
RE: Strange portrequest while trying to open FTP sessions



Thanks for your help Michael!

Looks like I'm going to install ftp-gw, you said that this one
was included in the TIS firewall toolkit, I've already downloaded
TIS once but never installed it - does TIS contain any other "good"
tools for firewall purposes, or may I ask it this way:
Should I install TIS?

Regards,
Michael

-----Original message-----
From: Michael Wood [mailto:wood@kingsley.co.za]
Sent: 13 January 2000 08:28
To: Michael Abrahamsson; 'debian-firewall@lists.debian.org'
Subject: Re: Strange portrequest while trying to open FTP sessions


Hi

On Wed, Jan 12, 2000 at 06:06:25PM +0100, Michael Abrahamsson wrote:
[snip]
> I've just opened some ports from/to the internal net (among
> those are 21/ftp) but when I'm on a webpage and click an ftp
> link like this one:
> ftp://ftp.pc.ibm.com/pub/pccbbs/pc_servers/m525w32e.txt
> nothing happens and it does time out.
> When I check the kernel log I can see that the workstation
> tried to connect to 204.146.167.81:18235 <-- Why the hell port
> 18235 (the port is different from time to time..)

This is because of the way FTP works.  (See below.)

> It works with ftp://ftp.sunet.se etc but shouldn't ftp://
> always connect to the same port and is there a solution?

FTP does not use just one connection for commands and data like
HTTP does.  With HTTP, the client connects to a port (normally
80) and sends a command (like GET / HTTP/1.0) and then gets the
results back in the same connection.  With FTP, it sends
commands on one connection, and then opens another connection to
download/upload the files etc.

There are two ways of opening the second connection.  One is
called active mode and the other is called passive mode.  With
active mode, the client listens on a port and then tells the
server what port it is listening on.  The server then connects
back to the client on the port that the client specified
(normally from port 20.)  With passive mode, the client tells
the server it wants to use passive mode (by using the PASV
command.)  The server then listens on another port and tells the
client the port number.  The client makes another connection to
the server on the specified port (not on port 21) and starts
sending or receiving the file list/file etc.

As far as I know, Internet Explorer and maybe Netscape use
passive mode by default and most ftp clients like the command
line clients and WS-FTP, CuteFTP etc. use active mode by
default, but you can normally specify passive mode if you want
to.

Because of this, FTP is difficult to account for on a firewall.
What you might want to look into is using an FTP proxy instead
of just passing through traffic.  The SuSE proxy suite has a
nice looking FTP proxy that seems to work well.  It is similar
to the ftp-gw from the TIS firewall toolkit, except that it
seems to be intended more for allowing clients on the Internet
to connect to an internal FTP server, whereas the ftp-gw is for
allowing internal users to connect to external FTP sites.

With the SuSE ftp proxy (it works on other distributions, it was
just developed by SuSE.) you run it on the firewall, and when
someone connects to the firewall's FTP port, the proxy server
makes a connection to the internal FTP server and relays stuff
between the client and the real server.  This should give you
exactly what you want, without relying on IP_MASQ modules etc.,
which might have to guess timeouts for the connections and cause
connections to be lost when downloading large files etc.

hmmm...  I've just re-read your message, and now it looks as if
you want to allow internal users to access external FTP sites.

If you want to do this, you can install a web proxy server (like
Squid, but not necessarily Squid) and set your browser up to use
it for FTP.  This would allow you to download, but not upload
files.

To be able to download/upload files with a normal FTP client
(i.e. not a web browser) you could use an FTP proxy, like the
TIS fwtk ftp-gw or the SuSE ftp proxy.

If you still want to do it with just opening ports, you will
need to allow connections from your internal network on any high
port to the internet on port 21.  (It seems from your message
that you have done this already.)  You will also have to allow
connections from the internal network on any high port to the
internet on any port (the server specifies the port.  You have
no way of knowing what it is going to be.)  You will then need
to make sure your FTP clients all use Passive mode.  (From your
message above, it seems your browser is using Passive mode.)

I hope this helps. :)

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
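As an added illustration of the active/passive negotiation described in the reply above (example code, not from either poster): a small Python parser for the server's 227 PASV reply and the client's PORT command, with the extra firewall rule each kind of data connection needs. The 227 reply text, the PORT line and the client address 192.168.1.10 are constructed; the reply is built so that it decodes to the 204.146.167.81:18235 connection from the kernel log (71*256 + 59 = 18235).

```python
import re
# The six numbers FTP uses to carry a host and port, e.g. "(204,146,167,81,71,59)"
# in a 227 reply from a server or "PORT 192,168,1,10,4,1" from a client.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text, control_peer):
    """Return (host, port) from an h1,h2,h3,h4,p1,p2 tuple; a host other than the
    control peer is rejected so a bogus tuple cannot aim the data connection elsewhere."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    host = ".".join(str(n) for n in nums[:4])
    if host != control_peer:
        raise ValueError("data host %s is not the control peer %s" % (host, control_peer))
    return host, nums[4] * 256 + nums[5]   # port travels as two bytes: high*256 + low


def parse_pasv_reply(reply, server_ip):
    """Passive mode: the server's 227 reply names the port the client must dial."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    return _decode_hostport(reply, server_ip)


def parse_port_command(cmd, client_ip):
    """Active mode: the client's PORT command names where the server connects back."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode_hostport(cmd, client_ip)


def data_rule(mode, client_ip, server_ip, endpoint):
    """Describe the extra rule a port-based firewall needs for the data connection."""
    host, port = endpoint
    if mode == "passive":
        return "allow %s:high -> %s:%d (server picks a new port each time)" % (client_ip, host, port)
    if mode == "active":
        return "allow %s:20 -> %s:%d (inbound to a client high port)" % (server_ip, host, port)
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    # Constructed reply that yields the 204.146.167.81:18235 connection seen in the log above.
    ep = parse_pasv_reply("227 Entering Passive Mode (204,146,167,81,71,59)", "204.146.167.81")
    print(data_rule("passive", "192.168.1.10", "204.146.167.81", ep))
```

The host check is what an FTP proxy or stateful helper should do before opening anything: the data endpoint must be the same host the control connection already talks to.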

