[Lancaster] Firewall problem

Ken Hough kenhough at btinternet.com
Wed Sep 23 09:49:50 UTC 2009


Hi All!

Further to my problem with having access to a vsftp server through a firewall, 
it seems that I'm not alone in deciding to open up all TCP ports in the range 
49152 to 65535.

See: <http://support.microsoft.com/kb/929851>

but, then Microsoft are not known for always doing the right thing.  ;-)

Ken Hough

On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
> > Does your firewall have application level monitoring?
>
> Not that I've discovered.
>
> > It may be that you need to specifically allow the application to be
> > accessed, as well as opening the relevant ports.
>
> Actually I've solved the problem, sort of!
>
> After many trials, I've discovered that at least two ports are being
> accessed within the range 51000 to 65000.
>
> On checking with <http://www.iana.org/assignments/port-numbers>, I see that
> ports in the range 49152 to 65535 are defined as "DYNAMIC AND/OR PRIVATE
> PORTS".
>
> The vsftpd server is protected from the Internet by my Netgear DG834GT
> router, and I get a clean bill of health from "Shields Up" at www.grc.com.
> i.e. a report of "True Stealth Mode" for some of the open upper range ports.
>
> Also, I will only enable vsftpd when I wish to upload/download files to
> another PC on my LAN.
>
> So, until I can find more definitive info, I will simply open the whole of
> this upper port range.
>
> Thanks all for support and comments.
>
> Regards
>
> Ken Hough
>
> > 2009/9/22 Ken Hough <kenhough at btinternet.com>
> >
> > > On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
> > > > On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
> > > > > Sorry I'm confused too. Did you try my suggestion of using
> > > > > wireshark to look at what's happening over the network when you try
> > > > > to connect?
> > > >
> > > > This is probably a stupid comment, I'm not an expert at this stuff & I
> > > > haven't really been paying much attention ... but :- it's not a
> > > > question of packet type, is it ? Does the firewall select for TCP / UDP ?
> > >
> > > I've tried enabling UDP on the firewall, but this didn't help.
> > >
> > > Recent tests as follows:
> > >
> > > 1. Accessed vsftpd locally as ftp://localhost (with the firewall
> > > enabled) without any problems. This confirms that vsftpd is working as
> > > I intended.
> > >
> > > 2. Accessing the vsftpd server remotely (with firewall enabled) via my
> > > laptop running Firefox under winXP again failed. On dropping the firewall
> > > on the server machine, again all was well.
> > >
> > > Clearly:
> > >
> > > --  there is a problem with the firewall on the server machine.
> > >
> > > --  the setup on the laptop PC is working!
> > >
> > >
> > > As Andy recommended, I installed 'wireshark' on the laptop machine.
> > > This runs OK, but before commenting on what I found, I'd like to spend a
> > > bit of time figuring out all of what it told me.
> > >
> > > It does seem that with the firewall running, I get a connection, but
> > > this is then dropped.
> > >
> > > Ho hum! Life is fun!  :-)
> > >
> > > Further investigation has shown that one or more TCP ports in the range
> > > 50000 to 55000 is/are being accessed, i.e. if I enable this range, I get
> > > full access.
> > >
> > > A bit more experimentation should allow me to home in on the ports
> > > needed.  :-)
> > >
> > > Ken Hough
> > >
> > > _______________________________________________
> > > Lancaster mailing list
> > > Lancaster at mailman.lug.org.uk
> > > https://mailman.lug.org.uk/mailman/listinfo/lancaster
>
> _______________________________________________
> Lancaster mailing list
> Lancaster at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/lancaster
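An added example, not from the thread or from the vsftpd project: instead of opening the whole 49152-65535 range for vsftpd's passive data connections, pin the passive window with vsftpd's pasv_min_port/pasv_max_port settings (real vsftpd.conf keys) and derive the one firewall rule from the config. The vsftpd.conf below is constructed, the iptables rule is printed rather than applied, and on a Linux firewall the FTP connection-tracking helper (nf_conntrack_ftp) would remove the need for any static data-port opening.

```shell
#!/bin/sh
# Added example: derive the firewall opening from vsftpd's pinned passive
# port range rather than opening all of 49152-65535.

# Read one numeric key=value from a vsftpd.conf-style file ('#' comments
# and blank lines are ignored by the pattern; last definition wins).
vsftpd_get() {   # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([0-9]*\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Print the single rule that admits the configured passive window.
# Returns 1 when the config does not pin the range: vsftpd then picks any
# ephemeral port, which is exactly what forces opening 49152-65535.
pasv_rule() {   # $1 = config file
    lo=$(vsftpd_get "$1" pasv_min_port)
    hi=$(vsftpd_get "$1" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "passive range not pinned in $1" >&2
        return 1
    fi
    echo "iptables -A INPUT -p tcp --dport $lo:$hi -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample vsftpd.conf with a 20-port passive window.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
listen=YES
pasv_enable=YES
# keep the passive window small so the firewall opening stays small
pasv_min_port=50000
pasv_max_port=50019
EOF
pasv_rule "$tmp"
rm -f "$tmp"
```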