* passive mode ftp
@ 2003-05-23 8:56 Eric Constantineau
2003-05-23 9:12 ` Cedric Blancher
2003-05-23 10:04 ` Ray Leach
0 siblings, 2 replies; 5+ messages in thread
From: Eric Constantineau @ 2003-05-23 8:56 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
Hi !
I want to be able to use passive ftp under my firewall...
Right now passive mode does not function because I allow only packets
WITH port 21 as a destination OR source. When in normal mode, packets
from the ftp server have 21 for the source port and the packets from the
client have 21 for the destination port so it works. But, entering
passive mode, the destination and source ports are not 21, so my
firewall blocks.
Using a ftp client such as leechftp, cuteftp, wsftp is okay, but using
the browser (iexplore) does not because it use passive mode.
I don't want to open too much my ports, it would mean that someone could
use those ports to get access to inside networks... But I want to be
able to use passive mode, some users do not want to use ftp client
software, or are not even able to install them...
Is there a specific range of ports that all passive ftp use ?
Thanks for helping me
Eric
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: passive mode ftp
2003-05-23 8:56 passive mode ftp Eric Constantineau
@ 2003-05-23 9:12 ` Cedric Blancher
2003-05-23 10:04 ` Ray Leach
1 sibling, 0 replies; 5+ messages in thread
From: Cedric Blancher @ 2003-05-23 9:12 UTC (permalink / raw)
To: Eric Constantineau; +Cc: netfilter@lists.netfilter.org
Le ven 23/05/2003 à 10:56, Eric Constantineau a écrit :
> I want to be able to use passive ftp under my firewall...
Use Netfilter conntrack functionnalities :
# modprobe ip_conntrack_ftp
[...]
> Is there a specific range of ports that all passive ftp use ?
Using FTP conntrack helper, you can spot data connections with RELATED
state. A setup setup could be :
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -s $LAN \
--dport 21 -o $EXTIF -j ACCEPT
Once a FTP connection is up, further packets are handled by ESTABLISHED
state rule, and connection data initiating is handled by RELATED state.
If you're using NAT, then you will need to modprobe ip_nat_ftp module.
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: passive mode ftp
2003-05-23 8:56 passive mode ftp Eric Constantineau
2003-05-23 9:12 ` Cedric Blancher
@ 2003-05-23 10:04 ` Ray Leach
2003-05-23 12:12 ` Patrick Ahler
1 sibling, 1 reply; 5+ messages in thread
From: Ray Leach @ 2003-05-23 10:04 UTC (permalink / raw)
To: Netfilter Mailing List
[-- Attachment #1: Type: text/plain, Size: 1336 bytes --]
On Fri, 2003-05-23 at 10:56, Eric Constantineau wrote:
> Hi !
>
> I want to be able to use passive ftp under my firewall...
>
> Right now passive mode does not function because I allow only packets
> WITH port 21 as a destination OR source. When in normal mode, packets
> from the ftp server have 21 for the source port and the packets from the
> client have 21 for the destination port so it works. But, entering
> passive mode, the destination and source ports are not 21, so my
> firewall blocks.
>
> Using a ftp client such as leechftp, cuteftp, wsftp is okay, but using
> the browser (iexplore) does not because it use passive mode.
>
> I don't want to open too much my ports, it would mean that someone could
> use those ports to get access to inside networks... But I want to be
> able to use passive mode, some users do not want to use ftp client
> software, or are not even able to install them...
>
> Is there a specific range of ports that all passive ftp use ?
No, passive mode uses random ports from 1024 upwards.
You could use a web proxy like squid. You can force squid to always use
active mode.
Alternatively, you could use the state inspection of iptables and the
ftp connection tracking module to configure passive ftp.
>
> Thanks for helping me
>
> Eric
>
>
>
>
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: passive mode ftp
2003-05-23 10:04 ` Ray Leach
@ 2003-05-23 12:12 ` Patrick Ahler
0 siblings, 0 replies; 5+ messages in thread
From: Patrick Ahler @ 2003-05-23 12:12 UTC (permalink / raw)
To: Ray Leach, Netfilter Mailing List
http://slacksite.com/other/ftp.html
Read the article above... about active vs. passive ftp.
Also, most ftp servers allow you to specify which ports to use for passive
ftp, that way you would only have to open those.
-Patrick
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
Sent: Friday, May 23, 2003 6:05 AM
To: Netfilter Mailing List
Subject: Re: passive mode ftp
On Fri, 2003-05-23 at 10:56, Eric Constantineau wrote:
> Hi !
>
> I want to be able to use passive ftp under my firewall...
>
> Right now passive mode does not function because I allow only packets
> WITH port 21 as a destination OR source. When in normal mode, packets
> from the ftp server have 21 for the source port and the packets from the
> client have 21 for the destination port so it works. But, entering
> passive mode, the destination and source ports are not 21, so my
> firewall blocks.
>
> Using a ftp client such as leechftp, cuteftp, wsftp is okay, but using
> the browser (iexplore) does not because it use passive mode.
>
> I don't want to open too much my ports, it would mean that someone could
> use those ports to get access to inside networks... But I want to be
> able to use passive mode, some users do not want to use ftp client
> software, or are not even able to install them...
>
> Is there a specific range of ports that all passive ftp use ?
No, passive mode uses random ports from 1024 upwards.
You could use a web proxy like squid. You can force squid to always use
active mode.
Alternatively, you could use the state inspection of iptables and the
ftp connection tracking module to configure passive ftp.
>
> Thanks for helping me
>
> Eric
>
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: passive mode ftp
@ 2003-05-23 9:21 George Vieira
0 siblings, 0 replies; 5+ messages in thread
From: George Vieira @ 2003-05-23 9:21 UTC (permalink / raw)
To: Eric Constantineau, netfilter
You must load
insmod ip_conntrack_ftp
otherwise it won't work without it.. you must also add a rule similar to this..
iptables -A INPUT -p tcp --m state RELATED -j ACCEPT
You must use RELATED as the connection is related to an existing ftp session on port 21. ip_conntrack_ftp knows the connection and port you negotiated with the ftp server and allows it..
hope that helps.. there's so many scripts out there which shows this info.
-----Original Message-----
From: Eric Constantineau [mailto:mekanik@nerim.net]
Sent: Fri 23-May-03 6:56 PM
To: netfilter@lists.netfilter.org
Cc:
Subject: passive mode ftp
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-05-23 12:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-05-23 8:56 passive mode ftp Eric Constantineau
2003-05-23 9:12 ` Cedric Blancher
2003-05-23 10:04 ` Ray Leach
2003-05-23 12:12 ` Patrick Ahler
-- strict thread matches above, loose matches on Subject: below --
2003-05-23 9:21 George Vieira
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.