
Thread: Opening firewall for ftp


  1. #1

    Opening firewall for ftp

    I'm trying to get my server open so I can ftp it to put stuff on my web site. I thought ftp only used ports 20 (data) and 21 (control), but I've opened those ports and it still isn't fully functional. I can ftp to it but when I try to put a file, it just sits there. I have to tell it to accept all packets from my computer to get it to work. I know the FreeBSD firewall is a little different, but if you're good with networking, you should be able to read basic ipfw commands without a tutorial. Here's my set of firewall rules on the computer:

    Code:
    ipfw -f flush
    ipfw add pass all from 127.0.0.1 to 127.0.0.1
    ipfw add pass tcp from any to ${ip} 20 setup
    ipfw add pass tcp from any to ${ip} 21 setup
    [similar lines to open other ports]
    ipfw add pass tcp from ${subnet} to ${ip} 23 setup
    ipfw add deny tcp from any to ${ip} setup

    The default is set to accept, by the way. ${ip} is set to the machine's IP and ${subnet} is set to the subnet of the whole school.

  2. #2

    Re: Opening firewall for ftp

    You must allow udp traffic as well.

  3. #3

    Re: Opening firewall for ftp

    ftp uses udp??

  4. #4

    Re: Opening firewall for ftp

    Udp traffic is allowed. As you can see, there is no rule that regards udp and the default rule is set to accept.

  5. #5

    Re: Opening firewall for ftp

    Feztaa: seems you're right, it doesn't.

    Kenshi: Looks like your client uses passive mode by default. Strange, but it's the only explanation I could find based on the info I have. In passive mode it's the client that tries to connect to a high number port on the server (which is blocked by the server's firewall). You can quickly test it by telling your client to use active mode.


    This should help you: http://www.slacksite.com/other/ftp.html
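To make the explanation above concrete, here is an added example (written for this edit, not code from the thread or from any poster) that parses the two FTP control-channel messages that set up the data connection, a PASV reply from the server and a PORT command from the client, works out which side sends the SYN for the data connection, and evaluates that SYN against a simplified first-match model of the ruleset in the opening post. The addresses, the sample PASV/PORT lines and the passive port range 50000-50100 in the "fixed" ruleset are all assumptions constructed for the example; the model only looks at the `tcp ... setup` rules, because those are what decide whether a new connection can be opened.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (not captured from the thread's
# server): a PASV reply sent by the server and a PORT command sent by a client.
PASV_REPLY = "227 Entering Passive Mode (10,1,2,3,195,80)"
PORT_CMD = "PORT 10,1,9,9,4,1"

SERVER_IP = "10.1.2.3"  # stands in for ${ip} in the thread's rules (assumed value)
CLIENT_IP = "10.1.9.9"  # the student's machine (assumed value)


def parse_hostport(text):
    """Return (host, port) from a PASV reply or PORT command.

    Both carry h1,h2,h3,h4,p1,p2 and the port is p1*256 + p2 (RFC 959).
    """
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Syn:
    """The SYN that opens the data connection, as the server's firewall sees it."""
    src: str
    dst: str
    dport: int


def data_connection(mode, line):
    """Who opens the data connection in each mode.

    passive: the client connects to the host:port announced in the PASV reply.
    active:  the server connects from port 20 to the host:port in the PORT command.
    """
    host, port = parse_hostport(line)
    if mode == "passive":
        return Syn(src=CLIENT_IP, dst=host, dport=port)
    if mode == "active":
        return Syn(src=SERVER_IP, dst=host, dport=port)
    raise ValueError("mode must be 'passive' or 'active'")


# Simplified model of the poster's ipfw rules. Only the "tcp ... setup" (SYN)
# rules decide whether a new data connection can be opened, so each entry is
# (action, src, dst, dport); dport may be None (any), an int, or a (lo, hi) range.
# ipfw is first-match, and the poster says the kernel default is accept.
ORIGINAL_RULES = [
    ("pass", "any", SERVER_IP, 20),
    ("pass", "any", SERVER_IP, 21),
    ("deny", "any", SERVER_IP, None),  # ipfw add deny tcp from any to ${ip} setup
]

# Assumed fix (not from the thread): the ftp daemon is configured to hand out
# passive ports 50000-50100, and that range is opened before the catch-all deny.
PASSIVE_RANGE = (50000, 50100)
FIXED_RULES = [
    ("pass", "any", SERVER_IP, 20),
    ("pass", "any", SERVER_IP, 21),
    ("pass", "any", SERVER_IP, PASSIVE_RANGE),
    ("deny", "any", SERVER_IP, None),
]


def port_matches(spec, port):
    """None matches any port, a tuple is an inclusive range, an int is exact."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def evaluate(rules, syn, default="pass"):
    """First-match evaluation of a SYN against the rule list."""
    for action, src, dst, dport in rules:
        if src != "any" and src != syn.src:
            continue
        if dst != "any" and dst != syn.dst:
            continue
        if not port_matches(dport, syn.dport):
            continue
        return action
    return default


def verdicts():
    """Verdict for each mode under the original and the fixed rule sets."""
    passive = data_connection("passive", PASV_REPLY)
    active = data_connection("active", PORT_CMD)
    return {
        "passive/original": evaluate(ORIGINAL_RULES, passive),
        "active/original": evaluate(ORIGINAL_RULES, active),
        "passive/fixed": evaluate(FIXED_RULES, passive),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:18} -> {verdict}")
```

Running it shows the thread's symptom: in passive mode the client's SYN to the server's high port hits the catch-all `deny ... setup` rule, while in active mode the server itself opens the data connection outbound and nothing in the ruleset stops it. Note that the `pass tcp from any to ${ip} 20 setup` rule is not what makes active mode work, since the server originates that connection from port 20 rather than receiving one on it. Opening a fixed passive port range that the ftp daemon is configured to use is the usual way to make passive clients work without passing everything from the client's address.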

  6. #6

    Re: Opening firewall for ftp

    This is from the following site and may be of help:

    http://www.sns.ias.edu/~jns/security...les/index.html

    It's iptables, but you could adapt it.

    ## FTP
    # Allow ftp outbound.
    iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Now for the connection tracking part of ftp. This is discussed more completely in my section
    # on connection tracking to be found here.
    # 1) Active ftp.
    # This involves a connection INbound from port 20 on the remote machine, to a local port
    # passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
    # the connection as RELATED to the original outgoing connection to port 21 so we don't
    # need NEW as a state match.
    iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # 2) Passive ftp.
    # This involves a connection outbound from a port >1023 on the local machine, to a port >1023
    # on the remote machine previously passed over the ftp channel via a PORT command. The
    # ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
    # connection to port 21 so we don't need NEW as a state match.
    iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
        -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
        -m state --state ESTABLISHED,RELATED -j ACCEPT


  7. #7

    Re: Opening firewall for ftp


    Kenshi: Looks like your client uses passive mode by default. Strange, but it's the only explanation I could find based on the info I have. In passive mode it's the client that tries to connect to a high number port on the server (which is blocked by the server's firewall). You can quickly test it by telling your client to use active mode.
    It was using passive mode by default. Well if that don't beat all... Case solved. But to make things easier for me, does anyone know how to set the default mode (if you can)? Also, which mode do Windows and Linux clients use by default? If Windows especially doesn't use active mode by default, then the students will never be able to figure out what's wrong.

  8. #8

    Re: Opening firewall for ftp

    It was using passive mode by default. Well if that don't beat all... Case solved. But to make things easier for me, does anyone know how to set the default mode (if you can)? Also, which mode do Windows and Linux clients use by default? If Windows especially doesn't use active mode by default, then the students will never be able to figure out what's wrong.
    According to the RFC active is default, IIRC. All clients are standards compliant : , buhahahahahahaha

  9. #9

    Re: Opening firewall for ftp

    I use IPFW in FreeBSD and have no problems with FTP. I don't think you need to pass UDP just for FTP. Here is my firewall script:

    # Firewall rules

    # Define the firewall command (as in /etc/rc.firewall) for easy reference.
    fwcmd="/sbin/ipfw -q"

    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush

    # Divert all packets through the tunnel interface.
    $fwcmd add divert natd all from any to any via dc0

    # Allow all data from my network card and localhost.
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via dc1

    # Allow all connections that I initiate.
    $fwcmd add allow tcp from any to any out xmit dc0 setup

    # Once connections are made, allow them to stay open.
    $fwcmd add allow tcp from any to any via dc0 established

    # Everyone on the internet is allowed to connect to the following
    $fwcmd add allow tcp from any to any 21 setup
    $fwcmd add allow tcp from any to any 22 setup
    $fwcmd add allow tcp from any to any 80 setup
    $fwcmd add allow tcp from any to any 5500 setup
    $fwcmd add allow tcp from any to any 5800-5810 setup
    $fwcmd add allow tcp from any to any 5900-5910 setup

    # Allow all IP to and from kill.taliban.com for IPSec.
    $fwcmd add allow esp from any to xxx.xxx.xxx.xxx via dc0
    $fwcmd add allow esp from any to xxx.xxx.xxx.xxx via dc0
    $fwcmd add allow ah from any to xxx.xxx.xxx.xxx via dc0
    $fwcmd add allow ah from any to xxx.xxx.xxx.xxx via dc0
    $fwcmd add allow esp from xxx.xxx.xxx.xxx to any via dc0
    $fwcmd add allow esp from xxx.xxx.xxx.xxx to any via dc0
    $fwcmd add allow ah from xxx.xxx.xxx.xxx to any via dc0
    $fwcmd add allow ah from xxx.xxx.xxx.xxx to any via dc0

    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to any 113 in recv dc0

    # Allow outgoing DNS queries ONLY to the specified servers.
    $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 53 out xmit dc0
    $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 53 out xmit dc0
    $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 53 out xmit dc0

    # Allow them back in with the answers.
    $fwcmd add allow udp from xxx.xxx.xxx.xxx 53 to any in recv dc0
    $fwcmd add allow udp from xxx.xxx.xxx.xxx 53 to any in recv dc0
    $fwcmd add allow udp from xxx.xxx.xxx.xxx 53 to any in recv dc0

    # Allow udp on port 500 for IPSec.
    $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 500 out xmit dc0 keep-state
    $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 500 out xmit dc0 keep-state
    $fwcmd add allow udp from xxx.xxx.xxx.xxx 500 to any in recv dc0 keep-state
    $fwcmd add allow udp from xxx.xxx.xxx.xxx 500 to any in recv dc0 keep-state

    # Allow outgoing traceroute.
    $fwcmd add allow udp from any to any 33434-33523 out via dc0

    # Allow ICMP (for ping and traceroute to work).
    $fwcmd add allow icmp from any to any icmptypes 8 out via dc0
    $fwcmd add allow icmp from any to any icmptypes 0 in via dc0
    $fwcmd add allow icmp from any to any icmptypes 3,4,11,12 via dc0

    # Deny all the rest.
    # Denied by the kernel default.

  10. #10

    Re: Opening firewall for ftp

    That's cool Coral Sea. I really need to make some major changes to my firewall. Do you have a link to a good tutorial on ipfw?
