For ftp to work, you must open both 20 and 21. 20 doesn't start listening until you initiate a data transfer. Try it, it will work.

> -----Original Message-----
> From: Joshua b. Jore [mailto:josh at greentechnologist.org]
> Sent: Thursday, September 06, 2001 5:58 PM
> To: 'tclug-list at mn-linux.org'
> Subject: RE: [TCLUG] firewall friendly ftp?
>
> Yes, it's BSD. I still hang out here because I figure that even if I run BSD at home, I'm still too fond of Linux (tho the zealotry is a bit much sometimes) to leave. And this problem should be OS-agnostic anyway.
>
> I'm not sure about the client but I'm pretty sure port 20 isn't used by the server. [1] I've never seen the server start listening here and the source doesn't indicate that it should. In general, if a server is to accommodate active and passive clients then it must be able to accept connections on any of a set of ports. In my case it's restricted to 49152-49172. I'm just trying to go to the next step where the ports are closed by default and the server can kick off an external command to open a given port for an ip for a limited time. It *seems* pretty simple and I just don't understand why I haven't run across it elsewhere.
>
> Joshua Jore
> Minneapolis Ward 3, precinct 10
> "The irony of this man being imprisoned in the United States and longing to return to once-Communist Russia so he can regain his right to free speech is simply staggering." - someone else
>
> [1] The protocol specifies that control occurs on port 21 and that via PORT, LPRT, EPRT, PASV, LPSV, EPSV each machine may request a data connection. The PORT series is a message to the other machine telling it to connect to a given IP+port. This is also called 'active' mode. Conversely, PASV asks the other side to supply an IP+port which is then connected to. There isn't anything going on here that says that port 20 is what will be passed in PORT or returned from PASV.
>
> On Thu, 6 Sep 2001, Austad, Jay wrote:
>
> > So it's solaris or BSD?
> >
> > In any case, I just opened ports 20 and 21 on my firewall to my ftp server, and I can ftp into it just fine from the outside. You opened both of those ports, right?
> >
> > > -----Original Message-----
> > > From: Joshua b. Jore [mailto:josh at greentechnologist.org]
> > > Sent: Thursday, September 06, 2001 4:17 PM
> > > To: 'tclug-list at mn-linux.org'
> > > Subject: RE: [TCLUG] firewall friendly ftp?
> > >
> > > Well... it's ipf on the same box as the ftp server. I think I can patch my existing ftp server so it makes external calls to open the right port to the right IP but I figured it'd be easier to just use something that already does that.
> > >
> > > Joshua Jore
> > > Minneapolis Ward 3, precinct 10
> > > "The irony of this man being imprisoned in the United States and longing to return to once-Communist Russia so he can regain his right to free speech is simply staggering." - someone else
> > >
> > > On Thu, 6 Sep 2001, Austad, Jay wrote:
> > >
> > > > What type of firewall are you using? Linux box, PIX, Firewall-1, Netscreen.... ?
> > > >
> > > > > -----Original Message-----
> > > > > From: Joshua b. Jore [mailto:josh at greentechnologist.org]
> > > > > Sent: Thursday, September 06, 2001 2:51 PM
> > > > > To: tclug-list at mn-linux.org
> > > > > Subject: [TCLUG] firewall friendly ftp?
> > > > >
> > > > > I've tried searching around for a bit and what I'm finding isn't relevant. I'm trying to make my ftp server make nice with my firewall. In reading the ftp spec, it says that on PASV, EPSV or LPSV the ftp server should start listening somewhere and then tell the client to come and get it. Do you know of anything that can say, make external calls so I can open the right port on the firewall on the fly? I figured I'd clean the open ports up independently. This doesn't seem like a unique idea, I just haven't seen anyone talk about a solution.
> > > > >
> > > > > Ideas?
> > > > >
> > > > > Joshua Jore
> > > > > Minneapolis Ward 3, precinct 10
> > > > > "The irony of this man being imprisoned in the United States and longing to return to once-Communist Russia so he can regain his right to free speech is simply staggering." - someone else
> > > > >
> > > > > _______________________________________________
> > > > > tclug-list mailing list
> > > > > tclug-list at mn-linux.org
> > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
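
The default-closed, open-on-demand scheme asked about in the thread, as an added example that is not part of the original messages or of any FTP server's or firewall's own code: it reads the 227 (PASV) or 229 (EPSV) reply on the control channel, opens the announced port only for the client that requested it, and lets the opening expire. The names `passive_port` and `PinholeTable`, the 30-second lifetime and the sample replies are assumptions; the port range is the one quoted in the thread, and the table only makes the allow/deny decision rather than issuing real firewall commands.

```python
import re
import time

# Passive data-port range the server in the thread is restricted to.
PASV_RANGE = range(49152, 49173)
_R227 = re.compile(r"^227 .*?\((?:\d+,){4}(\d+),(\d+)\)")   # (h1,h2,h3,h4,p1,p2)
_R229 = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")        # (|||port|)


def passive_port(reply):
    """Return the data port announced in a 227 or 229 reply, else None."""
    m = _R227.match(reply)
    if m:
        p1, p2 = int(m.group(1)), int(m.group(2))
        return p1 * 256 + p2 if p1 < 256 and p2 < 256 else None
    m = _R229.match(reply)
    return int(m.group(2)) if m else None


class PinholeTable:
    """Default-closed table of (client IP, port) openings that expire after ttl seconds."""

    def __init__(self, ttl=30.0, clock=time.monotonic):
        self.ttl, self.clock, self.holes = ttl, clock, {}

    def on_server_reply(self, client_ip, reply):
        """Feed each control-channel reply sent to client_ip; returns the opened port."""
        port = passive_port(reply)
        if port is None or port not in PASV_RANGE:
            return None  # not a passive reply, or outside the permitted range
        self.holes[(client_ip, port)] = self.clock() + self.ttl
        return port

    def allow(self, src_ip, dst_port):
        """Decide an inbound data connection; a pinhole is peer-bound and single-use."""
        expiry = self.holes.pop((src_ip, dst_port), None)
        return expiry is not None and self.clock() <= expiry

    def sweep(self):
        """Remove pinholes that expired unused; returns how many were dropped."""
        now = self.clock()
        dead = [k for k, exp in self.holes.items() if exp < now]
        for k in dead:
            del self.holes[k]
        return len(dead)
```
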