I had great difficulty getting passive mode to work on a 2.2.x box with
IP masq'd.  From what I've heard, IPtables handles that better than
ipchains, but I haven't had the opportunity to try that.

I don't use wu-ftpd, due to the countless amounts of security holes it
contains.  I use pureftpd (http://pureftpd.sourceforge.net).  It allows
me to specify the passive ports, and spoof the passive IP address that
gets passed as well.

If your ftp server has a real world IP, then your task will be
significantly easier.  But more info is needed.

-Rob


> Robert,
> 
> Thanks for explaining that to us. I thought that was how it was.
> 
> My question then, remains:-
> 
> If I want the server to support passive mode, and open up a set of ports to 
> support it, how do I instruct the wu-ftpd to use the set of ports that I 
> have opened up? I cannot see any configuration options in kwuftpd that 
> address this.
> 
> Thanks,
> 
> Julian.
> ====================================
> At 07:27 AM 1/17/02, you wrote:
> >Rob, you're close, but have a few things mixed up.
> >
> >Your control port (21) will always stay static on that port.  It will
> >never change unless someone configures the FTP server to listen on a
> >different port.
> >
> >Port 20 (the data port) is for active connections.  It too is statically
> >bound to that port.  It will never change.  However, this is somewhat
> >insecure, since haxors can use sniffing devices to listen to data
> >passing on that port.
> >
> >Hence the introduction of passive connections.  When a data transfer is
> >about to commence, the FTP server sends a port number to the client,
> >telling it what port the client should communicate on (it's usually a
> >really high port > 1024).  Each time an FTP server must communicate via
> >passive mode, a different port is randomly chosen so as to lower the
> >possibility of sniffed data.
> >
> >The FTP client controls whether an active/passive connection is used.
> >However, certain FTP clients don't give you the option to use either or
> >(ie: Win95 DOS ftp).
> >
> >-Rob
> >
> > > Hey Julian,
> > >
> > > Yes, there's something about that. Passive ftp vs active. Active ftp will
> > > jump around with its use of ports (I don't know if it's the data, control,
> > > or both that actually jump).
> > > I'm not sure if you can tell the server whether or not to use passive, but I
> > > know you can tell the client. Sometimes people forget that IE can be used as
> > > an ftp client, so don't forget to set the passive ftp check box in the IE
> > > tools/options area.
> > >
> > > Hopefully you won't need a whole book on ftp. It's a lot less complex than
> > > something like email or DNS!!
> > >
> > > Nice to see you around again Julian!
> > >
> > > Rob
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Julian Opificius
> > > Sent: Wednesday, January 16, 2002 7:48 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: NAT and FTP
> > >
> > >
> > > Cheers Robert. Is it always port 20? Somehow I thought that a different
> > > port was opened up for every simultaneous connection.
> > >
> > > I sense the imminent need to purchase another O'Reilly book ... ;-)
> > >
> > > julian.
> > >
> > >
> > > At 09:35 PM 1/16/02, you wrote:
> > > >One port's for control and one's for data:
> > > >
> > > >make sure you check this out: "cat /etc/services | grep ftp"
> > > >
> > > >Rob
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED]
> > > >[mailto:[EMAIL PROTECTED]]On Behalf Of Julian Opificius
> > > >Sent: Wednesday, January 16, 2002 7:12 PM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: Re: NAT and FTP
> > > >
> > > >
> > > >Why's that?
> > > >
> > > >j.
> > > >===================
> > > >At 08:58 PM 1/16/02, you wrote:
> > > > >You might want to open up port 20, as well.
> > > > >
> > > > >On Wed, 16 Jan 2002, Julian Opificius wrote:
> > > > >
> > > > > > Hi folks,
> > > > > >
> > > > > > I'm using NAT on my Cisco 678 DSL modem, to connect my real IP into my
> > > > > > private LAN.
> > > > > > I want to run an FTP server on my Linux box, accessible from the outside
> > > > > > world. I know I have to open up port 21, 'cos it's the FTP control port,
> > > > > > but do I have to open up any other ports in order to allow data transfers?
> > > > > >
> > > > > > julian.
> > > > > >
> > > > > > ----------------------------------------------------------------
> > > > > > Just because I'm paranoid doesn't mean they aren't after me ...
> > > > > >
> > > > > > Julian Opificius. ICQ 3268206.
> > > > > > ----------------------------------------------------------------
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Redhat-list mailing list
> > > > > > [EMAIL PROTECTED]
> > > > > > https://listman.redhat.com/mailman/listinfo/redhat-list
> > > > > >
> > > > >
> > > >
> > >
> > > ----------------------------------------------------------------
> > >  From my wife: "I'm not playing mind games with you, I'm just making you
> > > think I'm playing mind games with you ..."
> > >
> > > Julian Opificius. ICQ 3268206.
> > > ----------------------------------------------------------------
> > >
> > >
> >--
> >
> >-Rob
> >
> 
> 
-- 

-Rob

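The thread keeps coming back to the same two facts: the server picks the passive data port and announces it to the client over the control connection, and a server behind IP masquerading needs both a fixed passive port range (so the firewall can forward it) and a public address in that announcement (the "spoof the passive IP" that Rob mentions). The following is an added example, not code from the thread or from pure-ftpd, and it does not use any pure-ftpd option names: it parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, builds the reply a NAT'd server should send, and checks an observed reply against the public address and forwarded port range an admin expects. The sample replies, the public address 203.0.113.10 and the range 50000-50100 are constructed for the example.

```python
import ipaddress
import re

# RFC 1918 ranges.  An address from here in a PASV reply means the server
# behind NAT announced its internal (masqueraded) address, which an
# outside client cannot connect to; the transfer then hangs or fails.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 227 reply: six comma-separated decimal octets, four of address, two of port.
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# Constructed sample replies (not captured from any real server).
SAMPLE_PASV_OK = "227 Entering Passive Mode (203,0,113,10,195,80)"
SAMPLE_PASV_PRIVATE = "227 Entering Passive Mode (192,168,1,5,4,1)"


def parse_pasv(reply):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns (ip_string, port) where port = p1 * 256 + p2, which is how the
    'really high port' from the thread is encoded on the wire.
    """
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(public_ip, port):
    """Build the 227 reply a masqueraded server should send: the public
    address (not the LAN address) and a port from the forwarded range."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = str(ipaddress.IPv4Address(public_ip)).split(".")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(octets), port // 256, port % 256)


def check_pasv(reply, control_peer_ip, passive_range):
    """Check an observed 227 reply against what the firewall expects.

    control_peer_ip: the server address the client connected to on port 21.
    passive_range:   (low, high) ports the firewall forwards to the server.
    Returns a list of problems; an empty list means the reply is usable.
    """
    ip, port = parse_pasv(reply)
    low, high = passive_range
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("announced private address %s: NAT is not rewriting "
                        "the reply and no public address is configured" % ip)
    if ip != control_peer_ip:
        problems.append("announced %s but the control connection is to %s"
                        % (ip, control_peer_ip))
    if not low <= port <= high:
        problems.append("port %d is outside the forwarded passive range %d-%d"
                        % (port, low, high))
    return problems


if __name__ == "__main__":
    for reply in (SAMPLE_PASV_OK, SAMPLE_PASV_PRIVATE):
        print(reply)
        for p in check_pasv(reply, "203.0.113.10", (50000, 50100)) or ["ok"]:
            print("  -", p)
```

Run against a real server by pasting the 227 line from a verbose client session into `check_pasv` along with the address you connected to and the range you opened on the firewall; the second sample shows the classic masquerading symptom (LAN address, port outside the forwarded range) that the thread's passive-mode trouble comes down to.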