Re: Firewall and ftp service
From: tjk@tksoft.com
Date: 07/08/01
- Next message: Yonatan Bokovza: "FW: Small TCP packets == very large overhead == DoS?"
- Previous message: steve: "IPFilter/IPNat and rdr"
- In reply to: Axel Scheepers: "Firewall and ftp service"
- Next in thread: Crist J. Clark: "Re: Firewall and ftp service"
- Reply: Crist J. Clark: "Re: Firewall and ftp service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "tjk@tksoft.com" <tjk@tksoft.com>
To: ascheepe@surf.iae.nl (Axel Scheepers)
Date: Sun, 8 Jul 2001 03:01:54 -0700 (PDT)
I wanted to point out that port 20 is for ftp data and port 21 is
for ftp commands.
When an ftp connection is made, the client connects to the server at
port 21. All communications occur on that channel.
When the server needs to send data to the client, it opens a connection
to port 20 on the client. When it makes the connection, it allocates a
local port > 1024 for its local port.
When a client requests passive ftp, the server opens a random port >
1024 for listening. The client then opens a connection to that port.
With both passive and regular ftp data connections, the server has a
local port > 1024 open. The distinction is that with passive ftp the
server does a "listen()," opening a port for incoming connections. With
regular ftp, the server does a "connect()" and the client must open port
20 with "listen()."
I hope this clarifies what you should be looking at.
Good luck,
Troy
>
> Hi everybody,
> I hope I'm not being really off topic with this one but
> it's been troubling me for a while now.
> I'm looking for a way to provide access to an ftp server, my current
> network layout looks like this:
>
> Cable Modem ------> Gateway ---------> http/ftp server
>                        |
>                        |
>                        +------------> private http/ftp/sql server
>                        |
>                        |
>                        +------------> my workstation
>
> The gateway does natd and ipf since the other servers have private
> addresses. The problem now is that whenever I connect to my
> ftp servers from the outside, the server is unable to set up a
> data connection, because it wants to connect on a port > 1024, which
> is blocked by my firewall (and I want to leave it that way).
> Natd does the following:
> natd -redirect_port tcp 192.168.0.5:20 20 -redirect_port tcp 192.168.0.5:21 21
> which redirects the traffic to my public ftp server.
>
> As I see it there can be 2 problems with this setup:
> 1) The server wants to initiate the data connection at a port > 1024 and/or
> 2) The server still somehow reports 192.168.0.5 as its address to the clients.
>
> I have tried to connect with the option passive is off, which I thought
> should force the server to stay on port 21 for the data connection, but
> it didn't work. :(
> Can/will somebody help on getting this done the proper way ?
> I just want to use ipfilter, if possible, and I don't like to install
> a ftp proxy for this.
>
> Greetings,
> Axel Scheepers
>
> Unix System Administrator
> VIA NET.WORKS Nederland
> http://www.vianetworks.nl
> ascheepers@vianetworks.nl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
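An added example (my own code, not from this thread or from natd/ipf): a small decoder for the two control-channel lines that set up the FTP data connection. Given a PORT command from the client or a 227 PASV reply from the server, it reports which side does the listen() and which endpoint the other side must connect to, and it flags Axel's second suspected problem, a PASV reply that advertises the server's private address instead of the address the client reached it at. The sample lines and the address 203.0.113.10 are constructed.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2  (client -> server, active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+,\d+,\d+,\d+,\d+,\d+)", re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server -> client, passive mode)
PASV_RE = re.compile(r"^227 .*?\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def decode_hostport(spec):
    """Decode the FTP 'h1,h2,h3,h4,p1,p2' form into (ip, port)."""
    parts = [int(x) for x in spec.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad host/port spec: %r" % spec)
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def data_connection(line, server_ip_used_by_client):
    """Work out who listens for the data connection from one control line.

    server_ip_used_by_client is the address the client connected to on
    port 21 (in the thread's setup, the NAT gateway's public address).
    Returns None for lines that do not set up a data connection.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.group(1))
        # Active mode: the client listens; the server connects out
        # from source port 20, so the client side must accept that.
        return {"mode": "active", "listener": "client", "ip": ip, "port": port,
                "note": "server connects from port 20 to %s:%d" % (ip, port)}
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hostport(m.group(1))
        # Passive mode: the server listens on a port > 1024 and the
        # client connects there; the reply must carry a reachable address.
        note = "client connects to %s:%d" % (ip, port)
        if ip != server_ip_used_by_client:
            kind = "private" if ipaddress.ip_address(ip).is_private else "different"
            note = ("PASV reply advertises %s address %s but the client reached "
                    "the server at %s; NAT did not rewrite the reply, so the data "
                    "connection will fail" % (kind, ip, server_ip_used_by_client))
        return {"mode": "passive", "listener": "server", "ip": ip, "port": port,
                "note": note}
    return None
```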