--- Gerald Combs wrote:
Justin Dugger wrote:
Actually, you probably need a ftp tracking module
installed into the
kernel; ftp has two ports, the command and data
port. The command port
is 21, which does things like initiate transfers
...
FTP uses port 21 for commands, such as LIST, PWD, DIR, CD, etc. as you stated above. It uses a separate socket and separate ports for data transfers (such as directory listings and files). Data transfers are either "active" or "passive." For active connections, the server initiates a connection _from_ port 20 to a randomly selected port on the client. For passive connections, the client initiates a connection to a randomly selected port on the server. You shouldn't have to unblock port 20 no matter what, since there isn't going to be traffic coming into that port in either case.
Firewalls can trip up two things:
- They can block active data connections to clients
(which is why most FTP client software uses passive connections nowadays).
- If a data connection takes a long time, they can
time out the associated command connection (which sits idle).
To get around these issues firewalls typically use stateful inspection or proxying.
Correct me if I'm wrong, but the simple firewall rules posted earlier would effectively break ftp. Wouldn't the unprivileged ports also be blocked? Wouldn't you need to specifically allow the unprivileged ports for either active or passive ftp? Wouldn't you need to allow outbound ports also? I don't remember all the rules posted, but I would think that the default rule would be to drop inbound and outbound unused ports.
Brian D.
Jack wrote:
Correct me if I'm wrong, but the simple firewall rules posted earlier would effectively break ftp. Wouldn't the unprivileged ports also be blocked? Wouldn't you need to specifically allow the unprivileged ports for either active or passive ftp? Wouldn't you need to allow outbound ports also? I don't remember all the rules posted, but I would think that the default rule would be to drop inbound and outbound unused ports.
AFAIK, the firewall rules that Chris posted permit all outbound traffic. Assuming that you're firewalling the client and not the server, this would allow passive FTP connections since they originate from the client. To allow active connections in from the server to the client you'd have to enable some sort of connection traffic.
Correct me if I'm wrong, but the simple firewall rules posted earlier would effectively break ftp. Wouldn't the unprivileged ports also be blocked? Wouldn't you need to specifically allow the unprivileged ports for either active or passive ftp? Wouldn't you need to allow outbound ports also? I don't remember all the rules posted, but I would think that the default rule would be to drop inbound and outbound unused ports.
Brian D.
The default policy for the Output chain is usually ACCEPT, so there is no need to open outbound ports specifically. The ACCEPT statement on the ESTABLISHED,RELATED line will allow connections to the unprivileged ports since they are related to the connection on port 21. I believe ip_conntrack_ftp helps with this.
Brad
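The active/passive split Gerald describes and the ESTABLISHED,RELATED plus ip_conntrack_ftp point Brad makes are one mechanism seen from two sides: a stateful firewall reads the port 21 control channel, decodes the PORT command or the 227 reply, and adds a one-shot "expectation" for exactly the data connection that was announced, so no unprivileged port range and no port 20 ever has to be opened statically. The following Python is an added example written for this thread; it is not code from the list, from Wireshark, or from the netfilter FTP helper, and it only models that helper's decision logic. Assumptions: the client and server addresses are known from the control connection; the addresses and control lines are constructed for the example; EPSV (RFC 2428) handling goes beyond what the thread discusses; the refusal of an announced address that is not the control peer is a design choice of this example, not a statement about what the kernel module does.

```python
"""Toy FTP connection-tracking helper (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

CLIENT_TO_SERVER = "c2s"   # line sent by the FTP client on the control channel
SERVER_TO_CLIENT = "s2c"   # reply sent by the FTP server on the control channel

# RFC 959 address form used by PORT and by the 227 reply: h1,h2,h3,h4,p1,p2
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply carries only a port: 229 Entering Extended Passive Mode (|||port|)
_EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class Expectation:
    """One data connection the firewall should accept as RELATED."""
    src: str    # endpoint that will open the data connection
    dst: str
    dport: int
    mode: str   # "active" or "passive"


def _parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (host, port); port = p1*256 + p2."""
    m = _HOST_PORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 announced in %r" % text)
    return ".".join(str(n) for n in nums[:4]), port


@dataclass
class FtpSession:
    client: str
    server: str
    expectations: list = field(default_factory=list)

    def observe(self, direction, line):
        """Feed one control-channel line; return the Expectation it creates, or None."""
        line = line.rstrip("\r\n")
        if direction == CLIENT_TO_SERVER:
            if line[:5].upper() != "PORT ":
                return None                      # LIST, PWD, ... open no data channel
            host, port = _parse_hostport(line[5:])
            # Active: the server connects to the client's announced port.  The
            # server's source port (20) is not part of the key, which is why
            # nothing has to be opened for port 20; only this flow is expected.
            exp = Expectation(self.server, host, port, "active")
            announced_by = self.client
        elif line.startswith("227 "):
            host, port = _parse_hostport(line)
            # Passive: the client connects to the server's announced port.
            exp = Expectation(self.client, host, port, "passive")
            announced_by = self.server
        elif line.startswith("229 "):
            m = _EPSV_PORT.search(line)
            if m is None:
                raise ValueError("malformed 229 reply: %r" % line)
            exp = Expectation(self.client, self.server, int(m.group(1)), "passive")
            announced_by = self.server
        else:
            return None
        # Design choice of this example: the announced address must be the
        # peer that announced it, so neither side can make the firewall
        # expect (and admit) a connection involving some third host.
        if exp.dst != announced_by:
            raise ValueError("announced host %s is not the control peer %s"
                             % (exp.dst, announced_by))
        self.expectations.append(exp)
        return exp

    def allow_data_connection(self, src, dst, dport):
        """Decision for a new TCP SYN: accept once if an expectation matches it."""
        for exp in self.expectations:
            if (exp.src, exp.dst, exp.dport) == (src, dst, dport):
                self.expectations.remove(exp)    # one data connection per announcement
                return True
        return False


def rejects(session, direction, line):
    """True if the helper refuses the control line instead of creating an expectation."""
    try:
        session.observe(direction, line)
    except ValueError:
        return True
    return False


def demo():
    """Constructed exchange (documentation addresses, not captured traffic)."""
    s = FtpSession(client="192.0.2.10", server="198.51.100.5")
    results = []
    s.observe(CLIENT_TO_SERVER, "PORT 192,0,2,10,4,1\r\n")              # client port 1025
    results.append(s.allow_data_connection("198.51.100.5", "192.0.2.10", 1025))
    s.observe(SERVER_TO_CLIENT, "227 Entering Passive Mode (198,51,100,5,195,80).\r\n")
    results.append(s.allow_data_connection("192.0.2.10", "198.51.100.5", 50000))
    results.append(s.allow_data_connection("192.0.2.10", "198.51.100.5", 50000))  # second SYN
    results.append(rejects(s, CLIENT_TO_SERVER, "PORT 203,0,113,7,0,80\r\n"))     # third host
    return results   # [True, True, False, True]
```

Run `demo()` and note what the inbound rule actually keys on: for the active transfer the firewall admits one SYN from the server to the client's announced port 1025 and nothing else, for the passive transfer the client's outbound SYN to port 50000 is matched, a second SYN to the same port is dropped because the expectation was consumed, and a PORT command naming an address other than the client is refused outright. That is the behaviour the ESTABLISHED,RELATED rule plus the FTP helper gives you without ever listing unprivileged ports in the ruleset.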