Re: ProFTPd behind firewall
On Friday 22 August 2003 21:46, Martin Wheeler wrote:
> Just caught the end of this ... may be applicable to a problem I'm
> experiencing myself. (Not ProFTP, but gFTP.)
>
> As far as I know, one of my firewalls is the Mandrake SNF (Simple Network
> Firewall ?), running under 2.2.19. (I'm fairly sure this is what it is.)
That'll be ipchains-based then, and not capable of any true statefulness (SYN
tracking doesn't really count :)
> One of my service providers is also behind a firewall, and insists on
> passive mode being turned off for any communication/transfers with them.
Well, that service provider has no clue about modern stateful firewalling, and
consequently doesn't permit incoming connections on high ports, hence the
requirement for active mode FTP...
> Of course gFTP (with passive mode turned off), just hangs if any attempt is
> made to transfer anything.
> Anyone know how I can reliably open up this channel in PORT mode without
> compromising anything anywhere?
You need to upgrade to a 2.4 kernel and use iptables rather than ipchains....
or configure your FTP client to specifically use a small range of ports, and
allow those ports directly to your machine. Not secure, but not exactly a
giant RPC exploit either ;)
gdh
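
The two options from the reply above, written out as an added example (not part of the original message). It assumes the rules are applied on the machine running the FTP client; the function names, the `RUN` dry-run variable and the address and port range in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: two ways to admit an active-mode (PORT) FTP data connection.
# Set RUN=echo to print the commands instead of executing them (assumption:
# this dry-run switch is a convenience of this sketch, not of either tool).
RUN="${RUN:-}"

# Option 1: 2.4 kernel with iptables. The FTP connection-tracking helper reads
# the PORT command on the control channel (port 21), so the server's data
# connection back to the client is classified RELATED. No high port stays open
# outside of a transfer.
stateful_rules() {
    $RUN modprobe ip_conntrack_ftp
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Option 2: ipchains, no connection tracking. The FTP client has to be set up
# to offer only ports inside the given range in its PORT commands; that range
# is then reachable from the server's ftp-data port (20) at all times.
#   $1 = FTP server address, $2 = port range as low:high
static_range_rules() {
    server="$1"
    range="$2"
    $RUN ipchains -A input -p tcp -s "$server" 20 -d 0/0 "$range" -j ACCEPT
}

# Usage: script stateful
#        script static 192.0.2.10 50000:50010   (constructed sample values)
case "${1:-}" in
    stateful) stateful_rules ;;
    static)   static_range_rules "$2" "$3" ;;
esac
```

Option 2 only limits the exposure by source address, source port and the size of the range, since source port 20 is chosen by the remote side.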