[Lancaster] firewall

Ken Hough kenhough at btinternet.com
Wed Sep 23 14:35:45 UTC 2009


Hi Wayne!

I agree that it's not good to have all of those ports open, but until I can 
establish just which of these upper ports are needed, and for what 
applications, I'm taking the easy way out.

To recap:

If I use a simple terminal based ftp client, the matter is simple. Port 21 
does the job!

To achieve ftp via the likes of Firefox or via Windows with "My Computer/My 
Network Places", ports in the upper range must be opened.

By gradually closing in the lower and upper port range limits on the firewall 
that protects the vsftp server, I established that at least two ports were 
being used between something like 51000 and 65000. At this stage, I got fed 
up. A study of the output from 'wireshark' might throw further light on this.

I've not been able to discover any published information about which of the 
upper ports are used and whether these are always the same. So, at this stage 
I've decided to take the easy way out.

As I mentioned in a previous message, Microsoft seem to have come to a similar 
conclusion.

Again, as I mentioned previously, only computers on my LAN can have direct 
access to the vsftp server and its firewall, and it's only me who uses the 
LAN. Checks with "Shields Up" at www.grc.com confirm that my LAN cannot be 
seen from the Internet.

Regards

Ken Hough

On Wednesday 23 September 2009 13:35:06 Wayne Ward wrote:
> This all seems odd. Can you not just set up a trusted IP from the box
> that is not allowing the connections,
> because opening those ports just isn't right!!
>
> if the connection is say 192.168.1.1 -> all all from 192.168.1.1 ??
> instead of just port 21 etc
>
> I've opened ftp on my firewalls before and never had this problem
>
>
> Can you send me a rough picture again so I can see what's going on !!
> Sorry I've been busy and missed this one !! lol
>
> On 23 Sep 2009, at 23/09/2009-10:49, Ken Hough wrote:
> > Hi All!
> >
> > Further to my problem with having access to a vsftp server through a
> > firewall, it seems that I'm not alone in deciding to open up all TCP
> > ports in the range 49152 to 65535.
> >
> > See: <http://support.microsoft.com/kb/929851>
> >
> > but, then Microsoft are not known for always doing the right
> > thing.  ;-)
> >
> > Ken Hough
> >
> > On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
> >> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
> >>> Does your firewall have application level monitoring?
> >>
> >> Not that I've discovered.
> >>
> >>> It may be that you need to specifically allow the application to be
> >>> accessed, as well as opening the relevant ports.
> >>
> >> Actually I've solved the problem, sort of!
> >>
> >> After many trials, I've discovered that at least two ports are being
> >> accessed within the range 51000 to 65000.
> >>
> >> On checking with <http://www.iana.org/assignments/port-numbers>, I
> >> see that ports in the range 49152 to 65535 are defined as "DYNAMIC
> >> AND/OR PRIVATE PORTS".
> >>
> >> The vsftpd server is protected from the Internet by my Netgear
> >> DG834GT router, and I get a clean bill of health from "Shields Up" at
> >> www.grc.com, ie a report of "True Stealth Mode" for some of the open
> >> upper range ports.
> >>
> >> Also, I will only enable vsftpd when I wish to upload/download files
> >> to another PC on my LAN.
> >>
> >> So, until I can find more definitive info, I will simply open the
> >> whole of this upper port range.
> >>
> >> Thanks all for support and comments.
> >>
> >> Regards
> >>
> >> Ken Hough
> >>
> >>> 2009/9/22 Ken Hough <kenhough at btinternet.com>
> >>>
> >>>> On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
> >>>>> On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
> >>>>>> Sorry I'm confused too. Did you try my suggestion of using
> >>>>>> wireshark to look at what's happening over the network when you
> >>>>>> try to connect?
> >>>>>
> >>>>> This is probably a stupid comment, I'm not an expert at this
> >>>>> stuff & I haven't really been paying much attention ... but :- it's
> >>>>> not a question of packet type, is it ? Does the firewall select for
> >>>>> TCP / UDP ?
> >>>>
> >>>> I've tried enabling UDP on the firewall, but this didn't help.
> >>>>
> >>>> Recent tests as follows:
> >>>>
> >>>> 1. Accessed vsftpd locally as ftp://localhost (with the firewall
> >>>> enabled) without any problems. This confirms that vsftpd is
> >>>> working as I intended.
> >>>>
> >>>> 2. Accessing the vsftpd server remotely (with firewall enabled)
> >>>> via my laptop running Firefox under winXP again failed. On dropping
> >>>> the firewall on the server machine, again all was well.
> >>>>
> >>>> Clearly:
> >>>>
> >>>> --  there is a problem with the firewall on the server machine.
> >>>>
> >>>> --  the setup on the laptop PC is working!
> >>>>
> >>>>
> >>>> As Andy recommended, I installed 'wireshark' on the laptop machine.
> >>>> This runs OK, but before commenting on what I found, I'd like to
> >>>> spend a bit of time figuring out all of what it told me.
> >>>>
> >>>> It does seem that with the firewall running, I get a connection,
> >>>> but this is then dropped.
> >>>>
> >>>> Ho hum! Life is fun!  :-)
> >>>>
> >>>> Further investigation has shown that one or more TCP ports in the
> >>>> range 50000 to 55000 is/are being accessed. ie if I enable this
> >>>> range, I get full access.
> >>>>
> >>>> A bit more experimentation should allow me to home in on the ports
> >>>> needed.  :-)
> >>>>
> >>>> Ken Hough
> >>>>
> >>>> _______________________________________________
> >>>> Lancaster mailing list
> >>>> Lancaster at mailman.lug.org.uk
> >>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
> >>
> >
>
> Regards,
> Wayne Ward
>
> 07957448652
>
> Lancaster Computers
>
> www.lancastercomputers.co.uk
> wayne at lancastercomputers.co.uk
>
> Computers - Laptops - Servers - Web Services
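The "upper ports" that keep turning up in this thread are passive-mode FTP data ports: after the client sends PASV on the port 21 control connection, the server replies with a 227 line that names the address and port it has just opened for the data transfer, and unless vsftpd is told otherwise it picks that port from the ephemeral range (which is why they landed in 49152 to 65535). The example below is added here and is not code from the list or from the vsftpd project: it decodes 227 replies from a constructed control-channel transcript of the kind Wireshark would show, checks whether the announced ports fall inside a configured range, and prints the matching vsftpd settings (pasv_min_port / pasv_max_port, which are real vsftpd.conf options) and an iptables rule that opens only that range. The IP addresses, usernames and port values in the transcript are made up.

```python
import re

# Constructed sample of an FTP control-channel exchange (client commands and
# server replies interleaved), made up for this example.  In a real capture
# these are the lines Wireshark shows on the port 21 stream.
SAMPLE_CONTROL_CHANNEL = """\
220 (vsFTPd)
USER ken
331 Please specify the password.
PASS ********
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,10,201,45).
LIST
150 Here comes the directory listing.
226 Directory send OK.
PASV
227 Entering Passive Mode (192,168,1,10,215,7).
RETR notes.txt
150 Opening BINARY mode data connection for notes.txt (1024 bytes).
226 Transfer complete.
"""

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (host, port) announced by a 227 reply, or None for other lines."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_data_ports(transcript):
    """Collect every data port the server announced during the session."""
    ports = []
    for line in transcript.splitlines():
        parsed = parse_pasv_reply(line)
        if parsed is not None:
            ports.append(parsed[1])
    return ports


def check_against_range(ports, pasv_min, pasv_max):
    """Map each announced port to whether it lies inside the allowed range.

    A False value means the firewall rule for that range would have blocked
    the data connection, which is exactly the symptom described in the thread
    (control connection succeeds, directory listing then hangs or drops).
    """
    return {p: pasv_min <= p <= pasv_max for p in ports}


def vsftpd_pasv_config(pasv_min, pasv_max):
    """vsftpd.conf lines that pin the passive data ports to a known range."""
    return (
        "pasv_enable=YES\n"
        f"pasv_min_port={pasv_min}\n"
        f"pasv_max_port={pasv_max}\n"
    )


def firewall_rule(pasv_min, pasv_max):
    """iptables rule opening only the pinned range (plus port 21 separately)."""
    return (
        f"iptables -A INPUT -p tcp --dport {pasv_min}:{pasv_max} "
        "-m conntrack --ctstate NEW -j ACCEPT"
    )


if __name__ == "__main__":
    ports = passive_data_ports(SAMPLE_CONTROL_CHANNEL)
    print("Data ports announced by the server:", ports)
    # With no pasv_min_port/pasv_max_port set, ports come from the ephemeral
    # range and a narrow rule does not cover them:
    print("Inside 50000-50100?", check_against_range(ports, 50000, 50100))
    print("Inside 49152-65535?", check_against_range(ports, 49152, 65535))
    print("\nPin the range in vsftpd.conf instead:\n" + vsftpd_pasv_config(50000, 50100))
    print("and open only that range:\n" + firewall_rule(50000, 50100))
```

Running this against a real Wireshark capture means copying the 227 lines out of the port 21 stream (the data connections themselves carry no hint of which port they belong to). Once pasv_min_port and pasv_max_port are set, every port this function extracts will sit inside that window, and the firewall needs only port 21 plus that window rather than the whole 49152 to 65535 block.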