[BlueOnyx:05824] Re: FTP Problems

Jeff Jones jeffrhysjones at mac.com
Sun Nov 14 03:33:43 -05 2010


Spot on Patrick!

I've sent up a number of posts to this list recently about using the ProFTP module 'mod_sftp' for secure communication with ProFTP. As this module enables ProFTP to talk SSH, only one TCP port is used, and firewalling issues like this go away.

Unfortunately I think many people on the list had a hard time understanding that this module had nothing to do with the existing SSH / OpenSSL service, and assumed that by hooking ProFTP up with mod_sftp you would give users a shell & the ability to list the entire filesystem, which is totally not the case.

Had BX ProFTP been using mod_sftp in this instance, there would not have been a problem.

FTP is the bane of the firewall admin's life; people running more powerful firewalls like PFSense or Monowall will know this. Actually, I seem to remember they built an FTP proxy service into PFSense in order to try to get round these issues, but this can create new issues.

Oh well!!!

Jeff

Sent from my iPhone

On 14 Nov 2010, at 07:24, Patrick Koehne <patrick at koehne-net.de> wrote:

> Hi,
> 
> This is quite ok and exactly the problem with FTP since
> connection-orientated firewalls:
> FTP is a bidirectional protocol. Most other protocols start a connection
> and everything is transmitted within the session initiated from the client.
> Therefore the FW can track that connection very easily and one just needs the
> outbound rule in a FW configuration. But FTP also builds up a second
> connection back from the server to the client. This is therefore not within
> the first connection from the client to the server. So, some firewalls can
> handle that because they inspect the outgoing packets: within the packets
> the expected ports are declared so it is possible to build an incoming rule
> automatically for the time of the connection. Some firewalls can't do that and
> therefore you need the incoming rule, too.
> 
> Visualized, it looks like this:
> 
> http://de.wikipedia.org/w/index.php?title=Datei:AktivesFTP.png&filetimestamp=20070118150326
> 
> http://slacksite.com/other/ftp.html
> 
> Regards,
> Patrick
> 
> 
>> -----Original Message-----
>> From: blueonyx-bounces at blueonyx.it 
>> [mailto:blueonyx-bounces at blueonyx.it] On behalf of Andy
>> Sent: Saturday, 13 November 2010 22:46
>> To: 'BlueOnyx General Mailing List'
>> Subject: [BlueOnyx:05819] Re: FTP Problems
>> 
>> Problem is fixed. Yes I thought that FTP was port 21 but for 
>> some reason it needed an explicit rule on my firewall for 
>> inbound and outbound port 20 as well.
>> 
>> It took some hunting for information on my firewall 
>> (m0n0wall) to fix it.
>> 
>> Andy
>> 
> 
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
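Patrick's description of how a stateful firewall derives the second (data) connection by inspecting the FTP control channel, and Andy's finding that his m0n0wall needed an explicit port 20 rule, are illustrated by the following added example. It is not code from the thread, from BlueOnyx or from ProFTPD; it is a small Python model of the decision an FTP-aware firewall (an "ALG") makes when it sees a `PORT` command from the client or a `227 Entering Passive Mode` reply from the server. The function names and all addresses are constructed for the example. It also applies the two sanity checks such a firewall should make before opening a pinhole (the announced address must belong to the peer that announced it, and the port must be unprivileged), which is the standard mitigation for the FTP "bounce" misuse of the PORT command described in RFC 2577.

```python
import re

# Constructed sample control-channel traffic on TCP/21, as a firewall between a
# client at 192.168.1.50 and a server at 203.0.113.7 would see it. These are
# made-up addresses, not from the thread.
CLIENT_IP = "192.168.1.50"
SERVER_IP = "203.0.113.7"
SAMPLE_CLIENT_LINES = [
    "USER anonymous",
    "PORT 192,168,1,50,4,1",        # active mode: client will listen on 192.168.1.50:1025
    "PORT 10,0,0,9,0,80",           # third-party host and privileged port: must be refused
    "PORT 192,168,1,50,300,1",      # malformed: a byte value above 255
]
SAMPLE_SERVER_LINES = [
    "220 ProFTPD Server ready.",
    "227 Entering Passive Mode (203,0,113,7,195,89).",   # passive: server listens on 50009
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by the PORT command and 227 reply.

    Returns (host, port) or None when the six numbers are missing or out of range.
    """
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def pinhole_for_port_cmd(line, client_ip, server_ip):
    """Active mode: the client announces where the server must connect *back* to.

    The data connection originates from the server's port 20 and arrives at the
    client, which is why a non-FTP-aware firewall needs an explicit port 20 rule.
    Returns ((src_ip, src_port), (dst_ip, dst_port)) for the expected connection,
    or None if the announcement should be refused.
    """
    if not line.upper().startswith("PORT "):
        return None
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    host, port = parsed
    # Only open a pinhole towards the client that issued the command, and only to
    # an unprivileged port (RFC 2577 guidance against PORT-command bounce abuse).
    if host != client_ip or port < 1024:
        return None
    return ((server_ip, 20), (host, port))


def pinhole_for_pasv_reply(line, client_ip, server_ip):
    """Passive mode: the server announces a listening port and the client connects.

    The client's source port is ephemeral and unknown in advance, so it is "any".
    """
    if not line.startswith("227"):
        return None
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    host, port = parsed
    if host != server_ip or port < 1024:
        return None
    return ((client_ip, "any"), (host, port))


def derive_pinholes(client_lines, server_lines, client_ip, server_ip):
    """Run both directions of the control channel through the checks above.

    Returns (accepted, refused): the temporary rules a stateful firewall would add
    for the lifetime of the session, and the announcements it rejected.
    """
    accepted, refused = [], []
    for line in client_lines:
        if line.upper().startswith("PORT "):
            rule = pinhole_for_port_cmd(line, client_ip, server_ip)
            (accepted if rule else refused).append(rule or line)
    for line in server_lines:
        if line.startswith("227"):
            rule = pinhole_for_pasv_reply(line, client_ip, server_ip)
            (accepted if rule else refused).append(rule or line)
    return accepted, refused


if __name__ == "__main__":
    ok, bad = derive_pinholes(SAMPLE_CLIENT_LINES, SAMPLE_SERVER_LINES, CLIENT_IP, SERVER_IP)
    for src, dst in ok:
        print("allow %s:%s -> %s:%s" % (src[0], src[1], dst[0], dst[1]))
    for line in bad:
        print("refuse %r" % line)
```

The first accepted rule is exactly what Andy had to add by hand: an inbound connection from the server's port 20 to a high port on the client. A firewall without this inspection cannot know that port in advance, which is why the static rule was needed, and why a single-port protocol such as SFTP avoids the problem altogether.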