[ale] Linux 2.2.19 IPCHAINS Firewall + FTP woes

Jason Day jasonday at worldnet.att.net
Thu Jul 17 12:10:48 EDT 2003


On Wed, Jul 16, 2003 at 04:43:54PM -0400, J.M. Taylor wrote:
> If I remember correctly, passive FTP is going to be nigh on impossible
> with IP Chains, or rather, without connection tracking.  You're looking at
> unblocking many high ports to allow FTP to bump you up to a high numbered
> data port...afaik, it just isn't going to work out very well.
> 
> I *think* if you do active FTP it's 20 for the data port and 21 for the
> connection but I've not actually ever set up anything that way. :|

Yes, this is correct.  The client connects to the command channel (port
21).  When the client issues a command that requires data, such as "ls",
then a data connection is opened.  For active ftp, when the client sends
the ls command, it also creates a socket that listens for the data on a
random, high port, and sends a PORT command to the server, telling the
server what port it is listening on.  The server then opens a connection
to the data port on the client, with a source port of 20, and sends the
data.

Passive FTP was designed to allow ftp *clients* behind a firewall to
function.  For passive ftp, the client sends the PASV command in
addition to a data command (e.g. ls).  The server then creates a socket
on a random, high port, and sends the port back to the client on the
command channel.  The client then initiates a connection to the data
port on the server, and the server sends the data.  See RFC 959 for more
details.

I *think* ip_masq_ftp only helps masquerading ftp clients behind the
firewall.  You might be able to use an active ftp server by allowing
connections with a source port of 20 from your ftp server out of the
firewall, but I've never tried this.  Supporting passive ftp would be
harder, because you would have to forward incoming, high-port
connections to your ftp server.  Without stateful connection tracking,
you might as well just put the ftp server outside the firewall.

Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
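As an added illustration of the exchange described above (this is not code from the post or from the ALE list; the sample control-channel lines and the two IP addresses are constructed), the following parses the PORT command and the 227 "Entering Passive Mode" reply from RFC 959 and reports which data connection a stateless packet filter would have to admit. It also flags a PORT address that differs from the control-connection peer, which a firewall or server should refuse.

```python
import re

# RFC 959 encodes both the PORT argument and the 227 reply as
# h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_endpoint(line):
    """Return (host, port) carried by a PORT command or a 227 reply,
    or None if the line carries no (valid) data endpoint."""
    m = _SIX.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line, client_ip, server_ip):
    """Describe the data connection implied by one control-channel line.

    Active (client sends PORT): server:20 -> client:<announced port>.
    Passive (server replies 227): client:<ephemeral> -> server:<announced port>.
    The announced port is random and high, so a stateless filter cannot
    know it in advance; only parsing the control channel reveals it."""
    ep = parse_ftp_endpoint(line)
    if ep is None:
        return None
    host, port = ep
    if line.upper().startswith("PORT "):
        return {"mode": "active", "src": (server_ip, 20), "dst": (host, port),
                # A PORT address that is not the client itself should be refused.
                "addr_matches_peer": host == client_ip}
    if line.startswith("227"):
        return {"mode": "passive", "src": (client_ip, None), "dst": (host, port),
                "addr_matches_peer": host == server_ip}
    return None


if __name__ == "__main__":
    # Constructed sample session: client 192.168.1.10 talking to server 10.0.0.5.
    for ln in ("PORT 192,168,1,10,4,1",
               "227 Entering Passive Mode (10,0,0,5,195,80)",
               "LIST"):
        print(ln, "->", data_connection(ln, "192.168.1.10", "10.0.0.5"))
```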