Re: ftp through firewall
comp.security.firewalls archive

From: Brian Phillips <piconote@onetel.com>
Date: Sun May 29 2005 - 12:40:45 CEST

In message <MPG.1d0298bd1a78200b989847@news.east.earthlink.net>, Casey
<Casey@notspecified.net> writes

<snip>

>Setting up a firewall for FTP connections is a little awkward.
>I am not familiar with IPCop but this is how I have my Sygate set up.
>
>Advanced rules
>1. Allow Filezilla outgoing TCP connection to remote port 21
> from local ports 1025-3000.
>2. Allow Filezilla incoming TCP connection from remote port 20
> to local ports 1025-3000.
>(note: rules 1 and 2 will accommodate active ftp. They are enabled
>all the time.)
>3. Allow Filezilla outgoing TCP connection to remote ports
> 1025-65535 from local ports 1025-3000.
>(Note: rule 3 will accommodate passive ftp--which I seldom use.
>Rule 3 is normally disabled. If I cannot make an FTP download,
>then I temporarily enable rule 3 for the download. After the
>download, I disable rule 3)
>You might find this helpful:
>Active FTP vs Passive FTP
>http://slacksite.com/other/ftp.html
>Casey

Thanks Casey

I followed your first two rules to the letter and ftp transfers worked.

I had experimented earlier with a similar arrangement but using just
ports 5050 and 5051 rather than 1025-3000. My arrangement did not
work.

Since your arrangement does work, I then tried some experiments and my
conclusion is that 25 ports is the minimum that will work on my system,
and the 25 ports can apparently be almost anywhere. Thus I find that
1025-1050 works and so does 2025-2050.

I also find that 1025-1049 does not work.

What puzzles me is why it is necessary to have more than just one port,
since the protocol seems to be met by just one.

Anyhow I now have a working system and, having spent many hours trying
unsuccessfully in the past, I am very grateful to you.

Thanks also Duane. I think that I had not made it clear that I was
concerned only with an ftp client and not with an ftp server.

Regards

Brian
Received on Thu Sep 29 19:53:13 2005
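The three rules Casey posted can be checked mechanically against the two FTP data-connection modes. The Python below is an added example written for this archive page, not code from Casey, Brian, Sygate or any FTP client: it decodes the `h1,h2,h3,h4,p1,p2` host-port field that the `PORT` command and the `227` passive reply both carry (port = p1*256 + p2, per RFC 959), models the three rules as direction/port-range matches, and reports which rule, if any, would let a given data connection through. Rule names, the sample `PORT` line and the sample `227` reply are constructed for the demonstration; Sygate's own rule syntax and the 25-port behaviour Brian observed are not modelled.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule for the FTP client host (hypothetical model, not Sygate syntax)."""
    name: str
    direction: str        # "out": the client opens the connection; "in": the server does
    remote_ports: range
    local_ports: range
    enabled: bool = True

    def matches(self, direction: str, remote_port: int, local_port: int) -> bool:
        return (self.enabled and direction == self.direction
                and remote_port in self.remote_ports
                and local_port in self.local_ports)


# Casey's three rules as posted, with the 1025-3000 local port range.
LOCAL = range(1025, 3001)
CASEY_RULES: List[Rule] = [
    Rule("rule 1 (control)",      "out", range(21, 22),       LOCAL),
    Rule("rule 2 (active data)",  "in",  range(20, 21),       LOCAL),
    Rule("rule 3 (passive data)", "out", range(1025, 65536),  LOCAL, enabled=False),
]

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(text: str) -> Tuple[str, int]:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 field from a PORT command or a 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host-port field in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(not 0 <= v <= 255 for v in octets):
        raise ValueError("host-port octet out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def first_allowing_rule(rules: List[Rule], direction: str,
                        remote_port: int, local_port: int) -> Optional[str]:
    """Name of the first enabled rule that permits the connection, else None."""
    for r in rules:
        if r.matches(direction, remote_port, local_port):
            return r.name
    return None


def active_data_check(rules: List[Rule], port_cmd: str) -> Optional[str]:
    """Active mode: the client sent PORT, so the server connects from port 20
    to the local port named in the command (an inbound connection)."""
    _, local_port = decode_hostport(port_cmd)
    return first_allowing_rule(rules, "in", 20, local_port)


def passive_data_check(rules: List[Rule], pasv_reply: str, local_port: int) -> Optional[str]:
    """Passive mode: the server's 227 reply names the port the client must
    connect to from an ephemeral local port (an outbound connection)."""
    _, remote_port = decode_hostport(pasv_reply)
    return first_allowing_rule(rules, "out", remote_port, local_port)


def with_rule_enabled(rules: List[Rule], name_prefix: str, enabled: bool = True) -> List[Rule]:
    """Return a copy of the rule set with the named rule toggled, as Casey does for rule 3."""
    return [replace(r, enabled=enabled) if r.name.startswith(name_prefix) else r
            for r in rules]


if __name__ == "__main__":
    # Constructed sample traffic: a PORT for local port 1025 and a 227 reply naming port 50000.
    port_cmd = "PORT 192,168,1,10,4,1"
    pasv = "227 Entering Passive Mode (203,0,113,5,195,80)"
    print("control:", first_allowing_rule(CASEY_RULES, "out", 21, 1025))
    print("active :", active_data_check(CASEY_RULES, port_cmd))
    print("passive (rule 3 off):", passive_data_check(CASEY_RULES, pasv, 1026))
    print("passive (rule 3 on) :",
          passive_data_check(with_rule_enabled(CASEY_RULES, "rule 3"), pasv, 1026))
```

Running the script shows the behaviour Casey describes: the control connection and an active-mode data connection match rules 1 and 2, while a passive-mode transfer is blocked until rule 3 is enabled. A `PORT` command naming a local port outside 1025-3000 (for example 5050, encoded as `19,186`) matches nothing, which is why the local range in rule 2 has to cover whatever ports the client actually binds.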