Date:      Fri, 24 Nov 2000 00:24:39 -0500
From:      "Simon" <simon@optinet.com>
To:        "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "Ryan Thompson" <ryan@sasknow.com>
Subject:   Re: proftpd passive weirdness through firewall
Message-ID:  <20001124052030.8DFAC37B479@hub.freebsd.org>
In-Reply-To: <Pine.BSF.4.21.0011232255090.32998-100000@ren.sasknow.com>

That's a problem with proftpd. You should upgrade to the latest release.

-Simon

On Thu, 23 Nov 2000 23:19:04 -0600 (CST), Ryan Thompson wrote:

>
>Hi all...
>
>As many admins are aware, configuring an FTP server through a firewall can
>be a major pain.  It is a pain I thought I had mastered, though :-)  My
>firewall is set up such that I have everything inbound blocked but basic
>connectivity, and the protocols I wish to enable, including FTP.  
>Outgoing connections are allowed to any network on (almost) any port, as
>this is not a user machine.
>
>Now, a few customers have been complaining that passive mode transfers
>(and directory listings) do not work, which has enticed me to look into
>the problem a bit further.  We moved to proftpd from wuftpd a while back,
>and the problem seemed to start around that time.
>
>It appears as though, when initiating a transfer, very low port numbers
>are chosen:
>
>Script started on Thu Nov 23 22:55:46 2000
>Connected to ftp.sasknow.com.
>220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com]
>Name (ftp.sasknow.com:ryan): ryan
>331 Password required for ryan.
>Password:
>230 User ryan logged in.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> ls
>500 EPSV not understood.
>227 Entering Passive Mode (207,195,92,131,15,135).
>^C
>receive aborted. Waiting for remote to finish abort.
>ftp> passive
>Passive mode: off; fallback to active mode: off.
>ftp> ls
>200 PORT command successful.
>150 Opening ASCII mode data connection for file list.
>
>< normal ls output >
>
>226 Transfer complete.
>ftp> quit
>221 Goodbye.
>
>Script done on Thu Nov 23 22:56:15 2000
>
>
>The following is a few snippets of my firewall configuration (not the
>whole thing, obviously):
>
>
># Basic connectivity rules ====================================================
>
># Allow established connections
>$fwcmd add 600 pass tcp from any to any established
>
># Allow outgoing connections originating from our subnet only
>$fwcmd add 700 pass tcp from ${sasknow} to any setup
>
># Explicitly block ICMP redirects
># $fwcmd add 1000 deny icmp from any to any icmptype 5
>
># Allow all other ICMP
>$fwcmd add 1100 pass icmp from any to any
>
># Open default traceroute port on udp only.
># The default port range starts at 33434
>$fwcmd add 1200 pass udp from any to any 33434-33500
>
># Individual protocol access ==================================================
>
># Completely open up standard FTP
>$fwcmd add 9900 pass tcp from any 20 to any
>$fwcmd add 9901 pass udp from any 20 to any
>$fwcmd add 9950 pass tcp from any to ${ftp} 21 setup
>
>
># More inbound protocols allowed....
>
>
># Everything else is denied by default!
>
>So, anything with a source port of 20 is let through, and control
>connections can be established on port 21.  Standard FTP, therefore, works
>fine.  Many clients nowadays have passive mode on by default, though (or
>are behind firewalls themselves), and it's passive mode that causes grief!  
>Since all outbound connections are explicitly allowed by rule 0700, why
>isn't passive mode functional?  From my testing, this problem spans more
>than a dozen different clients on several different networks (many of
>which are not restricted by a firewall themselves).  Disabling the
>firewall rules, here, of course allows passive mode to work perfectly from
>anywhere.
>
>I've tried playing with the "passive ports" directive in
>/usr/local/etc/ftpaccess, and explicitly opening up those ports for
>inbound access, but to no avail.  It seems a little strange to have to do
>this, anyway.
>
>Thanks for any suggestions!
>
>- Ryan
>
>-- 
>  Ryan Thompson <ryan@sasknow.com>
>  Network Administrator, Accounts
>  Phone: +1 (306) 664-1161
>
>  SaskNow Technologies     http://www.sasknow.com
>  #106-380 3120 8th St E   Saskatoon, SK  S7H 0W2
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message
>

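The exchange quoted above can be walked through mechanically. The following is an added illustration, not code from the thread, ProFTPD or ipfw: it models only the handful of ipfw rules Ryan quoted (600, 700, 9900, 9950 and the default deny), decodes the `227 Entering Passive Mode` reply into the data port the server is asking the client to connect to, and evaluates the first packet of each data connection against those rules. The subnet standing in for `${sasknow}`, the server address standing in for `${ftp}`, the client address, the client-side ephemeral ports and the `PassivePorts` range are constructed assumptions; the second PASV reply is constructed to fall inside that range.

```python
"""Model of the ipfw rule fragment quoted in the thread.

Added illustration, not ProFTPD or ipfw code.  It implements only the
subset of ipfw matching the quoted rules need: first matching rule wins,
'established' needs ACK, 'setup' needs SYN without ACK, default deny.
"""

import ipaddress
import re

# Constructed assumptions standing in for ${sasknow} and ${ftp}.
SASKNOW = ipaddress.ip_network("207.195.92.0/24")
FTP_SERVER = ipaddress.ip_address("207.195.92.131")
PASSIVE_RANGE = (49152, 65534)      # hypothetical PassivePorts range
CLIENT = "198.51.100.7"             # constructed remote FTP client


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


# Match helpers for the rule table below.
def any_(_):
    return True

def in_subnet(addr):
    return ipaddress.ip_address(addr) in SASKNOW

def is_ftp(addr):
    return ipaddress.ip_address(addr) == FTP_SERVER

def port(n):
    return lambda p: p == n

def port_range(lo, hi):
    return lambda p: lo <= p <= hi


# (number, action, src, dst, sport, dport, flag) -- flag is None,
# "established" (ACK set) or "setup" (SYN without ACK), as in ipfw.
RULES = [
    (600, "pass", any_, any_, any_, any_, "established"),
    (700, "pass", in_subnet, any_, any_, any_, "setup"),
    (9900, "pass", any_, any_, port(20), any_, None),
    (9950, "pass", any_, is_ftp, any_, port(21), "setup"),
]

# Same rule set plus one rule admitting SYNs to the (assumed) passive range.
RULES_WITH_PASV = RULES + [
    (9960, "pass", any_, is_ftp, any_, port_range(*PASSIVE_RANGE), "setup"),
]


def evaluate(rules, pkt):
    """Return (rule_number, action) for pkt; 65535/deny is the ipfw default."""
    for num, action, sm, dm, spm, dpm, flag in sorted(rules, key=lambda r: r[0]):
        if not (sm(pkt["src"]) and dm(pkt["dst"])
                and spm(pkt["sport"]) and dpm(pkt["dport"])):
            continue
        if flag == "established" and not pkt["ack"]:
            continue
        if flag == "setup" and not (pkt["syn"] and not pkt["ack"]):
            continue
        return num, action
    return 65535, "deny"


def syn(src, dst, dport, sport=40000):
    """First packet of a TCP connection (SYN, no ACK)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "syn": True, "ack": False}


def passive_data_verdict(pasv_reply, client=CLIENT, rules=RULES):
    """Passive mode: the client opens the data connection to the advertised port."""
    host, data_port = parse_pasv(pasv_reply)
    return evaluate(rules, syn(client, host, data_port))


def active_data_verdict(client=CLIENT, rules=RULES):
    """Active mode: the server connects from port 20 to the client's PORT address."""
    return evaluate(rules, syn(str(FTP_SERVER), client, 50001, sport=20))


def source_port_20_verdict(client=CLIENT, dport=22, rules=RULES):
    """Any host choosing source port 20 is admitted to any port by rule 9900."""
    return evaluate(rules, syn(client, str(FTP_SERVER), dport, sport=20))


if __name__ == "__main__":
    thread_reply = "227 Entering Passive Mode (207,195,92,131,15,135)."   # from the thread
    in_range_reply = "227 Entering Passive Mode (207,195,92,131,200,10)."  # constructed
    print("PASV port from thread:", parse_pasv(thread_reply)[1])
    print("passive, quoted rules:", passive_data_verdict(thread_reply))
    print("active, quoted rules: ", active_data_verdict())
    print("passive in range, +9960:", passive_data_verdict(in_range_reply, rules=RULES_WITH_PASV))
    print("client SYN from sport 20 to 22:", source_port_20_verdict())
```

Run stand-alone, the model shows why the two modes behave differently under the quoted rules: the active-mode data connection is a SYN leaving the server's own subnet, so rule 700 admits it, whereas the passive-mode data connection is an inbound SYN from the client to port 3975 that matches none of 600, 700, 9900 or 9950 and falls to the default deny. Adding a `setup` rule for the passive range only helps when the server actually advertises ports inside that range; the port 3975 seen in the thread would still be denied. The last function is the caveat a practitioner should take from rule 9900: admitting every packet with source port 20 lets any remote host reach any TCP port on any machine behind the firewall simply by binding its socket to port 20, so that rule should be narrowed (source `${ftp}`, `setup` only, or stateful rules) rather than kept as-is.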
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001124052030.8DFAC37B479>