Re: RRAS and Passive FTP.
From: Enkidu (enkidu_at_xyzcliffpxyz.com)
Date: 06/12/04
Date: Sat, 12 Jun 2004 12:44:08 +1200
It's incoming ports that have to be opened. The basic firewall setup
is for *all* outgoing ports to be open and no incoming ports open. You
then open any required incoming ports for webservers behind the
firewall or whatever and close others that you don't want to go out.

If you have an ftp client outside trying to get in to your ftp server,
it first makes a connection on port 21 and in active mode the server
then makes a connection out on port 20 to the ftp client. So to make
active ftp work all that is normally needed is for the firewall to
allow connections on port 21 and if necessary NAT them to the correct
server. The outbound connection is on port 20 and that goes OK unless
outgoing restrictions have been put in place.

If the client is behind a firewall however, it cannot accept incoming
requests on port 20. This is why passive ftp was developed. The client
end makes the control connection on port 21 as before. During the
connection dialog your server says to the client "connect using port
xxxx" for the data connection. The client then attempts to connect to
your server on port xxxx for the data connection. For this to work you
need to open port 21 and several high order *incoming* ports. Your
firewall device should be set up to allow 21 + high order ports and
should NAT them to the server.

http://slacksite.com/other/ftp.html

Cheers,
Cliff
On Thu, 10 Jun 2004 12:51:46 +0100, "Jim.J" <sam@mxweaver.com> wrote:
>Thanks for your reply. I do realise that but I can't figure out how to allow
>all outgoing ports on a single IP in RRAS basic firewall / NAT. Any ideas?
>
>"Gerry Voras" <gerry.voras@nextaction.com> wrote in message
>news:urdbTNoTEHA.1284@TK2MSFTNGP10.phx.gbl...
>> That's going to be the price you pay for security. Either allow the ports
>> to be open, or don't use PASV mode.
>>
>> I personally would switch to SSH/SCP/SFTP for file transfers. Much more
>> secure in any case.
>>
>> "JimJ" <JimJ.17lblz@mail.webservertalk.com> wrote in message
>> news:JimJ.17lblz@mail.webservertalk.com...
>> >
>> > Hi all,
>> > I want to use RRAS Basic Firewall /NAT for an extra layer of port
>> > blocking and have configured everything except I cannot work out how to
>> > allow for passive FTP. Passive FTP basically requires that a large
>> > range of outgoing ports is open on the IP used for FTP. However I
>> > cannot find any way to allow all outgoing or a port range within RRAS.
>> > Does anyone know how to do this?
>> > Thanks in advance for any input.
>> >
>> >
>> >
>> > --
>> > JimJ
>> > ------------------------------------------------------------------------
>> > Posted via http://www.webservertalk.com
>> > ------------------------------------------------------------------------
>> > View this thread: http://www.webservertalk.com/message255886.html
>> >
>>
>>
>