[Lancaster] Fwd: firewall

Ken Hough kenhough at btinternet.com
Fri Sep 25 10:56:23 UTC 2009


On Thursday 24 September 2009 23:12:34 Wayne Ward wrote:
> > Sounds like you just need to use active ftp on the client just so
> > port 21 is open.

No! That doesn't work!

I've tried running with ports 20 and 21 open. This is fine for a simple 
terminal based ftp client, but access via the likes of Firefox does not work!

As soon as I open the upper port range everything is OK.

> >
> > read here this explains
> >
> > http://slacksite.com/other/ftp.html
> >
> > Wayne

I've not yet had time to read the article at the link that you gave, or to 
play again with wireshark, so perhaps there's something relating to config of 
the vsftp server that I'm missing.

But for now, I do need those upper ports for things to work properly.

Ken Hough

> >
> > On 23 Sep 2009, at 23/09/2009-15:35, Ken Hough wrote:
> >> Hi Wayne!
> >>
> >> I agree that it's not good to have all of those ports open, but until I
> >> can establish just which of these upper ports are needed, and for what
> >> applications, I'm taking the easy way out.
> >>
> >> To recap:
> >>
> >> If I use a simple terminal based ftp client, the matter is simple.
> >> Port 21 does the job!
> >>
> >> To achieve ftp via the likes of Firefox or via Windows with "My
> >> Computer/My Network Places", ports in the upper range must be opened.
> >>
> >> By gradually closing in the lower and upper port range limits on the
> >> firewall that protects the vsftp server, I established that at least two
> >> ports were being used between something like 51000 and 65000. At this
> >> stage, I got fed up. A study of the output from 'wireshark' might throw
> >> further light on this.
> >>
> >> I've not been able to discover any published information about which of
> >> the upper ports are used and whether these are always the same. So, at
> >> this stage I've decided to take the easy way out.
> >>
> >> As I mentioned in a previous message, Microsoft seem to have come to a
> >> similar conclusion.
> >>
> >> Again, as I mentioned previously, only computers on my LAN can have
> >> direct access to the vsftp server and its firewall, and it's only me who
> >> uses the LAN. Checks with "Shields Up" at www.grc.com confirm that my LAN
> >> cannot be seen from the Internet.
> >>
> >> Regards
> >>
> >> Ken hough
> >>
> >> On Wednesday 23 September 2009 13:35:06 Wayne Ward wrote:
> >>> This all seems odd. Can you not just set up a trusted IP from the box
> >>> that is not allowing the connections,
> >>> because opening those ports just isn't right!!
> >>>
> >>> If the connection is, say, 192.168.1.1 -> allow all from 192.168.1.1 ??
> >>> instead of just port 21 etc.
> >>>
> >>> I've opened ftp on my firewalls before and never had this problem.
> >>>
> >>>
> >>> Can you send me a rough picture again so I can see what's going on !!
> >>> Sorry I've been busy and missed this one !! lol
> >>>
> >>> On 23 Sep 2009, at 23/09/2009-10:49, Ken Hough wrote:
> >>>> Hi All!
> >>>>
> >>>> Further to my problem with having access to a vsftp server through a
> >>>> firewall, it seems that I'm not alone in deciding to open up all TCP
> >>>> ports in the range 49152 to 65535.
> >>>>
> >>>> See:<http://support.microsoft.com/kb/929851>
> >>>>
> >>>> but, then Microsoft are not known for always doing the right
> >>>> thing.  ;-)
> >>>>
> >>>> Ken Hough
> >>>>
> >>>> On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
> >>>>> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
> >>>>>> Does your firewall have application level monitoring?
> >>>>>
> >>>>> Not that I've discovered.
> >>>>>
> >>>>>> It may be that you need to specifically allow the application to be
> >>>>>> accessed, as well as opening the relevant ports.
> >>>>>
> >>>>> Actually I've solved the problem, sort of!
> >>>>>
> >>>>> After many trials, I've discovered that at least two ports are being
> >>>>> accessed within the range 51000 to 65000.
> >>>>>
> >>>>> On checking with <http://www.iana.org/assignments/port-numbers>, I
> >>>>> see that ports in the range 49152 to 65535 are defined as "DYNAMIC
> >>>>> AND/OR PRIVATE PORTS".
> >>>>>
> >>>>> The vsftpd server is protected from the Internet by my Netgear
> >>>>> DG834GT router, and I get a clean bill of health from "Shields Up" at
> >>>>> www.grc.com, i.e. a report of "True Stealth Mode" for some of the open
> >>>>> upper range ports.
> >>>>>
> >>>>> Also, I will only enable vsftpd when I wish to upload/download files
> >>>>> to another PC on my LAN.
> >>>>>
> >>>>> So, until I can find more definitive info, I will simply open the
> >>>>> whole of this upper port range.
> >>>>>
> >>>>> Thanks all for support and comments.
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>> Ken hough
> >>>>>
> >>>>>> 2009/9/22 Ken Hough <kenhough at btinternet.com>
> >>>>>>
> >>>>>>> On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
> >>>>>>>> On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
> >>>>>>>>> Sorry I'm confused too. Did you try my suggestion of using
> >>>>>>>>> wireshark to look at what's happening over the network when you
> >>>>>>>>> try to connect?
> >>>>>>>>
> >>>>>>>> This is probably a stupid comment, I'm not an expert at this
> >>>>>>>> stuff & I haven't really been paying much attention ... but :- it's
> >>>>>>>> not a question of packet type, is it ? Does the firewall select for
> >>>>>>>> TCP / UDP ?
> >>>>>>>
> >>>>>>> I've tried enabling UDP on the firewall, but this didn't help.
> >>>>>>>
> >>>>>>> Recent tests as follows:
> >>>>>>>
> >>>>>>> 1. Accessed vsftpd locally as ftp://localhost (with the firewall
> >>>>>>> enabled) without any problems. This confirms that vsftpd is working
> >>>>>>> as I intended.
> >>>>>>>
> >>>>>>> 2. Accessing the vsftpd server remotely (with firewall enabled)
> >>>>>>> via my laptop running Firefox under winXP again failed. On dropping
> >>>>>>> the firewall on the server machine, again all was well.
> >>>>>>>
> >>>>>>> Clearly:
> >>>>>>>
> >>>>>>> --  there is a problem with the firewall on the server machine.
> >>>>>>>
> >>>>>>> --  the setup on the laptop PC is working!
> >>>>>>>
> >>>>>>>
> >>>>>>> As Andy recommended, I installed 'wireshark' on the laptop
> >>>>>>> machine. This runs OK, but before commenting on what I found, I'd
> >>>>>>> like to spend a bit of time figuring out all of what it told me.
> >>>>>>>
> >>>>>>> It does seem that with the firewall running, I get a connection,
> >>>>>>> but this is then dropped.
> >>>>>>>
> >>>>>>> Ho hum! Life is fun!  :-)
> >>>>>>>
> >>>>>>> Further investigation has shown that one or more TCP ports in the
> >>>>>>> range 50000 to 55000 is/are being accessed, i.e. if I enable this
> >>>>>>> range, I get full access.
> >>>>>>>
> >>>>>>> A bit more experimentation should allow me to home in on the ports
> >>>>>>> needed.  :-)
> >>>>>>>
> >>>>>>> Ken Hough
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Lancaster mailing list
> >>>>>>> Lancaster at mailman.lug.org.uk
> >>>>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
> >>>>>
> >>>>
> >>>
> >>> Regards,
> >>> Wayne Ward
> >>>
> >>> 07957448652
> >>>
> >>> Lancaster Computers
> >>>
> >>> www.lancastercomputers.co.uk
> >>> wayne at lancastercomputers.co.uk
> >>>
> >>> Computers - Laptops - Servers - Web Services
> >>>
> >>
> >
>
> _______________________________________________
> Lancaster mailing list
> Lancaster at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/lancaster
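As an added example (not from the thread or from vsftpd), a small Python script that pulls the data-channel ports out of the FTP control-channel text that wireshark's "Follow TCP Stream" shows: each PASV (227), EPSV (229) and PORT exchange is parsed to the port the data connection will use, and the result is checked against a firewall range, so the open range can be narrowed to what the server actually hands out. The control stream below is constructed for the example; vsftpd can pin the passive range with pasv_min_port/pasv_max_port so that the narrowed range stays valid.

```python
import re

# Constructed sample of an FTP control channel, as "Follow TCP Stream"
# would show it; not a real capture.
SAMPLE_CONTROL_STREAM = """\
220 (vsFTPd 2.0.7)
USER anonymous
331 Please specify the password.
PASS mozilla@example.com
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,10,199,136).
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPSV
229 Entering Extended Passive Mode (|||51234|).
RETR file.txt
150 Opening BINARY mode data connection for file.txt (12 bytes).
226 Transfer complete.
PORT 192,168,1,20,4,1
200 PORT command successful. Consider using PASV.
"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def data_connections(stream):
    """Return (mode, host, port) for each data connection negotiated.

    PASV/PORT encode the port as p1*256 + p2; EPSV gives it in decimal and
    reuses the control connection's host, so host is None there.
    """
    found = []
    for line in stream.splitlines():
        for mode, rx in (("PASV", PASV_RE), ("EPSV", EPSV_RE), ("PORT", PORT_RE)):
            m = rx.match(line)
            if not m:
                continue
            if mode == "EPSV":
                found.append((mode, None, int(m.group(1))))
            else:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                found.append((mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            break
    return found


def blocked_passive(conns, lo, hi):
    """Server-chosen passive ports that a firewall allowing only lo..hi would drop."""
    return [c for c in conns if c[0] in ("PASV", "EPSV") and not lo <= c[2] <= hi]
```

Running it over a real "Follow TCP Stream" dump shows exactly which upper ports the server picked, and blocked_passive() flags any that fall outside the range the firewall currently allows.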