In article <0YLAOsEnYJmCFwVF@clara.net>, piconote@onetel.com says...
> I am using IPCop to feed a small network.
>
> In its default state IPCop has all incoming ports closed and all
> outgoing ports open.
>
> Following the advice that I see repeatedly in this newsgroup, I close
> all outgoing ports except those required for web access, e-mail, news
> and time, using IPTables. I also isolate one computer on the network
> completely from the internet. This all works very well.
>
> I now wish to use an ftp client (FileZilla), and I have opened outgoing
> port 21 for this purpose.
>
> If I use the normal or active ftp mode, then, as I understand the
> matter, the ftp client will, after the command channel from a
> high-numbered local port and port 21 on the remote ftp server has been
> established, notify the remote ftp server of the port to use for
> transferring data. The data is then transferred by the remote ftp
> server from its port 20 to the port specified by the local ftp client.
> Unfortunately, as everyone knows, this link will not function because
Setting up a firewall for FTP connections is a little awkward.
I am not familiar with IPCop but this is how I have my Sygate set up.
Advanced rules
1. Allow FileZilla outgoing TCP connection to remote port 21
from local ports 1025-3000.
2. Allow FileZilla incoming TCP connection from remote port 20
to local ports 1025-3000.
(Note: rules 1 and 2 will accommodate active ftp. They are enabled
all the time.)
3. Allow FileZilla outgoing TCP connection to remote ports
1025-65535 from local ports 1025-3000.
(Note: rule 3 will accommodate passive ftp--which I seldom use.
Rule 3 is normally disabled. If I cannot make an FTP download,
then I temporarily enable rule 3 for the download. After the
download, I disable rule 3.)
You might find this helpful:
Active FTP vs Passive FTP
http://slacksite.com/other/ftp.html
Casey
Received on Thu Sep 29 19:53:11 2005
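The three Sygate rules above can be checked against the two FTP modes with a small model. The following Python is an added example, not part of Casey's post or of Sygate or IPCop; the rule set, the default-deny policy and the sample port numbers of the two FTP sessions are constructed here to match the rules as written. It shows that rules 1 and 2 alone carry an active session, that a passive session fails its data connection unless rule 3 is enabled, and that rule 3, while enabled, also admits any other outbound connection to a high remote port, which is why keeping it switched off by default is the safer setting.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One firewall rule in the style of the Sygate rules above.

    direction: "out" = local host opens the connection,
               "in"  = remote host opens the connection.
    Port ranges are inclusive on both ends.
    """
    name: str
    direction: str
    local_ports: range
    remote_ports: range
    enabled: bool = True

    def matches(self, direction: str, local_port: int, remote_port: int) -> bool:
        return (self.enabled
                and self.direction == direction
                and local_port in self.local_ports
                and remote_port in self.remote_ports)


def make_rules(passive_enabled: bool = False) -> list[Rule]:
    """Rules 1-3 from the post; rule 3 is disabled unless asked for."""
    return [
        Rule("rule 1: control channel", "out", range(1025, 3001), range(21, 22)),
        Rule("rule 2: active data", "in", range(1025, 3001), range(20, 21)),
        Rule("rule 3: passive data", "out", range(1025, 3001), range(1025, 65536),
             enabled=passive_enabled),
    ]


def allowed(rules: list[Rule], direction: str, local_port: int, remote_port: int) -> bool:
    """Default deny: a connection passes only if some enabled rule matches."""
    return any(r.matches(direction, local_port, remote_port) for r in rules)


# Constructed sessions: (direction, local port, remote port) per TCP connection.
# Active mode: client opens control to port 21, server connects back from port 20.
ACTIVE_SESSION = [("out", 1500, 21), ("in", 1501, 20)]
# Passive mode: client opens control to port 21, then opens data to a high server port.
PASSIVE_SESSION = [("out", 1500, 21), ("out", 1501, 49152)]


def session_allowed(rules: list[Rule], session: list[tuple[str, int, int]]) -> bool:
    """A session works only if every one of its connections is permitted."""
    return all(allowed(rules, *conn) for conn in session)


def blocked_connections(rules, session):
    """List the connections the rule set would drop, for troubleshooting."""
    return [conn for conn in session if not allowed(rules, *conn)]


if __name__ == "__main__":
    for passive_on in (False, True):
        rules = make_rules(passive_on)
        print(f"rule 3 enabled={passive_on}: active={session_allowed(rules, ACTIVE_SESSION)}, "
              f"passive={session_allowed(rules, PASSIVE_SESSION)}, "
              f"blocked={blocked_connections(rules, PASSIVE_SESSION)}")
```

Running the block prints the outcome for both rule-3 states; `blocked_connections` is the quick way to see that it is always the passive data connection, never the control channel, that the default rule set drops.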