[lug] FTP question.
Brock, Kelly
KBrock at maxis.com
Thu Aug 9 15:43:03 MDT 2001
Hi All,
Dan is fairly close but it doesn't matter anymore. Turns out that
Maxis changed the firewall here and *that* is what is screwing up the ftp
service, not my home setup. Oh well, guess I'll just keep using the workaround
that I found. As to the speeds, it's pretty fast now but by trading
out the ip block for a single ip I can upgrade further. That was one of the
two reasons to get the hub/firewall in the first place, other than the fact
that if I ever want to work from home Maxis requires that I have a firewall.
:/
Regards,
Kelly Brock
The Sims Online
Maxis - Electronic Arts
> -----Original Message-----
> From: lug-admin at lug.boulder.co.us
> [mailto:lug-admin at lug.boulder.co.us]On
> Behalf Of D. Stimits
> Sent: Thursday, August 09, 2001 2:09 PM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] FTP question.
>
>
> John Hernandez wrote:
> >
> > I don't fully understand what Kelly needs to accomplish.
> > What might be helpful is some sort of ASCII topology diagram,
> > showing where the server and clients are. Is there NAT
> > involved? By "setup the port mappings so that the passive
> > connection port for the FTP server is properly retargeted"
> > do you mean configure port forwarding in some fashion? I'm
> > sure we can come up with something if you provide more detail.
> >
> > Unless you have full control over the clients, your ability
> > to limit port ranges will be limited to modifications of the
> > ftpd source code. Here again, I must be a little confused.
>
>
> I'll let him give any details, but basically, he now has a block of ip's
> with low data rates on each. He has the ability to switch to a single ip
> with a much higher throughput for the same price. He also has a hardware
> firewall set up between his internal machines and the real world. Due to
> firewall flexibility and setup, he can do a lot better on security (or
> simplification, I'm not sure which) if he can cause an incoming ftp
> connection, when returning data (this means on ports above 1024, not the
> SYN or negotiation) port is not only higher than 1024, but also if it is
> higher than 12000, or even if it is forced between 12000 and 12010.
> E.G., a typical tcp/ip connection (and ftp qualifies there) will contact
> his machine on a well known port, e.g., telnet goes to 23; then during
> the establishment, an outgoing port (a non-well-known port, e.g., 10003)
> will open for the return route to the original connection. Currently, I
> think (not sure) ftp will always use a port above 1024 during the return
> phase. The goal would be to take any outgoing return route port from the
> linux box, e.g., 1234, and proxy it on the linux box itself, to instead
> go out on port 12000 (or any port between 12000 and 12010, depending on
> if it is taken already). His hardware firewall does not block ports
> 12000 through 12010, but on many replies, ftp will choose a port between
> 0 and some other value, like 10000, which are entirely blocked. Proxy to
> a higher port number removes the issue of reconfiguring the hardware
> firewall. Kelly will have to reply if that is the correct description,
> but I interpret it as needing to proxy any ftp return ports from the
> value that ftp chooses, to a value between 12000 and 12010.
>
> D. Stimits, stimits at idcomm.com
>
> >
> > -John
> >
> > "D. Stimits" wrote:
> > >
> > > "Brock, Kelly" wrote:
> > > >
> > > > Hi All,
> > > >
> > > > Another question about WU-FTP that has been bugging me. I have a
> > > > hardware firewall/DHCP/wireless LAN/print server hub box. While I bought it
> > > > primarily for the wireless LAN and print server for my laptops the firewall
> > > > is a nice bonus. The problem though is that I need to setup the port
> > > > mappings so that the passive connection port for the FTP server is properly
> > > > retargeted to my linux machines. I know this is a solvable problem, I just
> > > > can't seem to get it working correctly.
> > > >
> > > > What I really want is to limit the port range of the passive
> > > > connections to something like 12000-12010 so that I can open those on the
> > > > firewall and map them to the appropriate machine.
> > > >
> > > > Regards,
> > > >
> > > > KB
> > > > _______________________________________________
> > > > Web Page: http://lug.boulder.co.us
> > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> > Surely someone on the list must know how to proxy the ftp to do this? I
> > don't, I rarely deal with proxy, but it seems like there should be a way
> > when an incoming request to ports 20/21 result in an outbound higher
> > port number to go to the requesting machine, that it could be told to
> > proxy that outbound port to a higher number? Proxy of some sort seems to
> > be the key.
> >
> > D. Stimits, stimits at idcomm.com
>
> --
>
> - John Hernandez - Network Engineer - 303-497-6392 -
> | National Oceanic and Atmospheric Administration |
> | Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
> ----------------------------------------------------
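What Kelly's passive port-range question comes down to can be checked mechanically. The following is an added example (not code from the thread, from wu-ftpd, or from the list members): it parses the 227 reply an FTP server sends to PASV, computes the data port the client will connect to, and flags any port the firewall would not forward to the server, plus the related NAT problem of a server advertising its LAN address. The addresses 203.0.113.5 and 192.168.1.10 and the sample replies are constructed.

```python
"""Check FTP PASV replies against the port range a firewall forwards.

A PASV reply looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
the client then connects to h1.h2.h3.h4 on port p1*256 + p2 (RFC 959).
If the firewall forwards only 12000-12010, any other advertised port
hangs the transfer even though the control connection on 21 still works.
"""
import re
from typing import List, Tuple

PASV_RE = re.compile(r"^227\D*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
FORWARDED_RANGE = (12000, 12010)  # the range Kelly wants opened on the firewall

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (host, port) a 227 reply advertises; reject malformed input."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"PASV field out of 0-255 range: {reply!r}")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def audit(replies: List[str], public_ip: str,
          port_range: Tuple[int, int] = FORWARDED_RANGE) -> List[str]:
    """One verdict per reply: 'ok' or why the firewall would break it."""
    low, high = port_range
    verdicts = []
    for reply in replies:
        host, port = parse_pasv(reply)
        if not low <= port <= high:
            verdicts.append(f"port {port} outside {low}-{high}")
        elif host != public_ip:
            # A NATed server that advertises its LAN address strands Internet
            # clients unless the firewall rewrites the 227 reply (FTP ALG).
            verdicts.append(f"advertises {host}, not public {public_ip}")
        else:
            verdicts.append("ok")
    return verdicts

# Constructed sample replies (not from the thread); 203.0.113.5 is the assumed
# public address of the firewall, 192.168.1.10 the server's LAN address.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,5,46,229)",   # 46*256+229 = 12005
    "227 Entering Passive Mode (203,0,113,5,4,210)",    # 4*256+210 = 1234
    "227 Entering Passive Mode (192,168,1,10,46,224)",  # 12000, but LAN address
]

if __name__ == "__main__":
    for pair in zip(SAMPLE_REPLIES, audit(SAMPLE_REPLIES, "203.0.113.5")):
        print("%s  ->  %s" % pair)
```

On the server side, wu-ftpd 2.6 pins the range with a `passive ports <cidr> <min> <max>` line in ftpaccess (and `passive address` sets the advertised address); a check like the one above is for confirming that the running daemon actually honours those settings.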