|
|
Sponsored Content
Top Forums
UNIX for Dummies Questions & Answers
iptables-ftp
Post 302554958 by DGPickett on Tuesday 13th of September 2011 01:22:20 PM
09-13-2011
When you initially connect to ftp, the client hig port connects to ftp server port 21. If the user want to move a file or do a listing, the client provides a port and the server creates a data connection, connects from server port 20 to client specifed (high) port. This is one of the only places a specified port is used as a tcp client. Maybe the ftp designer was afraid all ports wuld be taken, so he reserved one! 
It does identify the ftp activity to the firewall better than the PASV option, where a data connection is from client high port to server specified high port. So for not PASV, you need a rule that says connections from tcp port 20 or to 21 on the ftp server side are both OK.
PASV was nicer for clients inside a firewall, where all connections originate in the client and the firewall does not need ot support internal listeners, which might be hacker entry services. You need a global high port inside connect ot high port outside permission. This also allows internal clients to hit outside high port http urls, like: "http://some-not-root-http-server-host:some_high_port/"
It does identify the ftp activity to the firewall better than the PASV option, where a data connection is from client high port to server specified high port. So for not PASV, you need a rule that says connections from tcp port 20 or to 21 on the ftp server side are both OK.PASV was nicer for clients inside a firewall, where all connections originate in the client and the firewall does not need ot support internal listeners, which might be hacker entry services. You need a global high port inside connect ot high port outside permission. This also allows internal clients to hit outside high port http urls, like: "http://some-not-root-http-server-host:some_high_port/"
This User Gave Thanks to DGPickett For This Post:
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I have allready opened a thread about this, but my question was really weird formed, so I'm writting it here again:
I have a Network with 4 FTP Servers, then a firewall, and then a Network with clients. The clients should have access to the FTP Servers, but it should not be possible to connect... (2 Replies)
Discussion started by: sTorm
2 Replies
2. Cybersecurity
I have 2 LAN's, seperated by a firewall, running iptables on it.
I want only allow ftp access from one to the other LAN.
Server 1 in LAN 1 should have ftp access to Server 2 in LAN 2
Server 2 in LAN 2 should not have ftp access to Server 1 in LAN 1.
Can someone tell me how to set up the... (5 Replies)
Discussion started by: sTorm
5 Replies
3. IP Networking
Greetings to all.
My new firewall is giving me one hell of a problem.
I'm running iptables and masquerading my intranet
thru NAT. But here is the problem. Whenever I try
to FTP to a server outside of my lan I get a 500
illegal port error.
I've come to the conclusion that NAT is... (2 Replies)
Discussion started by: phrater
2 Replies
4. UNIX for Advanced & Expert Users
Hi,
We have some clients who will place huge files in to one of the remote server.
And the shell script written in our local server to retrieve client files (using FTP) placed on one of the remote server of ours by clients.
My question Is there any FTP command/script to check from my local... (1 Reply)
Discussion started by: nmsrao
1 Replies
5. Shell Programming and Scripting
Hi all,
I'm using the following script to automated ftp files to 1 ftp servers
host=192.168.0.1
/usr/bin/ftp -vi >> $bkplog 2>&1 <<ftp
open $host
bin
cd ${directory}
put $files
quit
ftp
and the .netrc file contain
machine 192.168.0.1
login abc... (4 Replies)
Discussion started by: varu0612
4 Replies
6. Shell Programming and Scripting
Hi everybody. I have the next scenary:
eth0: WAN
eth1: DMZ
eth2: LAN
I need to block all incoming trafic from the internet through my network LAN using iptables. I have squid but i need to do this using ipatbles.
I have been listening about iptables -A FORDAWARD but I am stuck right... (0 Replies)
Discussion started by: edeamat
0 Replies
7. Red Hat
Hi,
Following is the output of iptables -S command
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.5/32 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 20 -j... (3 Replies)
Discussion started by: shahdharmit
3 Replies
8. HP-UX
Hello All,
I am trying to connect to ftp server and get the files. Also i need to rename the file in other ftp dir.
rename method is not allowing me to rename the file in other dir. When i tried copy command by using net::FTP:FILE then perl says it is not installed.
Can some body help me to... (2 Replies)
Discussion started by: krsnadasa
2 Replies
9. IP Networking
I am using vsftp but I can't login with passive mode. I can only login with active mode. I can login with both mode when service of iptables is stop.
In active mode : 20,21 must be open from server site. 1023 and over must be open at client site.
In passive mode : only 21,1023 and over must be... (1 Reply)
Discussion started by: getrue
1 Replies
10. IP Networking
I have a pretty stock iptables script. One rule allows active ftp from an outside IP address. To troubleshoot it, I opened up ftp to all connections from the outside.
When a user outside our domain connects via FTP, they are denied. If I flush the rules, the ftp takes place successfully. This... (2 Replies)
Discussion started by: bricoleur
2 Replies
LEARN ABOUT MOJAVE
info
INFO(5) File Formats Manual INFO(5) NAME
info - readable online documentation DESCRIPTION
The Info file format is an easily-parsable representation for online documents. It can be read by emacs(1) and info(1) among other pro- grams. Info files are usually created from texinfo(5) sources by makeinfo(1), but can be created from scratch if so desired. For a full description of the Texinfo language and associated tools, please see the Texinfo manual (written in Texinfo itself). Most likely, running this command from your shell: info texinfo or this key sequence from inside Emacs: M-x info RET m texinfo RET will get you there. AVAILABILITY
ftp://ftp.gnu.org/pub/gnu/texinfo-<version>.tar.gz or any GNU mirror site. REPORTING BUGS
Please send bug reports to bug-texinfo@gnu.org, general questions and discussion to help-texinfo@gnu.org. SEE ALSO
info(1), install-info(1), makeinfo(1), texi2dvi(1), texindex(1). emacs(1), tex(1). texinfo(5). FSF
GNU Info INFO(5)