Re: ftp through firewall
comp.security.firewalls archive


From: Casey <casey@notspecified.net>
Date: Mon May 30 2005 - 00:14:22 CEST

In article <Pp5eigBtwZmCFwQl@clara.net>, piconote@onetel.com says...
> In message <MPG.1d0298bd1a78200b989847@news.east.earthlink.net>, Casey
> <Casey@notspecified.net> writes
>
> <snip>
>
> >Setting up a firewall for FTP connections is a little awkward.
> >I am not familiar with IPCop but this is how I have my Sygate setup.
> >
> >Advanced rules
> >1. Allow Filezilla outgoing TCP connection to remote port 21
> > from local ports 1025-3000.
> >2. Allow Filezilla incoming TCP connection from remote port 20
> > to local ports 1025-3000.
> >(note: rules 1 and 2 will accommodate active ftp. They are enabled
> >all the time.)
> >3. Allow Filezilla outgoing TCP connection to remote ports
> > 1025-65535 from local ports 1025-3000.
> >(Note: rule 3 will accommodate passive ftp--which I seldom use.
> >Rule 3 is normally disabled. If I cannot make an FTP download,
> >then I temporarily enable rule 3 for the download. After the
> >download, I disable rule 3)
> >You might find this helpful:
> >Active FTP vs Passive FTP
> >http://slacksite.com/other/ftp.html
> >Casey
>
> Thanks Casey
>
> I followed your first two rules to the letter and ftp transfers worked.
>
> I had experimented earlier with a similar arrangement but using just
> ports 5050 and 5051 rather than 1025-3000. My arrangement did not
> work.
>
> Since your arrangement does work, I then tried some experiments and my
> conclusion is that 25 ports is the minimum that will work on my system,
> and the 25 ports can apparently be almost anywhere. Thus I find that
> 1025-1050 works and so does 2025-2050.
>
> I also find that 1025-1049 does not work.
>
> What puzzles me is why it is necessary to have more than just one port,
> since the protocol seems to be met by just one.
>
> Anyhow I now have a working system and, having spent many hours trying
> unsuccessfully in the past, I am very grateful to you.
>
> Thanks also Duane. I think that I had not made it clear that I was
> concerned only with an ftp client and not with an ftp server.
>
> Regards
>
> Brian
>
You're welcome Brian. You bring up an interesting question
about the Local Port numbers that need to remain unblocked.
Based on my Sygate traffic log, it appears that the Win98
Local Ports start at 1025 but I have never known how much higher
the requirement goes. I knew I had the block set too wide.
It probably depends on how much browsing you do between computer
shutdowns. I'll look into that too and see how narrow I can make
that block of port numbers. This will go along with my thinking
about firewall setup--Block Everything You Do Not Use. <G>
Casey
Received on Thu Sep 29 19:53:16 2005
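As an added illustration (not part of the thread, and not Sygate's or FileZilla's own logic), the three rules from Casey's post transcribed into a small checker, plus a loopback check of how a real TCP stack hands out local ports. The "next unused port, counting up from 1025" model, the passive-mode remote data port 40000, and the helper names are constructed assumptions for the example.

```python
import socket

# Casey's three Sygate rules as (direction, remote-port range, local-port range).
# Rules 1 and 2 (active FTP) are always on; rule 3 (passive FTP) only when enabled,
# as described in the post.
def make_rules(local_range, passive_enabled=False):
    rules = [("out", (21, 21), local_range),   # rule 1: control connection to port 21
             ("in", (20, 20), local_range)]    # rule 2: server's data connection from port 20
    if passive_enabled:
        rules.append(("out", (1025, 65535), local_range))  # rule 3: client dials server's data port
    return rules

def allowed(rules, direction, remote_port, local_port):
    return any(d == direction and r[0] <= remote_port <= r[1] and l[0] <= local_port <= l[1]
               for d, r, l in rules)

def ftp_session_allowed(rules, transfers, passive=False, first_port=1025):
    """Model one client session: a control connection plus one data connection per
    transfer. Each connection takes the next unused local port, counting up from
    first_port (Casey reports Win98 starting at 1025). Returns the index of the first
    blocked connection, or None if every connection is allowed.
    Assumption (constructed, not from the post): a just-closed port is not reused."""
    next_port = first_port
    connections = [("out", 21)]                 # control connection
    for _ in range(transfers):
        # active: server dials in from port 20; passive: client dials the server's
        # data port (40000 is a constructed sample value)
        connections.append(("out", 40000) if passive else ("in", 20))
    for i, (direction, remote) in enumerate(connections):
        if not allowed(rules, direction, remote, next_port):
            return i
        next_port += 1
    return None

def observed_local_ports(n):
    """Real-stack check: open n loopback connections and record the local port the OS
    chose for each. The ports are all distinct, which is why a rule naming a single
    local port cannot match more than one of them."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(n)
    clients = [socket.create_connection(srv.getsockname()) for _ in range(n)]
    ports = [c.getsockname()[1] for c in clients]
    for c in clients:
        c.close()
    srv.close()
    return ports
```

The local range a real stack draws from differs by OS (Casey's Win98 log shows 1025 upward; current systems use much higher ranges), so compare the observed ports against whatever range your firewall rule names.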