
Re: allowing passive FTP from the outside



On Sat, 2005-04-02 at 22:33, Justin Zygmont wrote:
> On Sat, 2 Apr 2005, Markku Kolkka wrote:
> 
> > Justin Zygmont wrote in his message (sent Saturday, 2 April 2005
> > 12:23):
> >> I know the problem is because a nonexistent iptables rule, i'm
> >> just at a loss as to what the missing rules should look like.
> >> The only thing that is different in this case is that I need
> >> to use port 221 for FTP instead of 21,
> >
> > That's what breaks everything. The FTP control connection must be
> > on server port 21. Using a different port violates RFC 959 and
> > ip_conntrack_ftp doesn't watch any other port for FTP traffic.
> 
> are you sure ftp_conntrack is even needed?  I thought that's usually used 
> just for stateful routing through a server, and not to connect to one from 
> the outside.  Also when I shut iptables down, it works, I can get a ftp 
> listing.
> 
Yes it does. ftp_conntrack etc. monitors the traffic on port 21 and
dynamically opens the higher-numbered (data) ports that the control
connection on port 21 asks for. Turning off iptables just opens all the ports.

If you are using vsftpd, then you can set the ports used by passive FTP
and then open them in iptables, but this is a risk as they can be
abused. This may be possible with other FTP servers.

Rob
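As an added example (not from anyone in this thread), here is what Rob's suggestion looks like in practice: pin vsftpd's passive data ports to a fixed range and write iptables rules that admit the non-standard control port plus exactly that range. The control port 221 comes from the thread; the passive range 50000-50050 and the function names are assumptions chosen for illustration. The functions only print the configuration and rules, so the script runs without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the vsftpd passive-port
# settings and matching iptables rules for an FTP server whose control
# connection is on a non-standard port (221 in the thread). The passive
# range (50000-50050) is an assumption for illustration; tune it to taste.

# vsftpd.conf directives: listen_port moves the control connection off 21,
# pasv_min_port/pasv_max_port pin the data ports so the firewall can open
# exactly that range and nothing else.
vsftpd_pasv_conf() {
    ctrl="$1"; pmin="$2"; pmax="$3"
    printf 'listen_port=%s\n' "$ctrl"
    printf 'pasv_enable=YES\n'
    printf 'pasv_min_port=%s\n' "$pmin"
    printf 'pasv_max_port=%s\n' "$pmax"
}

# Sanity-check the passive range: unprivileged ports only, not inverted,
# within the 16-bit port space. An inverted range would silently open nothing
# (or, with a typo, far too much), so refuse it rather than emit rules.
validate_range() {
    pmin="$1"; pmax="$2"
    [ "$pmin" -ge 1024 ] && [ "$pmax" -le 65535 ] && [ "$pmin" -le "$pmax" ]
}

# iptables rules, printed rather than executed. Order matters: the
# ESTABLISHED,RELATED rule first so reply traffic is accepted without further
# lookups, then NEW connections to the control port and the passive range.
# Nothing else is opened; everything not matched falls through to the
# chain's policy (assumed DROP).
iptables_ftp_rules() {
    ctrl="$1"; pmin="$2"; pmax="$3"
    if ! validate_range "$pmin" "$pmax"; then
        echo "bad passive range $pmin-$pmax" >&2
        return 1
    fi
    cat <<EOF
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $ctrl -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $pmin:$pmax -m state --state NEW -j ACCEPT
EOF
}

# Usage: print the config fragment and the rules for control port 221.
vsftpd_pasv_conf 221 50000 50050
iptables_ftp_rules 221 50000 50050
```

The trade-off Rob mentions is visible in the third rule: the whole passive range is open to NEW connections from any source, not just to clients that first spoke on the control port, so any service that happens to bind in that range is reachable from the outside. Keep the range as narrow as the expected number of concurrent data connections allows, and make sure nothing else listens there. Separately from what the thread discusses, the FTP helper can also be told to watch a non-standard control port via its ports= module parameter (for example modprobe ip_conntrack_ftp ports=221), which restores the dynamic RELATED behaviour Rob describes for port 21; that avoids opening a static range at all.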



