:-D my pleasure :-D
Have fun....

2009/1/21 Fuchs, Martin <martin.fu...@trendchiller.com>
> :-)
>
> For the usernames and passwords, there are no users, it's just me to
> configure the accounts so I hope it's a bit more secure ;-) thanks a lot for
> your help...
>
> -----Original Message-----
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, 20 January 2009 01:18
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> :-D
>
> Any objections against active FTP data ?
> No. Not really (I think so), ftp-protocol is ftp-protocol regardless
> of the used ports....
>
> But objections against some ftp-Server-software.... *grin*
> like proftpd or some others with sporadic but serious bugs.....
> always keep an open eye on Bug-Lists and Security Certs ...
>
> in my own experience, most servers get defaced
> through a buggy ftp-server.....first target for hackers,
> because many ftp-servers allow anonymous ftp-login or have
> weak user accounts or passwords, this in combination with a
> buggy ftp-server is really dangerous....
>
> but this is eventually off topic.....for this list
>
> 2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
> > Hi !
> >
> > I opened up port 20 for active FTP data from the DMZ now and the upper
> > ports defined in the server for passive FTP data from WAN to DMZ...
> >
> > It works...
> >
> > Any objections against active FTP data ?
> >
> > Regards,
> >
> > martin
> >
> > -----Original Message-----
> > From: Michael Schuh [mailto:michael.sc...@gmail.com]
> > Sent: Tuesday, 20 January 2009 00:41
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] FTP Server in Routed DMZ
> >
> > Hmm,
> > hi martin,
> >
> > I have made such a config, and I have realized for myself that
> > I have 2 options
> > a) ftp-Server w/ ftp-proxy on WAN, IIRC this needs special setup in
> > XML-Config
> > also result is : I can't use the ftp-proxy on lan interface
> > I am not 100% sure but I believe I remember that the activation of
> > ftp-proxy on WAN
> > is not possible from Browser-User-Interface,
> >
> > b) open ftp-highrange-ports from wan to ftp-server and you can use
> > ftp-proxy for users
> > from lan.....if you like to do so....
> >
> > I have used option b) because it is no security risk if no other
> > services listen on such a port
> > on the ftp-server-system, the port on the ftp-server's system is only
> > opened if
> > an ftp-user made a transfer....this behavior underlies the
> > ftp-protocol's features of
> > PASV switching. In other words, active ftp-transfer or passive. This is
> > handled by the ftp-protocol
> > between server and each individual client.
> > With option b) you are on the secure side that every User (whether it has
> > experience or not)
> > can make transfers from and to the ftp-server, regardless of
> > transfer-mode.
> > Works all the time.
> >
> > Special attention is only needed if another Service listens on the ports
> > that you must open for ftp-server (in almost all cases not given).
> >
> > cheers
> >
> > michael
> >
> > 2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
> >> No problem ;-)
> >>
> >> That's the answer I expected...
> >>
> >> So there is really no way to accomplish this with some kind of
> >> FTP-helper used in pfSense to open up just a few ports... ?
> >> I really need the whole portrange for FTP to be opened as defined in the
> >> FTP-server ?
> >>
> >> Thanks so far for your help ;-)
> >>
> >> Regards,
> >>
> >> martin
> >>
> >> -----Original Message-----
> >> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> >> Sent: Tuesday, 20 January 2009 00:27
> >> To: support@pfsense.com
> >> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
> >>
> >> Hi,
> >>
> >> in my possible solution NO, because you use the ftp-server w/o
> >> Proxy. Communication goes directly to your ftp-server.
> >> Please also check the portranges of your ftp-server
> >> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
> >> from the ports that I have described. (sorry, I have forgotten to say
> >> that my tips are related to this ftpd).
> >>
> >> The proxy is needed for the users in your holy internal LAN.
> >>
> >> 2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
> >>> Should the FTP-helper service be activated or deactivated on the
> >>> WAN-Interface ?
> >>>
> >>> -----Original Message-----
> >>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> >>> Sent: Tuesday, 20 January 2009 00:14
> >>> To: support@pfsense.com
> >>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
> >>>
> >>> Hi,
> >>>
> >>> solution:
> >>> Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
> >>> referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
> >>> like:
> >>> net.inet.ip.portrange.hilast: 65535
> >>> net.inet.ip.portrange.hifirst: 49152
> >>> net.inet.ip.portrange.last: 65535
> >>> net.inet.ip.portrange.first: 49152
> >>>
> >>> from WAN to your FTP server and all gets fine.
> >>>
> >>> regards
> >>>
> >>> michael.
> >>>
> >>> 2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
> >>>> Hi !
> >>>>
> >>>> I have set up a FTP server in my DMZ with an official IP address.
> >>>> From WAN -> DMZ the IPs are routed (no NAT).
> >>>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot
> >>>> transfer any files.
> >>>> It seems to require some more ports, so I thought the FTP-helper on
> >>>> the WAN-side could be helpful, but this also does not work...
> >>>>
> >>>> Does anyone have any idea how to set this up without opening this ton
> >>>> of ports FTP requires ?
> >>>>
> >>>> I know FTP is not the preferred way, but we need this :-(
> >>>>
> >>>> I'd be thankful for every hint...
> >>>>
> >>>> Active FTP is not really an option because most FTP-clients live
> >>>> behind NAT devices so there's the problem of the data-connection again...
> >>>>
> >>>> Regards,
> >>>>
> >>>> Martin
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> >>>> For additional commands, e-mail: support-h...@pfsense.com
> >>>>
> >>>> Commercial support available - https://portal.pfsense.org
> >>>
> >>> --
> >>> === m i c h a e l - s c h u h . n e t ===
> >>> Michael Schuh
> >>> Postfach 10 21 52
> >>> 66021 Saarbrücken
> >>> phone: 0681/8319664
> >>> mobil: 0177/9738644
> >>> @: m i c h a e l . s c h u h @ g m a i l . c o m
> >>>
> >>> === Ust-ID: DE251072318 ===
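
Added example, not part of any message in this thread: a Python check for the caveat raised above, that opening the high port range from WAN to the FTP server needs attention only if another service listens in that range. The sysctl text uses the values quoted in the thread; the `sockstat -4 -l` sample lines and the daemon name `ftpd` are constructed assumptions.

```python
import re

# Constructed sample: the sysctl values quoted in the thread.
SYSCTL_SAMPLE = """\
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
"""

# Constructed sample in the column layout of FreeBSD `sockstat -4 -l`.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       812   3  tcp4   *:21                  *:*
root     ftpd       955   5  tcp4   192.0.2.10:49731      *:*
root     sshd       713   3  tcp4   *:22                  *:*
www      rpcdemo    1042  7  tcp4   *:50123               *:*
nobody   statsd     1100  4  udp4   *:51000               *:*
"""

def high_port_range(sysctl_text):
    """Return (hifirst, hilast) from `sysctl net.inet.ip.portrange` output."""
    vals = dict(re.findall(r"net\.inet\.ip\.portrange\.(\w+):\s*(\d+)", sysctl_text))
    lo, hi = int(vals["hifirst"]), int(vals["hilast"])
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"implausible port range {lo}-{hi}")
    return lo, hi

def unexpected_listeners(sockstat_text, lo, hi, ftp_commands=("ftpd",)):
    """Return (command, pid, proto, port) for TCP listeners in lo..hi
    that do not belong to the FTP daemon (assumed command name: ftpd)."""
    found = []
    for line in sockstat_text.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 7 or not cols[4].startswith("tcp"):
            continue                              # FTP data connections are TCP
        port = cols[5].rsplit(":", 1)[-1]
        if port.isdigit() and lo <= int(port) <= hi and cols[1] not in ftp_commands:
            found.append((cols[1], int(cols[2]), cols[4], int(port)))
    return found

if __name__ == "__main__":
    lo, hi = high_port_range(SYSCTL_SAMPLE)
    for cmd, pid, proto, port in unexpected_listeners(SOCKSTAT_SAMPLE, lo, hi):
        print(f"{cmd} (pid {pid}) listens on {proto}/{port} inside opened range {lo}-{hi}")
```

On the FTP server itself, the two sample strings would be replaced by the real output of `sysctl net.inet.ip.portrange` and `sockstat -4 -l`.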