
Re: ProFTPd behind firewall



On Friday 22 August 2003 21:46, Martin Wheeler wrote:
> Just caught the end of this ... may be applicable to a problem I'm
> experiencing myself.  (Not ProFTP, but gFTP.)
>
> As far as I know, one of my firewalls is the Mandrake SNF (Simple Network
> Firewall ?), running under 2.2.19.  (I'm fairly sure this is what it is.)

That'll be ipchains-based then, and not capable of any true statefulness (SYN 
tracking doesn't really count :) 

> One of my service providers is also behind a firewall, and insists on
> passive mode being turned off for any communication/transfers with them.

Well, that service provider has no clue about modern stateful firewalling, and 
consequently doesn't permit incoming connections on high ports, hence the 
requirement for active mode FTP...

> Of course gFTP (with passive mode turned off), just hangs if any attempt is
> made to transfer anything.
> Anyone know how I can reliably open up this channel in PORT mode without
> compromising anything anywhere?

You need to upgrade to a 2.4 kernel and use iptables rather than ipchains.... 
or configure your FTP client to specifically use a small range of ports, and 
allow those ports directly to your machine. Not secure, but not exactly a 
giant RPC exploit either ;)

gdh
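
The two options in the reply above, written out as an added example that is not part of the original post: a generator for an iptables-restore ruleset covering either the stateful conntrack-helper approach or the static small-port-range fallback. It assumes the rules run on the FTP client machine itself; the function name, the server address 192.0.2.10 and the range 50000:50009 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an iptables-restore
# ruleset for a machine running an FTP client in active (PORT) mode.
# Assumptions: the rules run on the client machine itself (INPUT chain), and
# the port range is whatever the FTP client has been pinned to for PORT.

# usage: active_ftp_rules helper|range SERVER_IPV4 [LOW:HIGH]
active_ftp_rules() {
    mode=$1 server=$2 range=$3 extra=
    # Reject anything but digits and dots so the value cannot smuggle
    # extra rule text into the generated file.
    case $server in ''|*[!0-9.]*) return 2 ;; esac
    case $mode in
    helper)
        # Stateful: with the FTP conntrack helper loaded (ip_conntrack_ftp on
        # 2.4, nf_conntrack_ftp later) the server's data connection matches
        # RELATED below, so no inbound port is opened in advance.
        ;;
    range)
        # Static fallback: accept new connections from the server's default
        # ftp-data port (20) to the small client range only.
        low=${range%%:*} high=${range##*:}
        for n in "$low" "$high"; do
            case $n in ''|*[!0-9]*) return 2 ;; esac
        done
        [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] &&
            [ "$low" -le "$high" ] || return 2
        extra="-A INPUT -p tcp -s $server --sport 20 --dport $low:$high --syn -j ACCEPT"
        ;;
    *) return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ -n "$extra" ]; then echo "$extra"; fi
    echo "COMMIT"
}

# Constructed sample: 192.0.2.10 is a documentation address, 50000:50009 an
# arbitrary ten-port range.
active_ftp_rules range 192.0.2.10 50000:50009
```

The function only prints the ruleset; review the output before feeding it to iptables-restore as root.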


