Yes, it's BSD. I still hang out here because I figure that even if I run
BSD at home, I'm still too fond of Linux (tho the zealotry is a bit much
sometimes) to leave. And this problem should be OS-agnostic anyway.

I'm not sure about the client but I'm pretty sure port 20 isn't used by
the server. [1] I've never seen the server start listening here and the
source doesn't indicate that it should. In general, if a server is to
accommodate active and passive clients then it must be able to accept
connections on any of a set of ports. In my case it's restricted to
49152-49172. I'm just trying to go to the next step where the ports are
closed by default and the server can kick off an external command to open
a given port for an ip for limited time. It *seems* pretty simple and I
just don't understand why I haven't run across it elsewhere.

Joshua Jore
Minneapolis Ward 3, precinct 10
  "The irony of this man being imprisoned in the United States and longing
to return to once-Communist Russia so he can regain his right to free
speech is simply staggering." - someone else

[1]
The protocol specifies that control occurs on port 21 and that via PORT,
LPRT, EPRT, PASV, LPSV, EPSV each machine may request a data connection.
The PORT series is a message to the other machine telling it to connect to
a given IP+port. This is also called 'active' mode. Conversely, PASV asks
the other side to supply an IP+port which is then connected to. There
isn't anything going on here that says that port 20 is what will be passed
in PORT or returned from PASV.

On Thu, 6 Sep 2001, Austad, Jay wrote:

> So it's solaris or BSD?
>
> In any case, I just opened ports 20 and 21 on my firewall to my ftp server,
> and I can ftp into it just fine from the outside.  You opened both of those
> ports right?
>
>
>
>
> > -----Original Message-----
> > From: Joshua b. Jore [mailto:josh at greentechnologist.org]
> > Sent: Thursday, September 06, 2001 4:17 PM
> > To: 'tclug-list at mn-linux.org'
> > Subject: RE: [TCLUG] firewall friendly ftp?
> >
> >
> > Well... it's ipf on the same box as the ftp server. I think I
> > can patch my existing ftp server so it makes external calls
> > to open the right port to the right IP but I figured it'd be
> > easier to just use something that already does that.
> >
> > Joshua Jore
> > Minneapolis Ward 3, precinct 10
> >   "The irony of this man being imprisoned in the United
> > States and longing to return to once-Communist Russia so he
> > can regain his right to free speech is simply staggering." -
> > someone else
> >
> > On Thu, 6 Sep 2001, Austad, Jay wrote:
> >
> > > What type of firewall are you using?  Linux box, PIX, Firewall-1,
> > > Netscreen.... ?
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Joshua b. Jore [mailto:josh at greentechnologist.org]
> > > > Sent: Thursday, September 06, 2001 2:51 PM
> > > > To: tclug-list at mn-linux.org
> > > > Subject: [TCLUG] firewall friendly ftp?
> > > >
> > > >
> > > > I've tried searching around for a bit and what I'm finding isn't
> > > > relevant. I'm trying to make my ftp server make nice with my
> > > > firewall. In reading the ftp spec, it says that on PASV, EPSV or
> > > > LPSV the ftp server should start listening somewhere and then tell
> > > > the client to come and get it. Do you know of anything that can say,
> > > > make external calls so I can open the right port on the firewall on
> > > > the fly? I figured I'd clean the open ports up independently. This
> > > > doesn't seem like a unique idea, I just haven't seen anyone talk
> > > > about a solution.
> > > >
> > > > Ideas?
> > > >
> > > > Joshua Jore
> > > > Minneapolis Ward 3, precinct 10
> > > >   "The irony of this man being imprisoned in the United States and
> > > > longing to return to once-Communist Russia so he can regain his
> > > > right to free speech is simply staggering." - someone else
> > > >
> > > > _______________________________________________
> > > > tclug-list mailing list
> > > > tclug-list at mn-linux.org
> > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > >
> >
> >
>
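
An added example, not part of the original thread or of any FTP server's code: a sketch of the hook the thread describes, where the server's PASV reply drives a per-client pinhole that is closed again after a limited time. The `open_cmd`/`close_cmd` callbacks stand in for whatever external firewall command is used, and the 30-second lifetime and the sample addresses are assumptions; only the 49152-49172 range comes from the thread.

```python
import ipaddress
import re

PASV_RANGE = range(49152, 49173)  # 49152-49172, the range quoted in the thread
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,192,5)"  # constructed sample

def parse_pasv(reply):
    """Return (ip, port) from an RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class Pinholes:
    """Tracks (client_ip, port) openings; open_cmd/close_cmd are hypothetical hooks."""
    def __init__(self, open_cmd, close_cmd, ttl=30):
        self.open_cmd, self.close_cmd, self.ttl = open_cmd, close_cmd, ttl
        self.leases = {}  # (client_ip, port) -> expiry time in seconds

    def on_pasv(self, client_ip, reply, now):
        """Open the advertised data port for the control connection's peer only."""
        ip = str(ipaddress.ip_address(client_ip))  # rejects a malformed peer address
        _, port = parse_pasv(reply)
        if port not in PASV_RANGE:
            raise ValueError("port %d outside passive range" % port)
        key = (ip, port)
        if key not in self.leases:
            self.open_cmd(ip, port)
        self.leases[key] = now + self.ttl  # a repeated PASV just renews the lease
        return key

    def expire(self, now):
        """Close every pinhole whose lease has run out; return the closed keys."""
        dead = [k for k, exp in self.leases.items() if exp <= now]
        for k in dead:
            del self.leases[k]
            self.close_cmd(*k)
        return dead

if __name__ == "__main__":
    p = Pinholes(lambda ip, port: print("open", ip, port),
                 lambda ip, port: print("close", ip, port))
    p.on_pasv("198.51.100.7", SAMPLE_REPLY, now=0)
    p.expire(now=30)
```
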