On Sun, Jan 23, 2005 at 10:20:28PM -0500, A. Khattri wrote the following:
> On Sun, 23 Jan 2005, Joseph A. Nagy, Jr. wrote:
>
> > On Sun, Jan 23, 2005 at 09:49:44PM -0500, A. Khattri wrote the following:
> > > On Sun, 23 Jan 2005, Joseph A. Nagy, Jr. wrote:
> > >
> > > > Also, whenever I put the port to 21, it goes offline; when I put it to
> > > > 20 it comes back online. For some reason it refuses to use port 21. No
> > > > matter. I set my router to forward external port 21 to internal port 20
> > > > and my ftp client will not connect. It says connection is refused to
> > > > joseph-a-nagy-jr.us despite me telling it to connect to
> > > > ftp.joseph-a-nagy-jr.us
> > >
> > > You need both port 20 and 21 for FTP.
> >
> > Ah.
> >
> > > Also, you don't say if you're using active or passive ports...
> >
> > Yeah, I have that enabled, why?
>
> Some FTP protocol basics:
>
> With active FTP, your FTP client tells the server what port it's gonna use
> to connect to the server. The server will make sure it's listening on that
> port for an incoming connection. If your firewall is blocking that port
> though, the server will never see your incoming connection. And since that
> port number could be anything between 1024 and 32767, unless you have a
> smarter firewall with stateful packet filtering that understands FTP (most
> home routers don't), it will fail.
>
> With passive FTP, the server tells the client what port number to use for
> the data connection; the server will listen on the port for your incoming
> connection. So, you can tell proftpd to use, say, ports 7000 to 7100 for
> passive ports, configure your router to allow those ports through
> to your FTP server and it will work.
>
> With passive FTP you can set things up on your router since you know what
> port numbers will be used. With active FTP your router won't know what port
> number is part of the same FTP session.
>
> Incidentally, I have web servers out there that run proftpd that are locally
> firewalled with iptables. However, iptables has modules that do stateful
> filtering and modules that understand FTP, so I don't need to open any ports
> regardless of whether it's active or passive.
>
Okay, I've basically taken the router out of the equation by making my computer the DMZ host. All requests are sent to me regardless. Still, when I tell proftpd to bind to port 21, it keels over. I commented out the line on passive ports, no change. I tell it to bind to port 20 and it comes back up. Something on my machine is listening to port 21 for some reason. The router shouldn't be, and my ISP doesn't do any port blocking. With what you said above, by me taking my router out of the equation, disabling any forwarding rules in the router config, I should be just as if I were connected directly to my DSL modem. I currently don't have a firewall up (but I do have one I can throw up just by running the init script; the rules are already in place). So what services could possibly be taking up port 21? nmapfe shows only the following:

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-01-23 22:47 CST
Interesting ports on 192.168.1.5:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
20/tcp   open  ftp-data
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
113/tcp  open  auth
783/tcp  open  hp-alarm-mgr
6000/tcp open  X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 0.550 days (since Sun Jan 23 09:34:36 2005)

Nmap run completed -- 1 IP address (1 host up) scanned in 2.860 seconds

Nothing is touching port 21 as far as nmap can see. What's the deal?

Yeah, I know. My uptime sucks ass. Blame the bad sectors on my HDD (which is soon to be replaced with some brand new 250GB's from WD).

With my firewall (which is now up):

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-01-23 22:49 CST
Interesting ports on 192.168.1.5:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
5100/tcp closed admd
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7), Linux 2.6.0 (x86), Linux 2.6.3 - 2.6.8
Uptime 0.552 days (since Sun Jan 23 09:34:36 2005)

Nmap run completed -- 1 IP address (1 host up) scanned in 22.646 seconds

Which reminds me, I need to open 20-21 on iptables.

--
Joseph A. Nagy Jr.
AIM: pres CTHULHU | ICQ: 18115568 | Yahoo: pagan_prince | Jabber: DarkKnightRadick@(jabber.org|amessage.at)
Libertarian @ Large | PGP: 0xCF7EAA67 | < http://www.joseph-a-nagy-jr.us > | < http://www.jan-jr-ent.biz > < http://games.joseph-a-nagy-ur.us >
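The active/passive negotiation explained in the quoted reply, and its closing point about FTP-aware stateful firewalls, as an added example that is not part of this thread and not proftpd's code. Per RFC 959 the client sends `PORT h1,h2,h3,h4,p1,p2` and listens in active mode (the server connects to it from port 20), while in passive mode the server answers `PASV` with `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` and listens itself; in both cases the port is `p1*256 + p2`. The script encodes and decodes that tuple and then models the router from the thread: a NAT that forwards only a fixed set of inbound ports, versus a firewall with an FTP conntrack helper that opens the negotiated port by itself. The address 192.168.1.5 and the PassivePorts range 7000-7100 come from the thread; the client address 10.0.0.7 and the ephemeral port 31011 are constructed for the demo.

```python
"""Added example for this thread (not proftpd's code): how the FTP data
connection is negotiated, and whether a NAT/firewall that forwards only
fixed ports will let it through.  Addresses and ports are constructed,
except 192.168.1.5 and the PassivePorts range 7000-7100 from the thread."""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by the client's PORT command and the server's
# "227 Entering Passive Mode (...)" reply (RFC 959); port = p1*256 + p2.
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(host: str, port: int) -> str:
    """Encode an IPv4 address and TCP port as h1,h2,h3,h4,p1,p2."""
    if not 0 < port <= 65535:
        raise ValueError(f"TCP port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(text: str) -> Tuple[str, int]:
    """Recover (host, port) from a PORT command or a 227 reply."""
    m = _HOST_PORT_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field exceeds 255 in {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_connection_ok(
    mode: str,
    announced: str,
    forwarded_inbound: Optional[Iterable[int]],
    passive_range: Optional[Tuple[int, int]] = None,
) -> Tuple[bool, str]:
    """Decide whether the data connection can be opened.

    mode              'active' (client sent PORT, client listens, server connects
                      from port 20) or 'passive' (server sent 227, server listens,
                      client connects).
    announced         the PORT command or 227 reply carrying the listener's address.
    forwarded_inbound the inbound TCP ports the NAT/firewall in front of the
                      *listening* side forwards to it; None models an FTP-aware
                      stateful firewall (e.g. iptables with the ftp conntrack
                      helper) that opens the negotiated port on its own.
    passive_range     the server's configured PassivePorts range, if any.
    """
    if mode not in ("active", "passive"):
        raise ValueError(f"unknown mode {mode!r}")
    host, port = decode_host_port(announced)
    listener = "client" if mode == "active" else "server"
    if mode == "passive" and passive_range is not None:
        lo, hi = passive_range
        if not lo <= port <= hi:
            return False, (f"server announced port {port}, outside its PassivePorts "
                           f"{lo}-{hi}; the forwarding rule for that range cannot cover it")
    if forwarded_inbound is None:
        return True, f"FTP-aware firewall tracks the exchange and admits {host}:{port}"
    if port not in set(forwarded_inbound):
        return False, (f"{listener} listens on {host}:{port} but the NAT in front of "
                       f"it forwards no such port; the peer's connect will be dropped")
    return True, f"{listener} listens on {host}:{port} and the NAT forwards it"


if __name__ == "__main__":
    # Passive: proftpd pinned to "PassivePorts 7000 7100", router forwards 21 + that range.
    pasv = f"227 Entering Passive Mode ({encode_host_port('192.168.1.5', 7001)})"
    print(pasv)
    print(data_connection_ok("passive", pasv, {21, *range(7000, 7101)}, (7000, 7100)))
    # Passive without the forwarding rule: the client's connect to 7001 goes nowhere.
    print(data_connection_ok("passive", pasv, {21}, (7000, 7100)))
    # Active: client (constructed 10.0.0.7) picks an ephemeral port; its plain NAT
    # has no idea that port belongs to the FTP session.
    port_cmd = f"PORT {encode_host_port('10.0.0.7', 31011)}"
    print(port_cmd, data_connection_ok("active", port_cmd, set()))
    # Same active session behind an FTP-aware stateful firewall.
    print(data_connection_ok("active", port_cmd, None))
```

Run it as `python3 ftp_ports.py`: the passive case succeeds only when the announced port is inside the range the router forwards, the active case fails behind a port-forward-only NAT and succeeds once the firewall tracks the control channel itself, which is the difference between a home router and the iptables setup the reply describes. Keep in mind that with `PassivePorts` pinned, the 227 reply still has to carry the server's public address when it sits behind NAT, or the client will try to connect to the private one.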