[thelist] FTP, IP Filtering, and Firewalls

raditha dissanayake jabber at raditha.com
Fri May 28 11:04:51 CDT 2004


Joshua Olson wrote:

>List,
>
>I'm configuring FTP on a server and I want to maximally lock down the
>ports.  I opened the normal ports for FTP, 20 and 21, and found that this
>works very well so long as the client is not behind a firewall and was
>therefore able to use Active Mode FTP transfer.  But, if they are behind a
>firewall, am I correct in assuming that they MUST be able to use Passive
>Mode, which means that the server needs to have some ports open in the upper
>range?  If so, is there an easy way to configure the open ports using the IP
>Filtering OTHER than enumerate each possible port one at a time?
This, of course, is the problem with FTP: when there are firewalls at both 
ends it becomes a major pain. Since the data connection is a fresh 
connection and not merely the incoming portion of a previously 
established connection, many firewalls throw it out. Since it's pretty 
hard to distinguish a data connection from any other connection, you might 
not want to just open up the ports. A couple of years ago I saw an 
IPTables recipe that seemed to work well. If you look it up in an 
IPTables group you might find the solution.

A painless way of course would be to use SFTP; if port 21 is open, no 
reason why 22 cannot be open :-)

All the best

-- 

Raditha Dissanayake.
---------------------------------------------
http://www.raditha.com/megaupload/upload.php
Sneak past the PHP file upload limits.
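As an added illustration (not part of the thread, and not the iptables recipe Raditha mentions): a small Python model of what a stateful FTP helper does with the server's `227 Entering Passive Mode` reply, so the firewall can admit the passive data connection as RELATED instead of leaving a port range open, plus the port-range form of an iptables rule for the case where a bounded passive range is opened explicitly. The 192.0.2.x / 198.51.100.x addresses, the 49152-49200 range and the `data_connection_allowed` policy are constructed assumptions.

```python
import re

# A PASV reply carries the data endpoint as six decimal octets:
# four for the IPv4 address, two for the port (port = p1 * 256 + p2).
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (ip, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # an octet out of range: refuse rather than guess
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection_allowed(reply: str, control_peer: str,
                            passive_range=(49152, 49200)):
    """Policy a firewall helper can apply before admitting the data connection.

    control_peer: address of the FTP server on the control connection.
    passive_range: the bounded range the server is configured to use
                   (constructed assumption; real servers make this configurable).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "not a PASV reply"
    ip, port = parsed
    # Only open a hole toward the host we are already talking to; a reply
    # naming some other address should never steer the firewall.
    if ip != control_peer:
        return False, "advertised address differs from control peer"
    lo, hi = passive_range
    if not lo <= port <= hi:
        return False, f"port {port} outside passive range {lo}-{hi}"
    return True, f"allow {ip}:{port}"


def iptables_passive_rules(passive_range=(49152, 49200)):
    """The two rules that answer 'open the range without enumerating ports':
    iptables accepts a low:high range in --dport, so one rule covers it."""
    lo, hi = passive_range
    return [
        "-A INPUT -p tcp --dport 21 -j ACCEPT",
        f"-A INPUT -p tcp --dport {lo}:{hi} -j ACCEPT",
    ]
```

With the FTP connection-tracking helper loaded, a single `-m conntrack --ctstate RELATED,ESTABLISHED` accept rule admits the data connection the helper learned from the 227 reply, and the explicit range rule becomes unnecessary.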