[lug] FTP question.

D. Stimits stimits at idcomm.com
Thu Aug 9 15:09:09 MDT 2001


John Hernandez wrote:
> 
> I don't fully understand what Kelly needs to accomplish.  What might be helpful is some sort of ASCII topology diagram, showing where the server and clients are.  Is there NAT involved?  By "setup the port mappings so that the passive connection port for the FTP server is properly retargetted" do you mean configure port forwarding in some fashion?  I'm sure we can come up with something if you provide more detail.
> 
> Unless you have full control over the clients, your ability to limit port ranges will be limited to modifications of the ftpd source code.  Here again, I must be a little confused.


I'll let him give any details, but basically, he now has a block of ip's
with low data rates on each. He has the ability to switch to a single ip
with a much higher throughput for the same price. He also has a hardware
firewall set up between his internal machines and the real world. Due to
firewall flexibility and setup, he can do a lot better on security (or
simplification, I'm not sure which) if he can cause an incoming ftp
connection, when returning data (this means on ports above 1024, not the
SYN or negotiation) port is not only higher than 1024, but also if it is
higher than 12000, or even if it is forced between 12000 and 12010.
E.G., a typical tcp/ip connection (and ftp qualifies there) will contact
his machine on a well known port, e.g., telnet goes to 23; then during
the establishment, an outgoing port (a non-well-known port, e.g., 10003)
will open for the return route to the original connection. Currently, I
think (not sure) ftp will always use a port above 1024 during the return
phase. The goal would be to take any outgoing return route port from the
linux box, e.g., 1234, and proxy it on the linux box itself, to instead
go out on port 12000 (or any port between 12000 and 12010, depending on
if it is taken already). His hardware firewall does not block ports
12000 through 12010, but on many replies, ftp will choose a port between
0 and some other value, like 10000, which are entirely blocked. Proxy to
a higher port number removes the issue of reconfiguring the hardware
firewall. Kelly will have to reply if that is the correct description,
but I interpret it as needing to proxy any ftp return ports from the
value that ftp chooses, to a value between 12000 and 12010.

D. Stimits, stimits at idcomm.com

> 
> -John
> 
> "D. Stimits" wrote:
> >
> > "Brock, Kelly" wrote:
> > >
> > > Hi All,
> > >
> > >         Another question about WU-FTP that has been bugging me.  I have a
> > > hardware firewall/DHCP/wireless LAN/print server hub box.  While I bought it
> > > primarily for the wireless LAN and print server for my laptops the firewall
> > > is a nice bonus.  The problem though is that I need to setup the port
> > > mappings so that the passive connection port for the FTP server is properly
> > > retargetted to my linux machines.  I know this is a solvable problem, I just
> > > can't seem to get it working correctly.
> > >
> > >         What I really want is to limit the port range of the passive
> > > connections to something like 12000-12010 so that I can open those on the
> > > firewall and map them to the appropriate machine.
> > >
> > >         Regards,
> > >
> > >         KB
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> > Surely someone on the list must know how to proxy the ftp to do this? I
> > don't, I rarely deal with proxy, but it seems like there should be a way
> > when an incoming request to ports 20/21 result in an outbound higher
> > port number to go to the requesting machine, that it could be told to
> > proxy that outbound port to a higher number? Proxy of some sort seems to
> > be the key.
> >
> > D. Stimits, stimits at idcomm.com
> 
> --
> 
>   - John Hernandez - Network Engineer - 303-497-6392 -
>  |  National Oceanic and Atmospheric Administration   |
>  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
>   ----------------------------------------------------
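An added example, not part of the thread above and not wu-ftpd code, to make the passive-mode mechanics concrete: the server picks a data port, announces it in a `227` reply as two bytes (`p1*256 + p2`), and the client connects to that port, so a firewall that only forwards 12000-12010 will silently break any transfer whose announced port falls outside that window. The allocator and the range are stand-ins for what an ftpd does internally (in wu-ftpd the equivalent knobs are the `passive ports` and `passive address` directives in `ftpaccess`); the range 12000-12010 and the sample addresses are taken from or constructed for this example.

```python
"""Model of FTP passive-mode data-port selection and the firewall check.

Added example; the allocator below stands in for an ftpd's internal port
choice and the 12000-12010 window is the one discussed in the thread.
"""
import re

PASSIVE_MIN, PASSIVE_MAX = 12000, 12010  # window the hardware firewall forwards

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def choose_passive_port(taken, low=PASSIVE_MIN, high=PASSIVE_MAX):
    """Return the first free port in [low, high], or None if all are busy.

    `taken` is a set of ports already in use by other data connections;
    a real ftpd discovers this by a failed bind() rather than a set lookup.
    """
    for port in range(low, high + 1):
        if port not in taken:
            return port
    return None


def pasv_reply(host, port):
    """Build the 227 reply the server sends after PASV.

    `host` is the address the client must connect to; behind NAT this has to
    be the firewall's public address, not the server's private one.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    h1, h2, h3, h4 = host.split(".")
    p1, p2 = divmod(port, 256)  # high byte, low byte
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (h1, h2, h3, h4, p1, p2)


def parse_pasv_reply(line):
    """Client side: recover (host, port) from a 227 reply."""
    m = PASV_RE.search(line)
    if not line.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def firewall_allows(port, low=PASSIVE_MIN, high=PASSIVE_MAX):
    """True if a data connection to `port` would be forwarded by the firewall."""
    return low <= port <= high


def check_reply(line):
    """Parse a server's 227 reply and report whether the transfer would get
    through the firewall; returns (host, port, allowed)."""
    host, port = parse_pasv_reply(line)
    return host, port, firewall_allows(port)


if __name__ == "__main__":
    # Constructed sample: two data connections already hold 12000 and 12001.
    port = choose_passive_port({12000, 12001})
    reply = pasv_reply("192.168.1.5", port)
    print(reply, "->", check_reply(reply))
    # A server that ignores the range and announces 10003 gets blocked.
    print(check_reply("227 Entering Passive Mode (192,168,1,5,39,19)"))
```

Running the block shows the first reply land on 12002 (`46,226` on the wire) and pass the check, while the second, port 10003 (`39,19`), is rejected, which is exactly the symptom of a passive server whose port range was never pinned down. Note that the `227` reply carries an address as well as a port: if the server announces its private address, a client outside the firewall will connect to the wrong host even when the port is in range, so a NAT setup needs both the port range and the advertised address fixed.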