:-D

> Any objections against active FTP data ?

No. Not really (I think so), ftp-protocol is ftp-protocol regardless of the used ports....
But objections against some ftp-server software.... *grin* like proftpd or some others with sporadic but serious bugs..... Always keep an open eye on bug lists and security CERTs... In my own experience, most servers get defaced through a buggy ftp-server..... first target for hackers, because many ftp-servers allow anonymous ftp-login or have weak user accounts or passwords; this in combination with a buggy ftp-server is really dangerous.... but this is eventually off topic..... for this list.

2009/1/20 Fuchs, Martin <[email protected]>:
> Hi !
>
> I opened up port 20 for active FTP data from the DMZ now and the upper ports
> defined in the server for passive FTP data from WAN to DMZ...
>
> It works...
>
> Any objections against active FTP data ?
>
> Regards,
>
> martin
>
> -----Original Message-----
> From: Michael Schuh [mailto:[email protected]]
> Sent: Tuesday, 20 January 2009 00:41
> To: [email protected]
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hmm,
> hi martin,
>
> I have made such a config, and I have realized for myself that
> I have 2 options
> a) ftp-server w/ ftp-proxy on WAN, IIRC this needs special setup in XML-Config;
>    also result is: I can't use the ftp-proxy on the LAN interface.
>    I am not 100% sure but I believe I remember that the activation of
>    ftp-proxy on WAN is not possible from the browser user interface,
>
> b) open ftp high-range ports from WAN to ftp-server and you can use
>    ftp-proxy for users from LAN..... if you like to do so....
>
> I have used option b) because it is no security risk if no other
> services listen on such a port on the ftp-server system; the port on
> the ftp-server's system is only opened if a ftp-user makes a
> transfer.... this behavior underlies the ftp-protocol's feature of
> PASV switching. In other words active ftp-transfer or passive; this is
> handled by the ftp-protocol between server and each individual client.
> With option b) you are on the secure side that every user (if he has
> experience or not) can make transfers from and to the ftp-server,
> regardless of transfer mode. Works all the time.
>
> Special attention is only needed if another service listens on the ports
> that you must open for the ftp-server (in almost all cases not given).
>
> cheers
>
> michael
>
> 2009/1/20 Fuchs, Martin <[email protected]>:
>> No problem ;-)
>>
>> That's the answer I expected...
>>
>> So there is really no way to accomplish this with some kind of FTP-helper
>> used in pfSense to open up just a few ports... ?
>> I really need the whole port range for FTP to be opened as defined in the
>> FTP-server ?
>>
>> Thanks so far for your help ;-)
>>
>> Regards,
>>
>> martin
>>
>> -----Original Message-----
>> From: Michael Schuh [mailto:[email protected]]
>> Sent: Tuesday, 20 January 2009 00:27
>> To: [email protected]
>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>
>> Hi,
>>
>> in my possible solution NO, because you use the ftp-server w/o
>> proxy. Communication goes directly to your ftp-server.
>> Please check out also the port ranges of your ftp-server
>> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
>> from the ports that I have described. (Sorry, I have forgotten to say
>> that my tips are related to this ftpd.)
>>
>> The proxy is needed for the users in your holy internal LAN.
>>
>> 2009/1/20 Fuchs, Martin <[email protected]>:
>>> Should the FTP-helper service be activated or deactivated on the
>>> WAN interface ?
>>>
>>> -----Original Message-----
>>> From: Michael Schuh [mailto:[email protected]]
>>> Sent: Tuesday, 20 January 2009 00:14
>>> To: [email protected]
>>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>>
>>> Hi,
>>>
>>> solution:
>>> Open the ports described in man 4 ip IP_PORTRANGE_HIGH
>>> referenced by man ftp-proxy or look up in sysctl net.inet.ip.portrange
>>> like:
>>> net.inet.ip.portrange.hilast: 65535
>>> net.inet.ip.portrange.hifirst: 49152
>>> net.inet.ip.portrange.last: 65535
>>> net.inet.ip.portrange.first: 49152
>>>
>>> from WAN to your FTP server and all gets fine.
>>>
>>> regards
>>>
>>> michael.
>>>
>>> 2009/1/20 Fuchs, Martin <[email protected]>:
>>>> Hi !
>>>>
>>>> I have set up a FTP server in my DMZ with an official IP address.
>>>> From WAN -> DMZ the IPs are routed (no NAT).
>>>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot
>>>> transfer any files.
>>>> It seems to require some more ports, so I thought the FTP-helper on the
>>>> WAN side could be helpful, but this also does not work...
>>>>
>>>> Does anyone have any idea how to set this up without opening this ton of
>>>> ports FTP requires ?
>>>>
>>>> I know FTP is not the preferred way, but we need this :-(
>>>>
>>>> I'd be thankful for every hint...
>>>>
>>>> Active FTP is not really an option because most FTP clients live behind
>>>> NAT devices so there's the problem of the data connection again...
>>>>
>>>> Regards,
>>>>
>>>> Martin
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
>>>>
>>>> Commercial support available - https://portal.pfsense.org
>>>
>>> --
>>> === m i c h a e l - s c h u h . n e t ===
>>> Michael Schuh
>>> Postfach 10 21 52
>>> 66021 Saarbrücken
>>> phone: 0681/8319664
>>> mobile: 0177/9738644
>>> @: m i c h a e l . s c h u h @ g m a i l . c o m
>>>
>>> === Ust-ID: DE251072318 ===
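The caveat Michael raises about option b), that a WAN -> DMZ rule for the whole passive range also exposes any other service that happens to listen there, can be checked on the DMZ host before the rule goes in. The script below is an added example, not code from the thread or from pfSense: it reads the `sysctl net.inet.ip.portrange` values quoted above and a `sockstat -4l` style listing (both constructed samples here; the PIDs, the 203.0.113.10 address and the `mountd` listener are hypothetical) and reports every non-ftpd TCP listener inside that range.

```python
"""Report non-FTP listeners inside the FTP passive (high) port range.
Added example, not from the thread or pfSense; inputs are constructed samples."""
import re

# Constructed sample: the sysctl values quoted in the thread.
SYSCTL_OUTPUT = """\
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
"""

# Constructed `sockstat -4l` sample from the DMZ FTP host (hypothetical PIDs).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       812   3  tcp4   *:21                  *:*
root     sshd       640   4  tcp4   *:22                  *:*
ftp      ftpd       1502  5  tcp4   203.0.113.10:52341    *:*
root     mountd     903   5  tcp4   *:59811               *:*
"""

def parse_portrange(sysctl_text, prefix="net.inet.ip.portrange.hi"):
    """Return (first, last) of the high range the ftpd hands out for PASV data."""
    vals = dict(re.findall(r"^(net\.inet\.ip\.portrange\.\w+):\s*(\d+)$",
                           sysctl_text, re.M))
    return int(vals[prefix + "first"]), int(vals[prefix + "last"])

def parse_listeners(sockstat_text):
    """Yield (command, pid, port) for each TCP listening socket in the listing."""
    for line in sockstat_text.splitlines()[1:]:  # first row is the header
        parts = line.split()
        if len(parts) < 7 or not parts[4].startswith("tcp"):
            continue
        port = int(parts[5].rsplit(":", 1)[1])
        yield parts[1], int(parts[2]), port

def exposed_listeners(sysctl_text, sockstat_text, ftp_command="ftpd"):
    """Listeners a WAN->DMZ rule for the whole high range would expose besides ftpd."""
    first, last = parse_portrange(sysctl_text)
    return [(cmd, pid, port) for cmd, pid, port in parse_listeners(sockstat_text)
            if first <= port <= last and cmd != ftp_command]

if __name__ == "__main__":
    for cmd, pid, port in exposed_listeners(SYSCTL_OUTPUT, SOCKSTAT_OUTPUT):
        print(f"WARNING: {cmd} (pid {pid}) listens on {port} inside the passive range")
```

On a real host, feed it the live output of the two commands instead of the samples; an empty result is the "no other service listens there" condition Michael describes, while any hit is a service that either needs moving out of the range or its own firewall rule.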
