[Lancaster] firewall

Ken Hough kenhough at btinternet.com
Mon Sep 28 17:00:24 UTC 2009


Hi Wayne,

In the past I have played with other ftp servers on different machines and 
distros and I recall having similar problems, i.e. everything works via a 
terminal-based ftp client, but not when trying to access via a browser.

Previously, I just muttered some obscenity and left it, but now I would like to 
use it and to understand what's going on.

I agree, there's not a lot in the default vsftpd config file -- so hopefully 
not much to go wrong.

At this time, I don't really want to start playing around with various ftp 
servers. After all, vsftp is well respected.

What is absolutely clear here is that when accessing vsftp via a browser or 
via "My Computer/My Network Places", at least two ports are being accessed in 
the upper range. I haven't set this up. It's just happening and the effects 
are similar to what I've seen in the past on other setups.

Are you accessing vsftpd via browsers, etc? Does this work without using any 
of the upper ports? Are you sure that your firewall is not allowing access to 
the upper ports? Sorry to ask such daft questions, but something somewhere 
isn't working as expected.

Please can you let me see the contents of your vsftpd.conf file.

Regards

Ken Hough

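The "upper" ports the thread keeps running into are FTP passive-mode data ports, which browsers and Windows Explorer use while a terminal ftp client typically uses active mode over port 21. As an added illustration (not code from the thread or from vsftpd itself), this Python snippet decodes a 227 PASV reply to find the data port, reads the pasv_min_port/pasv_max_port pinning from a vsftpd.conf, and checks whether the server-side firewall range covers that port; the reply text and config fragments are constructed samples.

```python
# Added example, not code from the thread. The "upper" ports seen in the
# thread are FTP passive-mode data ports: a browser or Windows Explorer
# sends PASV, the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# and the client opens a second TCP connection to server port p1*256+p2.
# Unless pinned, vsftpd picks that port from the kernel's ephemeral range,
# which is why the thread saw hits between 51000 and 65000. Pinning it with
# pasv_min_port/pasv_max_port lets the firewall allow a small block plus 21.
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # octets and port bytes must each fit in one byte
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def vsftpd_pasv_range(conf_text: str):
    """Read pasv_min_port/pasv_max_port from vsftpd.conf text.
    vsftpd defaults both to 0 ("use any port"); return None in that case."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    return (lo, hi) if lo and hi and lo <= hi else None


def data_port_allowed(reply: str, firewall_open) -> bool:
    """True if the data port a PASV reply announces lies inside the (lo, hi)
    TCP range the server-side firewall permits."""
    parsed = parse_pasv(reply)
    return parsed is not None and firewall_open[0] <= parsed[1] <= firewall_open[1]


# Constructed samples: a PASV reply as wireshark would show it (data port
# 200*256 + 184 = 51384) and a vsftpd.conf that pins the passive range.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,10,200,184)\r\n"
PINNED_CONF = "listen=YES\npasv_enable=YES\npasv_min_port=51000\npasv_max_port=51500\n"
DEFAULT_CONF = "listen=YES\n"  # range not pinned: any free port may be used
```

With only port 21 open, data_port_allowed(SAMPLE_REPLY, (21, 21)) is False, which is the browser failure the thread describes; with the pinned range it is True and the firewall need not expose the whole 49152 to 65535 block.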

On Monday 28 September 2009 16:14:50 Wayne Ward wrote:
> Sounds silly, but have you tried another FTP server?
> I used to use vsftpd and it was a pretty cut-down ftp server with not a
> lot in the config file..
> How about trying wu-ftpd....
> It's worth a go!
>
> Wayne
>
> On 23 Sep 2009, at 23/09/2009-15:35, Ken Hough wrote:
> > Hi Wayne!
> >
> > I agree that it's not good to have all of those ports open, but until I can
> > establish just which of these upper ports are needed, and for what
> > applications, I'm taking the easy way out.
> >
> > To recap:
> >
> > If I use a simple terminal-based ftp client, the matter is simple. Port 21
> > does the job!
> >
> > To achieve ftp via the likes of Firefox or via Windows with "My Computer/My
> > Network Places", ports in the upper range must be opened.
> >
> > By gradually closing in the lower and upper port range limits on the firewall
> > that protects the vsftp server, I established that at least two ports were
> > being used between something like 51000 and 65000. At this stage, I got fed
> > up. A study of the output from 'wireshark' might throw further light on this.
> >
> > I've not been able to discover any published information about which of the
> > upper ports are used and whether these are always the same. So, at this stage
> > I've decided to take the easy way out.
> >
> > As I mentioned in a previous message, Microsoft seem to have come to a similar
> > conclusion.
> >
> > Again, as I mentioned previously, only computers on my LAN can have direct
> > access to the vsftp server and its firewall, and it's only me who uses the
> > LAN. Checks with "Shields Up" at www.grc.com confirm that my LAN cannot be
> > seen from the Internet.
> >
> > Regards
> >
> > Ken Hough
> >
> > On Wednesday 23 September 2009 13:35:06 Wayne Ward wrote:
> >> This all seems odd. Can you not just set up a trusted IP from the box
> >> that is not allowing the connections,
> >> because opening those ports just isn't right!!
> >>
> >> i.e. if the connection is, say, 192.168.1.1 -> all all from 192.168.1.1 ??
> >> instead of just port 21 etc
> >>
> >> I've opened ftp on my firewalls before and never had this problem
> >>
> >>
> >> Can you send me a rough picture again so I can see what's going on !!
> >> Sorry, I've been busy and missed this one !! lol
> >>
> >> On 23 Sep 2009, at 23/09/2009-10:49, Ken Hough wrote:
> >>> Hi All!
> >>>
> >>> Further to my problem with having access to a vsftp server through a firewall,
> >>> it seems that I'm not alone in deciding to open up all TCP ports in the range
> >>> 49152 to 65535.
> >>>
> >>> See: <http://support.microsoft.com/kb/929851>
> >>>
> >>> but, then Microsoft are not known for always doing the right thing.  ;-)
> >>>
> >>> Ken Hough
> >>>
> >>> On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
> >>>> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
> >>>>> Does your firewall have application level monitoring?
> >>>>
> >>>> Not that I've discovered.
> >>>>
> >>>>> It may be that you need to specifically allow the application to be
> >>>>> accessed, as well as opening the relevant ports.
> >>>>
> >>>> Actually I've solved the problem, sort of!
> >>>>
> >>>> After many trials, I've discovered that at least two ports are being
> >>>> accessed within the range 51000 to 65000.
> >>>>
> >>>> On checking with <http://www.iana.org/assignments/port-numbers>, I see that
> >>>> ports in the range 49152 to 65535 are defined as "DYNAMIC AND/OR PRIVATE
> >>>> PORTS".
> >>>>
> >>>> The vsftpd server is protected from the Internet by my Netgear DG834GT
> >>>> router, and I get a clean bill of health from "Shields Up" at www.grc.com,
> >>>> i.e. a report of "True Stealth Mode" for some of the open upper range ports.
> >>>>
> >>>> Also, I will only enable vsftpd when I wish to upload/download files to
> >>>> another PC on my LAN.
> >>>>
> >>>> So, until I can find more definitive info, I will simply open the whole of
> >>>> this upper port range.
> >>>>
> >>>> Thanks all for support and comments.
> >>>>
> >>>> Regards
> >>>>
> >>>> Ken Hough
> >>>>
> >>>>> 2009/9/22 Ken Hough <kenhough at btinternet.com>
> >>>>>
> >>>>>> On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
> >>>>>>> On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
> >>>>>>>> Sorry I'm confused too. Did you try my suggestion of using
> >>>>>>>> wireshark to look at what's happening over the network when you try
> >>>>>>>> to connect?
> >>>>>>>
> >>>>>>> This is probably a stupid comment, I'm not an expert at this stuff & I
> >>>>>>> haven't really been paying much attention ... but :- it's not a question of
> >>>>>>> packet type, is it ? Does the firewall select for TCP / UDP ?
> >>>>>>
> >>>>>> I've tried enabling UDP on the firewall, but this didn't help.
> >>>>>>
> >>>>>> Recent tests as follows:
> >>>>>>
> >>>>>> 1. Accessed vsftpd locally as ftp://localhost (with the firewall
> >>>>>> enabled) without any problems. This confirms that vsftpd is working as
> >>>>>> I intended.
> >>>>>>
> >>>>>> 2. Accessing the vsftpd server remotely (with firewall enabled) via my
> >>>>>> laptop running Firefox under winXP again failed. On dropping the firewall on
> >>>>>> the server machine, again all was well.
> >>>>>>
> >>>>>> Clearly:
> >>>>>>
> >>>>>> --  there is a problem with the firewall on the server machine.
> >>>>>>
> >>>>>> --  the setup on the laptop PC is working!
> >>>>>>
> >>>>>>
> >>>>>> As Andy recommended, I installed 'wireshark' on the laptop machine.
> >>>>>> This runs OK, but before commenting on what I found, I'd like to spend a
> >>>>>> bit of time figuring out all of what it told me.
> >>>>>>
> >>>>>> It does seem that with the firewall running, I get a connection, but
> >>>>>> this is then dropped.
> >>>>>>
> >>>>>> Ho hum! Life is fun!  :-)
> >>>>>>
> >>>>>> Further investigation has shown that one or more TCP ports in the range
> >>>>>> 50000 to 55000 is/are being accessed, i.e. if I enable this range, I get
> >>>>>> full access.
> >>>>>>
> >>>>>> A bit more experimentation should allow me to home in on the ports
> >>>>>> needed.  :-)
> >>>>>>
> >>>>>> Ken Hough
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Lancaster mailing list
> >>>>>> Lancaster at mailman.lug.org.uk
> >>>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
> >>
> >> Regards,
> >> Wayne Ward
> >>
> >> 07957448652
> >>
> >> Lancaster Computers
> >>
> >> www.lancastercomputers.co.uk
> >> wayne at lancastercomputers.co.uk
> >>
> >> Computers - Laptops - Servers - Web Services
>
> Regards,
> Wayne Ward
>
> 07957448652
>
> Lancaster Computers
>
> www.lancastercomputers.co.uk
> wayne at lancastercomputers.co.uk
>
> Computers - Laptops - Servers - Web Services