ftp server behind firewall
Kurt Wall
kwall
Mon May 17 11:49:08 PDT 2004
Quoth Joel Hammer:
> I want to be able to ftp to a linux box behind a firewall linux box from
> the outside. I need to configure the ftp server and the firewall.
>
> I assume, since the "outside" client is also behind a firewall, I may be
> using passive mode for the transfer. I am using ipchains and ipmasqadm. I
> am running an ftp server on the firewall linux box, too. This ftp server
> on the firewall box is using ports 20 and 21.
>
> In the active transfer mode, it seems straightforward to have the
> outside client ftp to a special command port, say port 27 instead of
> 21. I can set up the firewall linux box to send all requests on port 27
> to my ftp server behind the firewall to the usual command port. But,
> here is where I need help. How do I tell the client what the data
> port is on the server? Does the ftp server send the data port back as a
> data packet, or does the ftp client assume the data port number is the
> port on the server making the connection to the client's data port? Could
> ipmasqadm simply switch outgoing port numbers?
I would think which ports to use are part of the protocol negotiation.
> The second question is for passive mode. Here, the ftp server sends back the
> temporary port to use for data transfers. There is supposed to be a way to
> restrict which ports are sent back by the server. However, the method
> suggested is changing an include file and, I suppose, recompiling the ftp
> daemon. Is there a configuration file which would do this?
> Could I just edit the binary file, assuming I could find the current port
> ranges in the binary file? Sounds hard, since it will be numbers, not
> strings.
This depends on the underlying FTP server. ProFTPd uses

    PassivePorts min-port-num max-port-num

to specify a range of ports to be used for ftp-data.
WU-FTPd uses

    passive ports <cidr> <min> <max>

IP addresses matching <cidr> use <min> <= port <= <max>. See also
the pasv-allow directive for WU-FTPd.
Kurt
--
The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding.
-- Justice Louis D. Brandeis
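
Added example, not part of the original thread: in FTP (RFC 959) the data endpoint travels on the control connection as h1,h2,h3,h4,p1,p2, in the client's PORT command for active mode and in the server's 227 reply for passive mode. The Python sketch below decodes that field and checks a 227 reply against the address and passive range a firewall forwards; the function names, addresses and port range are constructed for illustration.

```python
import re

# RFC 959 host-port field: four address bytes and two port bytes, in decimal.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply line."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("byte value above 255 in %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv_reply(reply, public_ip, min_port, max_port):
    """List the reasons an outside client could not use this 227 reply."""
    ip, port = parse_hostport(reply)
    problems = []
    if ip != public_ip:
        problems.append("advertises %s, outside clients reach %s" % (ip, public_ip))
    if not min_port <= port <= max_port:
        problems.append("port %d outside forwarded range %d-%d" % (port, min_port, max_port))
    return problems


# Constructed sample values (documentation/private addresses, made-up range).
PUBLIC_IP = "203.0.113.7"
PASSIVE_RANGE = (50000, 50100)
SAMPLES = [
    "PORT 198,51,100,23,4,1",
    "227 Entering Passive Mode (192,168,1,10,195,80)",
    "227 Entering Passive Mode (203,0,113,7,4,1)",
    "227 Entering Passive Mode (203,0,113,7,195,90)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", parse_hostport(line))
        if line.startswith("227"):
            print("   problems:", check_pasv_reply(line, PUBLIC_IP, *PASSIVE_RANGE))
```

The second sample shows the masquerading case: the server behind the firewall advertises its private address in the reply, which an outside client cannot connect to even when the port itself is inside the forwarded range.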