[thelist] FTP, IP Filtering, and Firewalls

Michael Pemberton evolt at mpember.net.au
Fri May 28 22:41:46 CDT 2004


Joshua Olson wrote:
> List,
> 
> I'm configuring FTP on a server and I want to maximally lock down the
> ports.  I opened the normal ports for FTP, 20 and 21, and found that this
> works very well so long as the client is not behind a firewall and was
> therefore able to use Active Mode FTP transfer.  But, if they are behind a
> firewall, am I correct in assuming that they MUST be able to use Passive
> Mode, which means that the server needs to have some ports open in the upper
> range?  If so, is there an easy way to configure the open ports using the IP
> Filtering OTHER than enumerate each possible port one at a time?

Many firewalls on the market today will let you work with ranges of 
ports instead of individual ports.

Most ftp servers allow you to specify the ports that are allowed for 
PASV transfers.  Some will even go so far as to allow you to set the IP.

This is required so that you can open, and port forward where needed, 
the required ports.

The same goes for some clients.  This means that if you know the client, 
and they are willing to try new things, it is possible that they might 
use a client that can be configured to work with your/their firewall.

-- 
Michael Pemberton
evolt at mpember.net.au
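
Added example, not part of the original post: a check that the address and port a server advertises in its `227 Entering Passive Mode` reply match the single port range opened on the firewall. The function names, the address 203.0.113.10 and the range 50000-50100 are assumptions made for illustration.

```python
import ipaddress
import re

# Six comma-separated numbers (h1,h2,h3,h4,p1,p2) from an RFC 959 227 reply.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample replies, not captured from a real server.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,195,90)"
BAD_REPLY = "227 Entering Passive Mode (192,168,1,5,4,1)"


def parse_pasv_reply(line):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    match = _PASV_RE.search(line)
    if match is None:
        raise ValueError("no host/port tuple in reply: %r" % line)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in reply: %r" % line)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as two bytes, high then low
    return host, port


def check_pasv_reply(line, public_ip, port_range):
    """Return a list of mismatches between the reply and the firewall rule."""
    host, port = parse_pasv_reply(line)
    low, high = port_range
    problems = []
    if not low <= port <= high:
        problems.append("port %d is outside the opened range %d-%d" % (port, low, high))
    if host != ipaddress.IPv4Address(public_ip):
        problems.append("server advertises %s but clients reach it at %s" % (host, public_ip))
    return problems


if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        issues = check_pasv_reply(reply, "203.0.113.10", (50000, 50100))
        print(reply, "->", issues or "matches firewall rule")
```

An empty result means the server's PASV port setting and advertised IP line up with the range rule and any port forwarding in front of it.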


