Date: Fri, 24 Nov 2000 00:24:39 -0500 From: "Simon" <simon@optinet.com> To: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "Ryan Thompson" <ryan@sasknow.com> Subject: Re: proftpd passive weirdness through firewall Message-ID: <20001124052030.8DFAC37B479@hub.freebsd.org> In-Reply-To: <Pine.BSF.4.21.0011232255090.32998-100000@ren.sasknow.com>
next in thread | previous in thread | raw e-mail | index | archive | help
That's a problem with proftpd. You should upgrade to latest release. -Simon On Thu, 23 Nov 2000 23:19:04 -0600 (CST), Ryan Thompson wrote: > >Hi all... > >As many admins are aware, configuring an FTP server through a firewall can >be a major pain. It is a pain I thought I had mastered, though :-) My >firewall setup such that I have everything inbound blocked but basic >connectivity, and the protocols I wish to enable, including FTP. >Outgoing connections are allowed to any network on (almost) any port, as >this is not a user machine. > >Now, a few customers have been complaining that passive mode transfers >(and directory listings) do not work, which has enticed me to look into >the problem a bit further. We moved to proftpd from wuftpd a while back, >and the problem seemed to start around that time. > >It appears as though, when initiating a transfer, very low port numbers >are chosen: > >Script started on Thu Nov 23 22:55:46 2000 >Connected to ftp.sasknow.com. >220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com] >Name (ftp.sasknow.com:ryan): ryan >331 Password required for ryan. >Password: >230 User ryan logged in. >Remote system type is UNIX. >Using binary mode to transfer files. >ftp> ls >500 EPSV not understood. >227 Entering Passive Mode (207,195,92,131,15,135). >^C >receive aborted. Waiting for remote to finish abort. >ftp> passive >Passive mode: off; fallback to active mode: off. >ftp> ls >200 PORT command successful. >150 Opening ASCII mode data connection for file list. > >< normal ls output > > >226 Transfer complete. >ftp> quit >221 Goodbye. > >Script done on Thu Nov 23 22:56:15 2000 > > >The following is a few snippets of my firewall configuration (not the >whole thing, obviously): > > ># Basic connectivity rules ==================================================== > ># Allow established connections >$fwcmd add 600 pass tcp from any to any established > ># Allow outgoing connections originating from our subnet only >$fwcmd add 700 pass tcp from ${sasknow} to any setup > ># Explicitly block ICMP redirects ># $fwcmd add 1000 deny icmp from any to any icmptype 5 > ># Allow all other ICMP >$fwcmd add 1100 pass icmp from any to any > ># Open default traceroute port on udp only. ># The default port range starts at 33434 >$fwcmd add 1200 pass udp from any to any 33434-33500 > ># Individual protocol access ================================================== > ># Completely open up standard FTP >$fwcmd add 9900 pass tcp from any 20 to any >$fwcmd add 9901 pass udp from any 20 to any >$fwcmd add 9950 pass tcp from any to ${ftp} 21 setup > > ># More inbound protocols allowed.... > > ># Everything else is denied by default! > >So, anything with a source port of 20 is let through, and control >connections can be established on port 21. Standard FTP, therefore, works >fine. Many clients nowadays have passive mode on by default, though (or >are behind firewalls themselves), and it's passive mode that causes grief! >Since all outbound connections are explicitly allowed by rule 0700, why >isn't passive mode functional? From my testing, this problem spans more >than a dozen different clients on several different networks (many of >which are not restricted by a firewall themselves). Disabling the >firewall rules, here, of course allows passive mode to work perfectly from >anywhere. > >I've tried playing with the "passive ports" directive in >/usr/local/etc/ftpaccess, and explicitly opening up those ports for >inbound access, but to no avail. It seems a little strange to have to do >this, anyway. > >Thanks for any suggestions! > >- Ryan > >-- > Ryan Thompson <ryan@sasknow.com> > Network Administrator, Accounts > Phone: +1 (306) 664-1161 > > SaskNow Technologies http://www.sasknow.com > #106-380 3120 8th St E Saskatoon, SK S7H 0W2 > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-isp" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001124052030.8DFAC37B479>