From: <Use...@zo...> - 2003-12-31 17:39:12
cm...@me... (Chris Meller) 31.12.03 09:27
Once upon a time "Chris Meller" shaped the electrons to say...

>> ip_nat_ftp 3840 0 (unused)
>>
>> First off, why is this unused?
>> Second off, is this the thing I am looking for?

> I'd just stick with straight port forwards. Besides, I don't know if
> that module is for FTP servers or simply downloading from other FTP
> servers.

The last.

> You said you wanted to get rid of the passive range... so do it. Force
> users to use active mode.

The problem is the firewalls on the other side, which often deny active
FTP but have no problem with passive mode.

To get rid of the FTP problems: don't use FTP. Allow only sftp or http.

> That should limit you to only one FTP port
> open (21 or your equivalent of it).

You always need a second port too.

As always (to the OP): first try whether "telnet server ftp-controlport"
works. Do you get a prompt? If not: what error message? Can you log in
using "USER" and "PASS"? Then can you open a data connection using an
"ls" command? (Here ends the capability of telnet; you need a second
telnet to the said port, or netcat, to simulate the requested server.)

It might also be helpful to see whether a telnet from the firewall
console to the FTP server works. Maybe a dump of an FTP connect using
"ftp -d" is useful too. Maybe activating logging of all dropped packets
gives me useful information?

It might also be useful to read http://www.pureftpd.org/FAQ :

* Firewalling -> My FTP server is behind a firewall. What ports should I open?

ACTIVE FTP: First, you have to open port 21 TO the FTP server. You also
have to allow connections FROM (not to) ports <= 20 (of the FTP server)
to everywhere. That's enough to handle the "active" mode.

PASSIVE FTP: But that's not enough to handle all types of clients. Most
clients will use another mode to transmit data called 'passive' mode.
It's a bit more secure than 'active' mode, but you need to open more
ports on your firewall to have it work. So, open some ports TO the FTP
server. These ports should be > 1023. It's recommended to use at least
twice the max number of clients you are expecting. So, if you accept 200
concurrent sessions, opening ports 50000 to 50400 is ok. Then, run
pure-ftpd with the '-p' switch followed by the range configured in your
firewall. Example:

/usr/local/sbin/pure-ftpd -p 50000:50400 &

Contrary to popular belief, the MORE opened ports you have for passive
FTP, the MORE your FTP server will be secure, because the LESS you are
vulnerable to data hijacking.

NAT: If your firewall also does network address translation (NAT), you
have to enable port forwarding for all passive ports.

CLIENT: On the client side, if a client is behind a firewall, that
firewall must understand the FTP protocol. On Linux firewalls
(iptables), just load the ip_conntrack_ftp and ip_nat_ftp modules. On
OpenBSD, ISOS and EkkoBSD firewalls (PF), redirect all traffic to port
21 to ftp-proxy.

----------------------------

See the nice (firewall related) explanation on
http://slacksite.com/other/ftp.html

.... The main problem with active mode FTP actually falls on the client
side. The FTP client doesn't make the actual connection to the data port
of the server--it simply tells the server what port it is listening on
and the server connects back to the specified port on the client. From
the client side firewall this appears to be an outside system initiating
a connection to an internal client--something that is usually blocked.

-----Original Message-----
From: mat...@ve... (Matt Hannan)

Has anyone successfully set up IPCop and Pure-FTPd so that the FTP
server does not have to be running in passive mode while IPCop is
NATing? Here is a quote from the Pure-FTPd install doc so you can see
what I mean:

- '-N' '--natmode': NAT mode. Force ACTIVE mode. If your FTP server is
behind a NAT box that doesn't support applicative FTP proxying, or if
you use port redirection without a transparent FTP proxy, use this.
Well... the previous sentence isn't very clear. Okay: if your network
looks like this:

(FTP server)-------(NAT/masquerading gateway/router)------(Internet)

and if you want people coming from the internet to have access to your
FTP server, please try without this option first. If Netscape clients
can connect without any problem, your NAT gateway rulez. If Netscape
doesn't display directory listings, your NAT gateway sucks. Use '-N' as
a workaround.

What the heck is "applicative FTP proxying"? Anyone? Anyone? Bueller?

I would LOVE to close the passive port range on the IPCop. Also, I am
not running FTP across port 21...;-)

Thanks,
Matt
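The reply above suggests dumping the control channel with "ftp -d" to see why a NATed FTP server breaks. As an added example (not code from this thread, from IPCop or from pure-ftpd), this Python script reads such a transcript, decodes the PASV replies and PORT commands, and flags passive ports outside the forwarded range (50000:50400, as in the FAQ example) and PASV replies that still carry an RFC 1918 address, which is what a NAT gateway without FTP-aware proxying (no ip_nat_ftp, no ftp-proxy) leaves in place. The transcript is constructed.

```python
import ipaddress
import re

# Constructed transcript in the style of "ftp -d" output: "---> " marks
# commands the client sent, the other lines are server replies.
SAMPLE_TRANSCRIPT = """\
---> PASV
227 Entering Passive Mode (192,168,1,10,195,80)
---> PORT 10,0,0,5,4,1
200 PORT command successful
---> PASV
227 Entering Passive Mode (203,0,113,7,219,0)
"""

# Passive range as in the pure-ftpd FAQ example (-p 50000:50400).
PASSIVE_RANGE = (50000, 50400)
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_COMMAND = re.compile(r"^(?:--->\s*)?PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_endpoint(fields):
    """FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def check_transcript(text, passive_range=PASSIVE_RANGE):
    """Return (finding, ip, port) tuples for data-channel endpoints that
    would fail behind a firewall/NAT set up like the one in the thread."""
    lo, hi = passive_range
    findings = []
    for line in text.splitlines():
        m = PASV_REPLY.match(line)
        if m:
            ip, port = decode_endpoint(m.groups())
            if not lo <= port <= hi:
                findings.append(("pasv_port_outside_range", ip, port))
            if is_rfc1918(ip):
                # Internal address leaked through NAT: no FTP-aware proxying.
                findings.append(("pasv_private_address", ip, port))
            continue
        m = PORT_COMMAND.match(line)
        if m:
            # Active mode: the server connects back to this client port, which
            # the client-side firewall sees as an inbound connection.
            findings.append(("active_mode_callback", *decode_endpoint(m.groups())))
    return findings
```

Run it over a real "ftp -d" capture from a failing client to tell a bad passive range apart from a leaked internal address before reaching for '-N'.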