RE: IPFW and the FTP protocol

From: Oliver Fehr (oliver.fehr@ofehr.com)
Date: 01/09/01


Date: Tue, 9 Jan 2001 18:55:25 +0100
From: "Oliver Fehr" <oliver.fehr@ofehr.com>
To: Pär Thoren <t98pth@student.hk-r.se>, <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>

This is because the remote server cannot initiate a connection to your
machine on port 20 (which is OK).
You can use ftp -p to do what you want. This opens a passive FTP
connection without using port 20.

Hope this helps,
Oliver

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Pär Thoren
> Sent: Tuesday, January 09, 2001 5:53 PM
> To: freebsd-questions@freebsd.org; freebsd-security@freebsd.org
> Subject: IPFW and the FTP protocol
>
>
> Hi!
>
>
> I have FreeBSD acting as a bridge with ipfw.
> Everything is working fine except the FTP protocol.
>
> I have the following two rules to allow ftp:
>
> # FTP-DATA.
> ${ipfw} add pass tcp from any to any 20 in via ${oif}
> # FTP.
> ${ipfw} add pass tcp from any to any 21 in via ${oif}
>
>
> To my knowledge ftp uses the ftp port (default 21) and ftpport - 1 for data
> and the result for commands like 'ls'.
>
> The problem.
> I can log into an ftp server behind the firewall with no problem (port
> 21). But when I try to execute ls or another command it doesn't work.
> Nothing happens.
>
> I used the program tcpflow to monitor the TCP info when using
> ftp while the firewall was open for all traffic. The result was:
>
> (10.0.0.1 ftp client)
> (192.168.1.1 ftp server behind firewall)
>
> ---------
> 10.0.0.1.01034-192.168.1.1.00021
>
> USER admin
> PASS ftppass
> SYST
> EPSV
> LIST
>
>
> ---------
> 192.168.1.1.00021-10.0.0.1.01034
>
> 220 ftp.behind.firewall FTP server (Version 6.00LS) ready.
> 331 Password required for admin.
> 230 User admin logged in.
> 215 UNIX Type: L8 Version: BSD-199506
> 229 Entering Extended Passive Mode (|||49175|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> 226 Transfer complete.
>
>
>
> --------
> 192.168.1.1.49175-10.0.0.1.01035
>
> -rw------- 1 admin wheel 3889 Jan 9 17:21 .bash_history
> -rw-r--r-- 1 admin wheel 264 Aug 17 19:04 .bash_profile
> -rw-r--r-- 1 admin wheel 628 Oct 19 12:51 .cshrc
> -rw------- 1 admin wheel 1882 Oct 25 14:03 .history
> -rw-r--r-- 1 admin wheel 299 Oct 19 12:51 .login
> -rw-r--r-- 1 admin wheel 160 Oct 19 12:51 .login_conf
> -rw------- 1 admin wheel 371 Oct 19 12:51 .mail_aliases
>
>
> The connection over port 21 seems fine, but the result of 'ls' isn't over
> port 20.
>
> Any ideas why?!
>
> /Pär
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
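Why the quoted rule set drops the output of 'ls', as an added Python illustration that is not part of this thread or of ipfw: it parses the EPSV reply captured on the control channel, derives the data connection the bridge will see, and checks it against a model of the two quoted rules. The addresses, ports and replies come from the post; the rule model and the PASV (227) parsing are my additions.

```python
import re

# Constructed from the thread: the client, the server behind the bridge, and the
# replies tcpflow captured on the control channel (port 21).
CLIENT, SERVER = "10.0.0.1", "192.168.1.1"
CONTROL_REPLIES = [
    "220 ftp.behind.firewall FTP server (Version 6.00LS) ready.",
    "229 Entering Extended Passive Mode (|||49175|)",
    "150 Opening ASCII mode data connection for '/bin/ls'.",
]

# The two ipfw rules from the post, reduced to what they match: TCP packets
# entering via the outside interface with destination port 20 or 21.
RULES = [("tcp", 20, "in"), ("tcp", 21, "in")]

def passive_port(reply):
    """Data port announced by a 229 (EPSV) or 227 (PASV) reply, or None."""
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", reply)
    if m:
        return int(m.group(1))
    # 227 (assumed format) encodes host and port as h1,h2,h3,h4,p1,p2
    m = re.match(r"227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if m:
        return int(m.group(5)) * 256 + int(m.group(6))
    return None

def permitted(dst_port, direction="in", proto="tcp"):
    """True if some rule passes a packet with this destination port/direction."""
    return (proto, dst_port, direction) in RULES

def data_channel_verdicts(replies):
    """For each passive-mode reply: the inbound data flow and whether it passes."""
    verdicts = []
    for reply in replies:
        port = passive_port(reply)
        if port is None:
            continue
        # Passive mode: the client opens a NEW connection to the server's
        # ephemeral port, so its SYN arrives "in via oif" with dst port == port,
        # which is neither 20 nor 21.
        verdicts.append({"src": CLIENT, "dst": SERVER, "dport": port,
                         "passed": permitted(port)})
    return verdicts

if __name__ == "__main__":
    print("control channel passed:", permitted(21))
    for v in data_channel_verdicts(CONTROL_REPLIES):
        print(v)   # dport 49175 matches neither rule, so the listing never arrives
```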
