From owner-freebsd-isp Thu Nov 23 21:20:34 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from anaconda.acceleratedweb.net (anaconda.acceleratedweb.net [209.51.164.130]) by hub.freebsd.org (Postfix) with SMTP id 8DFAC37B479 for ; Thu, 23 Nov 2000 21:20:30 -0800 (PST)
Received: (qmail 22441 invoked by uid 106); 24 Nov 2000 05:24:07 -0000
Received: from adsl-151-202-94-118.nyc.adsl.bellatlantic.net (HELO sharky) (151.202.94.118) by anaconda.acceleratedweb.net with SMTP; 24 Nov 2000 05:24:07 -0000
From: "Simon"
To: "freebsd-isp@freebsd.org", "Ryan Thompson"
Date: Fri, 24 Nov 2000 00:24:39 -0500
Reply-To: "Simon"
X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 2000 (5.0.2195)
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: proftpd passive weirdness through firewall
Message-Id: <20001124052030.8DFAC37B479@hub.freebsd.org>
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's a problem with proftpd. You should upgrade to the latest release.

-Simon

On Thu, 23 Nov 2000 23:19:04 -0600 (CST), Ryan Thompson wrote:

>
> Hi all...
>
> As many admins are aware, configuring an FTP server through a firewall can
> be a major pain. It is a pain I thought I had mastered, though :-) My
> firewall is set up such that I have everything inbound blocked but basic
> connectivity, and the protocols I wish to enable, including FTP.
> Outgoing connections are allowed to any network on (almost) any port, as
> this is not a user machine.
>
> Now, a few customers have been complaining that passive mode transfers
> (and directory listings) do not work, which has enticed me to look into
> the problem a bit further. We moved to proftpd from wuftpd a while back,
> and the problem seemed to start around that time.
>
> It appears as though, when initiating a transfer, very low port numbers
> are chosen:
>
> Script started on Thu Nov 23 22:55:46 2000
> Connected to ftp.sasknow.com.
> 220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com]
> Name (ftp.sasknow.com:ryan): ryan
> 331 Password required for ryan.
> Password:
> 230 User ryan logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 500 EPSV not understood.
> 227 Entering Passive Mode (207,195,92,131,15,135).
> ^C
> receive aborted. Waiting for remote to finish abort.
> ftp> passive
> Passive mode: off; fallback to active mode: off.
> ftp> ls
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for file list.
>
> < normal ls output >
>
> 226 Transfer complete.
> ftp> quit
> 221 Goodbye.
>
> Script done on Thu Nov 23 22:56:15 2000
>
>
> The following is a few snippets of my firewall configuration (not the
> whole thing, obviously):
>
>
> # Basic connectivity rules ====================================================
>
> # Allow established connections
> $fwcmd add 600 pass tcp from any to any established
>
> # Allow outgoing connections originating from our subnet only
> $fwcmd add 700 pass tcp from ${sasknow} to any setup
>
> # Explicitly block ICMP redirects
> # $fwcmd add 1000 deny icmp from any to any icmptype 5
>
> # Allow all other ICMP
> $fwcmd add 1100 pass icmp from any to any
>
> # Open default traceroute port on udp only.
> # The default port range starts at 33434
> $fwcmd add 1200 pass udp from any to any 33434-33500
>
> # Individual protocol access ==================================================
>
> # Completely open up standard FTP
> $fwcmd add 9900 pass tcp from any 20 to any
> $fwcmd add 9901 pass udp from any 20 to any
> $fwcmd add 9950 pass tcp from any to ${ftp} 21 setup
>
>
> # More inbound protocols allowed....
>
>
> # Everything else is denied by default!
>
> So, anything with a source port of 20 is let through, and control
> connections can be established on port 21. Standard FTP, therefore, works
> fine. Many clients nowadays have passive mode on by default, though (or
> are behind firewalls themselves), and it's passive mode that causes grief!
> Since all outbound connections are explicitly allowed by rule 0700, why
> isn't passive mode functional? From my testing, this problem spans more
> than a dozen different clients on several different networks (many of
> which are not restricted by a firewall themselves). Disabling the
> firewall rules, here, of course allows passive mode to work perfectly from
> anywhere.
>
> I've tried playing with the "passive ports" directive in
> /usr/local/etc/ftpaccess, and explicitly opening up those ports for
> inbound access, but to no avail. It seems a little strange to have to do
> this, anyway.
>
> Thanks for any suggestions!
>
> - Ryan
>
> --
>   Ryan Thompson
>   Network Administrator, Accounts
>   Phone: +1 (306) 664-1161
>
>   SaskNow Technologies     http://www.sasknow.com
>   #106-380 3120 8th St E   Saskatoon, SK  S7H 0W2
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
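An added example, not part of Simon's or Ryan's mail: a small Python model of the ipfw rules Ryan quoted, used to show why the client's inbound SYN to the address and port announced in the 227 reply falls through to the default deny, why the active-mode connection from port 20 passes, and how pinning the server to a PassivePorts range plus a matching inbound rule changes the verdict. The values of ${sasknow} and ${ftp}, the client addresses and the passive range are assumptions; the server address and port 15*256+135 come from the quoted 227 reply.

```python
import ipaddress
import re

# Constructed model of the quoted ipfw rules. ${sasknow} and ${ftp} are
# assumed values; FTP matches the address in the 227 reply from the post.
SASKNOW = "207.195.92.0/24"
FTP = "207.195.92.131"
DENY_ALL = (65535, "deny", "any", "any", None, "any", None, None)

# (number, action, proto, src, sport, dst, dport, tcp_flag); first match wins.
# tcp_flag is simplified to "setup" (SYN only) or "established" (ACK/RST set).
RULES = [
    (600,  "pass", "tcp", "any",   None, "any", None, "established"),
    (700,  "pass", "tcp", SASKNOW, None, "any", None, "setup"),
    (9900, "pass", "tcp", "any",   20,   "any", None, None),
    (9950, "pass", "tcp", "any",   None, FTP,   21,   "setup"),
    DENY_ALL,
]

def _host(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _port(port, spec):
    if spec is None:
        return True
    lo, hi = spec if isinstance(spec, tuple) else (spec, spec)
    return lo <= port <= hi

def ipfw(pkt, rules=RULES):
    """Return (rule number, action) of the first rule matching the packet."""
    for num, action, proto, src, sport, dst, dport, flag in rules:
        if (proto in ("any", pkt["proto"]) and _host(pkt["src"], src)
                and _host(pkt["dst"], dst) and _port(pkt["sport"], sport)
                and _port(pkt["dport"], dport) and flag in (None, pkt["flag"])):
            return num, action
    return DENY_ALL[:2]  # unreachable while DENY_ALL terminates the list

def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' to (host, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connection_verdict(reply, client_ip, rules=RULES):
    """Verdict on the client's SYN to the data port the server announced."""
    host, port = parse_pasv(reply)
    syn = dict(proto="tcp", src=client_ip, sport=40000, dst=host, dport=port, flag="setup")
    return ipfw(syn, rules)

# Fix: pin the server to a PassivePorts range (assumed) and open only that range
# for inbound setup; ports outside the range, like 3975 above, stay denied.
PASSIVE_RANGE = (49152, 65534)
FIXED_RULES = RULES[:-1] + [(9960, "pass", "tcp", "any", None, FTP, PASSIVE_RANGE, "setup"), DENY_ALL]
POST_REPLY = "227 Entering Passive Mode (207,195,92,131,15,135)."  # from the post
```

A client inside ${sasknow} is let through by rule 700, which is why the problem only shows up from other networks.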