explicitly allowed by rule 0700, why isn't passive mode functional? From my testing, this problem spans more than a dozen different clients on several different networks (many of which are not restricted by a firewall themselves). Disabling the firewall rules, here, of course allows passive mode to work perfectly from anywhere.

I've tried playing with the "passive ports" directive in /usr/local/etc/ftpaccess, and explicitly opening up those ports for inbound access, but to no avail. It seems a little strange to have to do this, anyway.

Thanks for any suggestions!
- Ryan

--
Ryan Thompson <ryan@sasknow.com>
Network Administrator, Accounts        Phone: +1 (306) 664-1161
SaskNow Technologies                   http://www.sasknow.com
#106-380 3120 8th St E                 Saskatoon, SK  S7H 0W2

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
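The following is an added example and not part of the message above, nor code from proftpd or ipfw. It models the quoted rule set with ipfw's first-match semantics and asks which rule, if any, handles the client's connection-opening SYN to the host and port announced in a 227 reply (the port is p1*256 + p2, as RFC 959 defines it). The values standing in for ${sasknow} and ${ftp}, the client endpoint 198.51.100.7:40000, and the passive range 49152-65534 used by the hypothetical rule 9960 are all assumptions; the quoted session's reply decodes to port 3975 and is walked through the rules as written in the message.

```python
"""Added example: model the quoted ipfw rules (first match wins) and ask which
rule handles the client's SYN to the port announced in a PASV reply.
Addresses, the client endpoint and the passive range are constructed values."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stand-ins for ${sasknow} and ${ftp} in the quoted script (assumptions).
SASKNOW_NET = "207.195.92."   # source prefix that "from ${sasknow}" is taken to cover
FTP_HOST = "207.195.92.131"   # ${ftp}: the address the 227 reply announces

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (host, port); port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True for the connection-opening SYN (ipfw "setup"), else False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "pass" or "deny"
    proto: str                         # "tcp", "udp" or "icmp"
    src_net: Optional[str] = None      # address prefix; None = "any"
    sports: Optional[Tuple[int, int]] = None
    dst_host: Optional[str] = None     # exact host; None = "any"
    dports: Optional[Tuple[int, int]] = None
    setup: bool = False                # ipfw "setup": only the initial SYN
    established: bool = False          # ipfw "established": anything but that SYN

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src_net is not None and not p.src.startswith(self.src_net):
            return False
        if self.sports is not None and not self.sports[0] <= p.sport <= self.sports[1]:
            return False
        if self.dst_host is not None and p.dst != self.dst_host:
            return False
        if self.dports is not None and not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.setup and not p.syn_only:
            return False
        if self.established and p.syn_only:
            return False
        return True


def verdict(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """ipfw semantics: the lowest-numbered matching rule decides; 65535 is the default deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


# The rules quoted in the message, numbers and actions as written there
# (the commented-out rule 1000 is left out, as it is in the script).
QUOTED_RULES = [
    Rule(600, "pass", "tcp", established=True),
    Rule(700, "pass", "tcp", src_net=SASKNOW_NET, setup=True),
    Rule(1100, "pass", "icmp"),
    Rule(1200, "pass", "udp", dports=(33434, 33500)),
    Rule(9900, "pass", "tcp", sports=(20, 20)),
    Rule(9901, "pass", "udp", sports=(20, 20)),
    Rule(9950, "pass", "tcp", dst_host=FTP_HOST, dports=(21, 21), setup=True),
]

# Hypothetical addition: pin the server's passive ports to one range and admit
# inbound SYNs only to that range on the FTP host.  The range is an assumption.
PASSIVE_RANGE = (49152, 65534)
PINNED_RULES = QUOTED_RULES + [
    Rule(9960, "pass", "tcp", dst_host=FTP_HOST, dports=PASSIVE_RANGE, setup=True),
]


def passive_data_verdict(rules: List[Rule], reply: str,
                         client: str = "198.51.100.7", client_port: int = 40000):
    """(announced port, (rule number, action)) for the client's SYN to the PASV data port.
    The client endpoint is a constructed address outside ${sasknow}."""
    host, port = parse_pasv(reply)
    syn = Packet("tcp", client, client_port, host, port, syn_only=True)
    return port, verdict(rules, syn)


if __name__ == "__main__":
    session_reply = "227 Entering Passive Mode (207,195,92,131,15,135)."  # from the session
    print(passive_data_verdict(QUOTED_RULES, session_reply))               # (3975, (65535, 'deny'))
    print(passive_data_verdict(PINNED_RULES, "227 Entering Passive Mode (207,195,92,131,200,0)."))
```

Run as-is, the first line shows that no quoted rule matches an external client's SYN to port 3975 (rule 600 wants an established flow, 700 wants a source inside ${sasknow}, 9900 wants source port 20, 9950 wants destination port 21), so the default deny takes it. The second line shows a reply inside the pinned range being admitted by the hypothetical rule 9960, while a reply outside that range is still refused, which is the check worth running before opening any inbound range on the FTP host.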