I'd be interested in your IPtables / pureftpd setup on this. I'm running pure-ftpd also, and I haven't even tried to set up passive mode. Heck, it's possible that I've got it enabled ;-)

> -----Original Message-----
> From: Robert Dege [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: NAT and FTP
>
> I had great difficulty getting passive mode to work on a 2.2.x box with
> IP masq'd. From what I've heard, IPtables handles that better than
> ipchains, but I haven't had the opportunity to try that.
>
> I don't use wu-ftpd, due to the countless amounts of security holes it
> contains. I use pureftpd (http://pureftpd.sourceforge.net). It allows
> me to specify the passive ports, and spoof the passive IP address that
> gets passed as well.
>
> If your ftp server has a real world IP, then your task will be
> significantly easier. But more info is needed.
>
> -Rob
>
> > Robert,
> >
> > Thanks for explaining that to us. I thought that was how it was.
> >
> > My question then, remains:-
> >
> > If I want the server to support passive mode, and open up a set of ports to
> > support it, how do I instruct the wu-ftpd to use the set of ports that I
> > have opened up? I cannot see any configuration options in kwuftpd that
> > address this.
> >
> > Thanks,
> >
> > Julian.
> > ====================================
> > At 07:27 AM 1/17/02, you wrote:
> > >Rob, you're close, but have a few things mixed up.
> > >
> > >Your control port (21) will always stay static on that port. It will
> > >never change unless someone configures the FTP server to listen on a
> > >different port.
> > >
> > >Port 20 (the data port) is for active connections. It too is statically
> > >bound to that port. It will never change. However, this is somewhat
> > >insecure, since haxors can use sniffing devices to listen to data
> > >passing on that port.
> > >
> > >Hence the introduction of passive connections. When a data transfer is
> > >about to commence, the FTP server sends a port number to the client,
> > >telling it what port the client should communicate on (it's usually a
> > >really high port > 1024). Each time a FTP server must communicate via
> > >passive mode, a different port is randomly chosen as to lower the
> > >possibility of sniffed data.
> > >
> > >The FTP client controls whether an active/passive connection is used.
> > >However, certain FTP clients don't give you the option to use either or
> > >(ie: Win95 DOS ftp).
> > >
> > >-Rob
> > >
> > > > Hey Julian,
> > > >
> > > > Yes, there's something about that. Passive ftp vs active. Active ftp will
> > > > jump around with its use of ports (I don't know if it's the data, control, or
> > > > both that actually jump).
> > > > I'm not sure if you can tell the server whether or not to use passive, but I
> > > > know you can tell the client. Sometimes people forget that IE can be used as
> > > > an ftp client, so don't forget to set the passive ftp check box in the IE
> > > > tools/options area.
> > > >
> > > > Hopefully you won't need a whole book on ftp. It's a lot less complex than
> > > > something like email or DNS!!
> > > >
> > > > Nice to see you around again Julian!
> > > >
> > > > Rob
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Julian Opificius
> > > > Sent: Wednesday, January 16, 2002 7:48 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: NAT and FTP
> > > >
> > > > Cheers Robert. Is it always port 20? Somehow I thought that a different
> > > > port was opened up for every simultaneous connection.
> > > >
> > > > I sense the imminent need to purchase another O'Reilly book ... ;-)
> > > >
> > > > julian.
> > > >
> > > > At 09:35 PM 1/16/02, you wrote:
> > > > >One port's for control and one's for data:
> > > > >
> > > > >make sure you check this out: "cat /etc/services | grep ftp"
> > > > >
> > > > >Rob
> > > > >
> > > > >-----Original Message-----
> > > > >From: [EMAIL PROTECTED]
> > > > >[mailto:[EMAIL PROTECTED]]On Behalf Of Julian Opificius
> > > > >Sent: Wednesday, January 16, 2002 7:12 PM
> > > > >To: [EMAIL PROTECTED]
> > > > >Subject: Re: NAT and FTP
> > > > >
> > > > >Why's that?
> > > > >
> > > > >j.
> > > > >===================
> > > > >At 08:58 PM 1/16/02, you wrote:
> > > > > >You might want to open up port 20, as well.
> > > > > >
> > > > > >On Wed, 16 Jan 2002, Julian Opificius wrote:
> > > > > >
> > > > > > > Hi folks,
> > > > > > >
> > > > > > > I'm using NAT on my Cisco 678 DSL modem, to connect my real IP into my
> > > > > > > private LAN.
> > > > > > > I want to run an FTP server on my Linux box, accessible from the outside
> > > > > > > world. I know I have to open up port 21, 'cos it's the FTP control port,
> > > > > > > but do I have to open up any other ports in order to allow data transfers?
> > > > > > >
> > > > > > > julian.
> > > > > > >
> > > > > > > ----------------------------------------------------------------
> > > > > > > Just because I'm paranoid doesn't mean they aren't after me ...
> > > > > > >
> > > > > > > Julian Opificius. ICQ 3268206.
> > > > > > > ----------------------------------------------------------------
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Redhat-list mailing list
> > > > > > > [EMAIL PROTECTED]
> > > > > > > https://listman.redhat.com/mailman/listinfo/redhat-list
> > > >
> > > > ----------------------------------------------------------------
> > > > From my wife: "I'm not playing mind games with you, I'm just making you
> > > > think I'm playing mind games with you ..."
> > > >
> > > > Julian Opificius. ICQ 3268206.
> > > > ----------------------------------------------------------------
> > >--
> > >
> > >-Rob
> --
>
> -Rob