proftpd passive connections through firewall

existenz (Verified User; joined Jul 18, 2003; 542 messages; location /dev/null)
What ports do you folks have open? Do you open the entire ephemeral port range? (49152-65534).

I am having some problems with proftpd not working with passive connections and just wondering what you have open.
 
Hello,

For FTP, we only have 20 and 21 open. I'm pretty sure I'm using PASV... could be wrong (not sure that makes any sense, but we do only have 20 and 21 open).

I believe you can specify the port range in /etc/proftpd.conf using:

PassivePorts 60000 65535

so play around with that.

John
 
I added the port range, but unless I used the entire ephemeral range I could not get it to work. Anyone set that to a lower block?

When in passive mode, that is only TCP out, correct? If I could block incoming TCP connections on the ephemeral range in the firewall, I would leave it all open.
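The direction question above is the crux of the whole thread, so here is an added example (not code from the original post) that decodes the two FTP control-channel lines that set up a data connection. In passive mode the server answers PASV with a 227 reply naming a port it has started listening on, and the client opens an inbound TCP connection to that port; in active mode the client sends PORT and the server dials out. The checker also reports whether the advertised port falls inside the configured PassivePorts range, which is a quick way to tell whether a PassivePorts directive has actually taken effect. The sample lines and the 192.0.2.x addresses are constructed; `classify` and `parse_hostport` are hypothetical helper names.

```python
import re

# RFC 959 carries the data-connection endpoint as h1,h2,h3,h4,p1,p2;
# the port number is p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (host, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return host, port


def classify(line, passive_range):
    """Describe the data connection implied by one control-channel line.

    line          -- a server reply ("227 ...") or a client command ("PORT ...")
    passive_range -- (low, high) as configured with PassivePorts in proftpd.conf
    """
    low, high = passive_range
    hp = parse_hostport(line)
    if line.startswith("227"):
        # Passive mode: the SERVER listens, the client connects inbound to it,
        # so the server-side firewall must admit a new TCP connection to this port.
        if hp is None:
            return {"mode": "passive", "error": "no host/port tuple in 227 reply"}
        host, port = hp
        return {
            "mode": "passive",
            "server_listens_on": port,
            "inbound_to_server": True,
            "within_passive_ports": low <= port <= high,
        }
    if line.upper().startswith("PORT "):
        # Active mode: the server connects OUT to the client's advertised port;
        # no inbound hole is needed on the server firewall for the data channel.
        if hp is None:
            return {"mode": "active", "error": "no host/port tuple in PORT command"}
        host, port = hp
        return {
            "mode": "active",
            "server_connects_to": (host, port),
            "inbound_to_server": False,
            "within_passive_ports": False,
        }
    return {"mode": "unknown", "inbound_to_server": False}


if __name__ == "__main__":
    # Constructed sample lines; 192.0.2.0/24 is a documentation prefix.
    PASSIVE_PORTS = (49152, 49171)
    for sample in (
        "227 Entering Passive Mode (192,0,2,10,192,2)",   # 192*256+2 = 49154, inside the range
        "227 Entering Passive Mode (192,0,2,10,234,96)",  # 234*256+96 = 60000, outside the range
        "PORT 192,0,2,77,4,1",                            # active mode: server dials 192.0.2.77:1025
    ):
        print(sample, "->", classify(sample, PASSIVE_PORTS))
```

If a 227 reply advertises a port outside the range you configured, proftpd is not using your PassivePorts directive (typically because the server was not restarted, or the directive sits in the wrong context), and that is exactly the symptom of "works with the whole ephemeral range open, fails when I limit it".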
 
What kind of firewalling are you using? If a specific firewall script, please let us know which one.

On our ipchains-based firewalls we specifically open part of the ephemeral range (10 to 20 should be more than enough for all but the busiest servers), but with iptables we use a setup that allows automatic opening and closing of ports as required.

Jeff
 
I tried limiting it to 10 ports in the ephemeral range but found that after the initial connection it would not work anymore.

I am using ipfw2. It is possible that I don't have the correct syntax in the proftpd.conf:

PassivePorts 49152 65534

Don't you think it's possible to use a stateful ruleset for the ephemeral range? The proftpd is the one picking and making the connection via that port range.
 
I know it's possible but I don't know how to do it with ipfw2; that's why I asked what firewall you were using.

Here's how we limit Proftpd to a range of ephemeral ports, using proftpd.conf:

Code:
##### added JL to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49171
####
We use this (for 20 ports), right under the "Port 21" line near the top of the file.

If you're running proftpd as standalone servertype, don't forget to restart it after making any changes to proftpd.conf.

Jeff
 
I set mine up with the entire ephemeral range and ipfw.

It's a very simple firewall; if you'd like it, I can attach it.
 
I don't need your firewall config, I am more worried about proftpd.conf. It works fine with the entire ephemeral range open, but I just can't seem to get it to limit it to only a few. I will play with it...
 
Existenz, I'm having no problems using proftpd.conf to limit the ephemeral range, as I've posted here already. What kind of problem are you having when you try?

JMStacey, I'd like very much to see your firewall settings; if you'd like, I'll show you mine for iptables and/or for ipchains.

Perhaps we can learn about techniques and ports to block/allow from each other.

Jeff
 
Thanks, Jon.

I found your other thread, and the attached file a few minutes after I posted.

Jeff
 
Shouldn't setting iptables to accept all RELATED, ESTABLISHED connections do it?

Quote:
On our ipchains-based firewalls we specifically open part of the ephemeral range (10 to 20 should be more than enough for all but the busiest servers), but with iptables we use a setup that allows automatic opening and closing of ports as required.

Jeff

How do you do that? That's very useful...
 
On iptables?

You've got it right.

On ipchains, we add these lines to /etc/sysconfig/ipchains:

# hole in firewall to allow passive ftp
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49162 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49163 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49164 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49165 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49166 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49167 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49168 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49169 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49170 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49171 -p tcp -y -j ACCEPT

and then restart ipchains.

And then add this line:

PassivePorts 49152 49171

to the <Global> section of /etc/proftpd.conf and restart proftpd.

Jeff
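Jeff's post keeps two things in step by hand: the PassivePorts range in /etc/proftpd.conf and twenty matching ipchains rules. As an added example (not from the thread or from the ProFTPD project), the script below reads the range out of a proftpd.conf excerpt and generates the firewall rules from it, so the two cannot drift apart when someone later widens or moves the range. The ipchains lines are emitted in exactly the form shown above; the iptables line uses the standard `-p tcp --syn --dport low:high` range match, which replaces the per-port list with one rule. The conf excerpt is constructed, and `read_passive_ports`, `ipchains_rules` and `iptables_rule` are hypothetical helper names.

```python
import re

# Constructed proftpd.conf excerpt (not the thread's real file), laid out the way
# Jeff describes: PassivePorts right under the "Port 21" line.
SAMPLE_CONF = """\
ServerType standalone
Port 21
##### added JL to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49171
####
"""

# Anchored at line start so commented-out copies of the directive are ignored.
_PASSIVE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def read_passive_ports(conf_text):
    """Return (low, high) from the last PassivePorts directive, or None if absent."""
    matches = _PASSIVE.findall(conf_text)
    if not matches:
        return None
    low, high = (int(x) for x in matches[-1])
    if not (1 <= low <= high <= 65535):
        raise ValueError("PassivePorts %d %d is not a valid port range" % (low, high))
    return low, high


def ipchains_rules(low, high):
    """One ipchains input rule per port, in the form used in the post above.

    -y matches only SYN packets, i.e. new inbound connections, which is all a
    passive data channel needs on the server side.
    """
    return ["-A input -s 0/0 -d 0/0 %d -p tcp -y -j ACCEPT" % port
            for port in range(low, high + 1)]


def iptables_rule(low, high):
    """The same hole as a single iptables rule using a destination port range."""
    return "-A INPUT -p tcp --syn --dport %d:%d -j ACCEPT" % (low, high)


if __name__ == "__main__":
    rng = read_passive_ports(SAMPLE_CONF)
    if rng is None:
        raise SystemExit("no PassivePorts directive found; proftpd will use any ephemeral port")
    print("# hole in firewall to allow passive ftp (ipchains)")
    for rule in ipchains_rules(*rng):
        print(rule)
    print("# equivalent single rule for iptables")
    print(iptables_rule(*rng))
```

With iptables the static hole is only one option: the FTP connection-tracking helper (`ip_conntrack_ftp` on older kernels, `nf_conntrack_ftp` on newer ones) reads the 227 reply on the control channel and lets a `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule admit the matching data connection, which is the "automatic opening and closing of ports" Jeff refers to; the generated rule is still useful where no helper is available or where the control channel is encrypted and the helper cannot see it.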
 