Re: Ports necessary for running a FTP-server?
From: bargepole (jbhur@hotmail.com)
Date: 01/16/02
- Next message: bargepole: "Re: WinRoute Pro dyamic IP address"
- Previous message: rich cea: "Re: Having both SSL -AND- VPN..."
- In reply to: Bjorn: "Re: Ports necessary for running a FTP-server?"
- Next in thread: Charles Newman: "Re: Ports necessary for running a FTP-server?"
From: "bargepole" <jbhur@hotmail.com> Date: Wed, 16 Jan 2002 00:34:06 GMT
The FTP server should be listening on the LAN IP address of the Winroute
gateway. The port mapping should redirect FTP traffic to the Winroute LAN
address as the destination IP and the listen IP should be <Unspecified>.
"Bjorn" <bjornxon@hotmail.com> wrote in message
news:7h%08.14000$l93.3021320@newsb.telia.net...
> Hi!
> But how do I Port Map when the FTP-server is on the SAME computer as the
> WinRoutePro firewall? It has a dynamic IP address too, so I don't know how to
> set that port mapping rule. If it was on another server I could have Port
> Mapped to that IP address, but what do I do in a case like this? Do I
> really need to portmap?
>
> Brgds
> /Bjorn
>
>
>
> "bargepole" <jbhur@hotmail.com> wrote in message
> news:GIa_7.190777$KT.47024587@news4.rdc1.on.home.com...
> > It's hard to say, Frank.
> >
> > A default Winroute install, with no rules, will allow a Winroute client to
> > connect to an Internet FTP server using PORT or PASV mode. That same default
> > install will not allow an Internet client to connect to a Winroute protected
> > FTP server. Add a port mapping for TCP port 21 only and, without any rules,
> > the Winroute protected FTP server is now accessible from an Internet client
> > using PORT or PASV mode.
> >
> > I think much of the FTP trouble people experience with Winroute is from the
> > rules they impose. Depending on what sort of scheme one uses to packet
> > filter, I'd guess not including a rule that allows established connections
> > could screw things up. I've seen filter schemes where every allowed TCP
> > service is split into "establishing" (SYN flag) and "established"
> > communication pairs. This may be done to log the initial connection to a
> > service but not log the subsequent traffic. So, forgetting a !SYN rule for
> > FTP would kill communication. In the case of an Internet FTP client using
> > PORT mode connecting to a Winroute protected FTP server, the TCP port 20
> > traffic from the client never contains packets with the SYN flag set. All
> > the inbound traffic is !SYN. But as I said above, this traffic is implicitly
> > allowed in a default Winroute install.
> >
> > "Frank S" <fsexton@qwest.net> wrote in message
> > news:Ho9_7.182447$m05.15409826@bin5.nnrp.aus1.giganews.com...
> > > > Because Winroute is so configurable, it is possible to
> > > > inhibit the intended default operation for FTP communication
> > > > (through filtering, for example).
> > >
> > > Would you consider the act of not making a !SYN rule for ftp to be
> > > inhibiting the intended default operation?
> > >
> > > -Frank
> > >
> > >
> >
> >
>
>