Date:      Sun, 8 Jul 2001 03:01:54 -0700 (PDT)
From:      "tjk@tksoft.com" <tjk@tksoft.com>
To:        ascheepe@surf.iae.nl (Axel Scheepers)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Firewall and ftp service
Message-ID:  <200107081001.DAA07513@smtp3.tksoft.com>
In-Reply-To: <20010707153247.A78448@surf.iae.nl> from "Axel Scheepers" at Jul 07, 2001 03:32:47 PM


I wanted to point out that port 20 is for ftp data and port 21 is
for ftp commands.

When an ftp connection is made, the client connects to the server at
port 21. All communications occur on that channel.

When the server needs to send data to the client, it opens a connection
to port 20 on the client. When it makes the connection, it allocates a
local port > 1024 for its local port.

When a client requests passive ftp, the server opens a random port >
1024 for listening.  The client then opens a connection to that port.

With both passive and regular ftp data connections, the server has a
local port > 1024 open. The distinction is that with passive ftp the
server does a "listen()," opening a port for incoming connections. With
regular ftp, the server does a "connect()" and the client must open port
20 with "listen()."

I hope this clarifies what you should be looking at.

Good luck,

Troy

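As an added illustration of the control-channel exchange described above (example code, not from the thread): the client's PORT command and the server's 227 reply to PASV each carry the address and port of the data connection as h1,h2,h3,h4,p1,p2, so parsing that tuple shows both problems Axel suspects (a 192.168.x.x address leaking out and a port > 1024) and the rewrite an FTP-aware NAT performs. The sample lines and the gateway address 198.51.100.9 are constructed.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by a PORT command (client -> server)
# and by the 227 reply to PASV (server -> client); port = p1*256 + p2.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 1918 ranges: the private addresses used behind the gateway in the thread.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)

def parse_ftp_endpoint(line):
    """Return (ip, port) advertised in a PORT command or a 227 PASV reply."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no address tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]

def describe_data_connection(line):
    """Say who connect()s to whom, and list the NAT/firewall problems raised."""
    ip, port = parse_ftp_endpoint(line)
    if line.upper().startswith("PORT"):
        mode = "active: server connect()s to client %s:%d" % (ip, port)
    elif line.startswith("227"):
        mode = "passive: server listen()s on %s:%d" % (ip, port)
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    problems = []
    if is_rfc1918(ip):
        problems.append("private address %s advertised to the outside" % ip)
    if port > 1024:
        problems.append("data port %d is above 1024" % port)
    return mode, problems

def rewrite_endpoint(line, public_ip):
    """Replace the advertised address with the gateway's, as an FTP-aware NAT does."""
    _, port = parse_ftp_endpoint(line)
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return _TUPLE.sub(new_tuple, line, count=1)

# Constructed sample lines: the private server from the question answering
# PASV, and an outside client (documentation address) sending PORT.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,0,5,195,80)"
SAMPLE_PORT_CMD = "PORT 203,0,113,7,4,210"
```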
> 
> Hi everybody,
> I hope I'm not being really off topic with this one but 
> it's been troubling me for a while now.
> I'm looking for a way to provide access to an ftpserver, my current
> network layout looks like this:
> 
> Cable Modem ------> Gateway ---------> http/ftp server
> 						|
> 						|
> 						+------------> private http/ftp/sql server
> 						|
> 						|
> 						+------------> my workstation
> 
> The gateway does natd and ipf since the other servers have private 
> addresses. The problem now is that whenever I connect to my
> ftp servers from the outside, the server is unable to set up a 
> data connection, because it wants to connect on a port > 1024, which
> is blocked by my firewall (and I want to leave it that way).
> Natd does the following:
> natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
> which redirects the traffic to my public ftp server.
> 
> As I see it there can be 2 problems with this setup;
> 1) The server wants to initiate the data connection at a port > 1024 and/or
> 2) The server still somehow reports 192.168.0.5 as its address to the clients.
> 
> I have tried to connect with the option passive is off, which I thought
> should force the server to stay on port 21 for the data connection, but
> it didn't work. :( 
> Can/will somebody help on getting this done the proper way?
> I just want to use ipfilter, if possible, and I don't like to install
> an ftp proxy for this.
> 
> Greetings,
> Axel Scheepers
> 
> Unix System Administrator
> VIA NET.WORKS Nederland
> http://www.vianetworks.nl
> ascheepers@vianetworks.nl
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message