Re: ftp through firewall

From: Brian Phillips (piconote_at_onetel.com)
Date: 05/29/05

    Date: Sun, 29 May 2005 11:40:45 +0100
    
    

    In message <MPG.1d0298bd1a78200b989847@news.east.earthlink.net>, Casey
    <Casey@notspecified.net> writes

    <snip>

    >Setting up a firewall for FTP connections is a little awkward.
    >I am not familiar with IPCop but this is how I have my Sygate set up.
    >
    >Advanced rules
    >1. Allow Filezilla outgoing TCP connection to remote port 21
    > from local ports 1025-3000.
    >2. Allow Filezilla incoming TCP connection from remote port 20
    > to local ports 1025-3000.
    >(note: rules 1 and 2 will accommodate active ftp. They are enabled
    >all the time.)
    >3. Allow Filezilla outgoing TCP connection to remote ports
    > 1025-65535 from local ports 1025-3000.
    >(Note: rule 3 will accommodate passive ftp--which I seldom use.
    >Rule 3 is normally disabled. If I cannot make an FTP download,
    >then I temporarily enable rule 3 for the download. After the
    >download, I disable rule 3)
    >You might find this helpful:
    >Active FTP vs Passive FTP
    >http://slacksite.com/other/ftp.html
    >Casey

    Thanks Casey

    I followed your first two rules to the letter and ftp transfers worked.

    I had experimented earlier with a similar arrangement but using just
    ports 5050 and 5051 rather than 1025-3000. My arrangement did not
    work.

    Since your arrangement does work, I then tried some experiments and my
    conclusion is that 25 ports is the minimum that will work on my system,
    and the 25 ports can apparently be almost anywhere. Thus I find that
    1025-1050 works and so does 2025-2050.

    I also find that 1025-1049 does not work.

    What puzzles me is why it is necessary to have more than just one port,
    since the protocol seems to be met by just one.

    Anyhow I now have a working system and, having spent many hours trying
    unsuccessfully in the past, I am very grateful to you.

    Thanks also Duane. I think that I had not made it clear that I was
    concerned only with an ftp client and not with an ftp server.

    Regards

    Brian
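
Added example, not part of the original post or of Casey's reply: a Python check that reads an FTP control-channel transcript, decodes each PORT command and 227 reply (port = p1*256 + p2), and reports whether the negotiated data connection falls inside rules 2 and 3 as quoted above. The transcript, the addresses and the `audit` function name are constructed for illustration.

```python
import re

# Rules from Casey's quoted message, expressed as data.
LOCAL_PORTS = range(1025, 3001)       # rules 1-3: local ports 1025-3000
RULE3_REMOTE = range(1025, 65536)     # rule 3: remote ports 1025-65535

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + SIX + r"\s*$")   # client -> server, active mode
PASV_RE = re.compile(r"^227 .*\(" + SIX + r"\)")  # server -> client, passive mode


def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (groups,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def audit(transcript, local_ports=LOCAL_PORTS, rule3_enabled=False):
    """Return (mode, port, allowed) for each data connection negotiated."""
    results = []
    for line in transcript.splitlines():
        direction, _, text = line.partition(": ")
        m = PORT_RE.match(text) if direction == "C" else None
        if m:
            # Active: the server connects from its port 20 to the announced
            # local port, so rule 2 must cover that local port.
            _, port = _decode(m.groups())
            results.append(("active", port, port in local_ports))
            continue
        m = PASV_RE.match(text) if direction == "S" else None
        if m:
            # Passive: the client connects out to the announced remote port.
            # Its own source port is chosen by the OS and is not visible on
            # the control channel, so only the remote side is checked here.
            _, port = _decode(m.groups())
            results.append(("passive", port, rule3_enabled and port in RULE3_REMOTE))
    return results


# Constructed control-channel transcript (not captured traffic).
SAMPLE = """\
C: PORT 192,168,0,10,4,1
C: LIST
C: PORT 192,168,0,10,19,186
C: RETR file.bin
C: PASV
S: 227 Entering Passive Mode (203,0,113,5,195,80)"""
```

Passing a different `local_ports` range to `audit` shows which announced ports a narrower rule 2 would block.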

