Re: Firewall and ftp service

From: Axel Scheepers
Date: 07/09/01

Date: Mon, 9 Jul 2001 09:29:43 +0200
From: Axel Scheepers
To: freebsd-security@FreeBSD.ORG

Thank you all for your help! ;-)
I do use kind of a mix of ipf/ipfw/natd at the moment, but that was
because I wanted it working as fast as possible (Just switched
from modem to cable ;-) Now my first "Wow, I want to do ... and ... and .."
feelings are over I want to figure out a nice clean way for doing it.
So thank you all for your great responses, you've given me a lot of starting
points (ipnat instead of natd) and help (ftp howto ;-)
Axel Scheepers

On Sat, Jul 07, 2001 at 11:38:49AM -0700, Crist J. Clark wrote:
> On Sat, Jul 07, 2001 at 03:32:47PM +0200, Axel Scheepers wrote:
> I'll say it again, FTP is eeeevul.
> > Hi everybody,
> > I hope I'm not being really off topic with this one but
> > it's been troubling me for a while now.
> > I'm looking for a way to provide access to an ftp server, my current
> > network layout looks like this:
> >
> > Cable Modem ------> Gateway ---------> http/ftp server
> >                        |
> >                        |
> >                        +------------> private http/ftp/sql server
> >                        |
> >                        |
> >                        +------------> my workstation
> >
> > The gateway does natd and ipf since the other servers have private
> > addresses.
> natd(8) and ipf(8) or natd(8) and ipfw(8)? I'd recommend either using,
> natd(8) and ipfw(8) or ipnat(8) and ipf(8), and not mixing and
> matching. There are sometimes reasons to run ipf(8) and ipfw(8) at the
> same time, but when you need to proxy FTP, there is too much room for
> confusion and weird interactions.
> > The problem now is that whenever I connect to my
> > ftp servers from the outside, the server is unable to set up a
> > data connection, because it wants to connect on a port > 1024, which
> > is blocked by my firewall (and I want to leave it that way).
> > Natd does the following:
> > natd -redirect_port tcp 20 -redirect_port 21
> > which redirects the traffic to my public ftp server.
> >
> > As I see it there can be 2 problems with this setup;
> > 1) The server wants to initiate the data connection at a port > 1024 and/or
> > 2) The server still somehow reports as its address to the clients.
> >
> > I have tried to connect with the option passive is off, which I thought
> > should force the server to stay on port 21 for the data connection, but
> > it didn't work. :(
> OK, one more time on how FTP generally works. Everyone knows the
> client connects to the server on port 21. That's easy. Now as for the
> data connection, there are two modes, PORT (active) and PASV
> (passive). In PORT, the client tells the server what port it will be
> listening on and the _server_ then (usually) connects to the _client_
> with a source port of 20 and the arbitrary high port ("ephemeral")
> the client gave the server as the destination. In PASV, the server
> tells the client what port it will be listening on, usually an
> arbitrary high, ephemeral port, and the client then connects with an
> ephemeral port source to the ephemeral destination. And we should
> point out that in both modes the server and client are passing not
> only the port number back and forth, but actually the IP address to
> connect to as well.
> So, the moral of the story is that FTP is an absolute bitch to work
> with if you have a firewall or NAT'ing gateway between the client and
> server. You need an application layer proxy for the
> connection. Redirection alone will not cut it.
> > Can/will somebody help on getting this done the proper way ?
> > I just want to use ipfilter, if possible, and I don't like to install
> > a ftp proxy for this.
> Oops. You are really using ipf(8). IPFilter has an FTP proxy
> built-in. However, use ipnat(8) and not natd(8) with ipf(8).
> --
> Crist J. Clark

Met vriendelijke groet,
Axel Scheepers
phone 	+31 40 239 33 93
fax 	+31 40 239 33 11
