[Lancaster] Fwd: firewall
Wayne Ward
wayne at lancastercomputers.co.uk
Fri Sep 25 04:31:00 UTC 2009
>
> Sounds like you just need to use active ftp on the client just so
> port 21 is open.
>
> read here this explains
>
> http://slacksite.com/other/ftp.html
>
> Wayne
> On 23 Sep 2009, at 23/09/2009-15:35, Ken Hough wrote:
>
>> Hi Wayne!
>>
>> I agree that it's not good to have all of those ports open, but
>> until I can
>> establish just which of these upper ports are needed, and for what
>> applications, I'm taking the easy way out.
>>
>> To recap:
>>
>> If I use a simple ternimal based ftp client, the matter is simple.
>> Port 21
>> does the job!
>>
>> To achieve ftp via the likes of Firefox or via Windows with "My
>> Comptuter/My
>> Network Places", ports in the upper range must be opened.
>>
>> By gradually closing in the lower and upper port range limits on
>> the firewall
>> that protects the vsftp server, I established that at least two
>> ports were
>> being used between something like 51000 and 65000. At this stage, I
>> got fed
>> up. A study of the output from 'wireshark' might throw further
>> light on this.
>>
>> I've not been able to discover any published information about
>> which of the
>> upper ports are used and whether these are always the same. So, at
>> this stage
>> I've decided to take the easy way out.
>>
>> As I mentioned in a previus message, Microsoft seem to have come a
>> similar
>> conclusion.
>>
>> Again, as I mentioned previously, only computers on my LAN can have
>> direct
>> access to the vsftp server and it's firewall, and it's only me who
>> uses the
>> LAN. Checks with "Shields Up" at www.grc.com confirm that my LAN
>> cannot be
>> seen from the Internet.
>>
>> Regards
>>
>> Ken hough
>>
>> On Wednesday 23 September 2009 13:35:06 Wayne Ward wrote:
>>> This all seems odd can you not just setup a trusted ip from the box
>>> that is not allowing the connections
>>> because opening them ports just isnt right!!
>>>
>>> if the connection is say 192.168.1.1 -> all all from 192.168.1.1 ??
>>> instead of just port 21 etc
>>>
>>> ive opened ftp on my firewalls before and never had this problem
>>>
>>>
>>> can you send my a rough picture again so i can see whats going on !!
>>> sorry ive been busy and missed this one !! lol
>>>
>>> On 23 Sep 2009, at 23/09/2009-10:49, Ken Hough wrote:
>>>> Hi All!
>>>>
>>>> Further to my problem with having access to a vsftp server
>>>> through a
>>>> firewall,
>>>> it seems that I'm not alone in deciding to open up all TCP ports in
>>>> the range
>>>> 49152 to 65535.
>>>>
>>>> See:<http://support.microsoft.com/kb/929851>
>>>>
>>>> but, then Microsoft are not known for always doing the right
>>>> thing. ;-)
>>>>
>>>> Ken Hough
>>>>
>>>> On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
>>>>> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
>>>>>> Does your firewall have application level monitoring?
>>>>>
>>>>> Not that I've discovered.
>>>>>
>>>>>> It may be that you need to specifically allow the application
>>>>>> to be
>>>>>> accessed, as well as opening the relevant ports.
>>>>>
>>>>> Actually I've solved the problem, sort of!
>>>>>
>>>>> After many trials, I've discovered that at least two ports are
>>>>> being
>>>>> accessed within the range 51000 to 65000.
>>>>>
>>>>> On checking with <http://www.iana.org/assignments/port-numbers>, I
>>>>> see that
>>>>> ports in the range 49152 to 65535 are defined as "DYNAMIC AND/OR
>>>>> PRIVATE
>>>>> PORTS".
>>>>>
>>>>> The vsftpd server is protected from the Internet by my Netgear
>>>>> DG834GT
>>>>> router, and I get a clean bill of health from "Shields Up" at
>>>>> www.grc.com .
>>>>> ie a report of "True Stealth Mode" for some of the open upper
>>>>> range
>>>>> ports.
>>>>>
>>>>> Also, I will only enabled vsftpd when I wish to upload/download
>>>>> files to
>>>>> another PC on my LAN.
>>>>>
>>>>> So, until I can find more definative info, I will simply open the
>>>>> whole of
>>>>> this upper port range.
>>>>>
>>>>> Thanks all for support and comments.
>>>>>
>>>>> Regards
>>>>>
>>>>> Ken hough
>>>>>
>>>>>> 2009/9/22 Ken Hough <kenhough at btinternet.com>
>>>>>>
>>>>>>> On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
>>>>>>>> On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
>>>>>>>>> Sorry I'm confused too. Did you try my suggestion of using
>>>>>>>>> wireshark to look at what's happening over the network when
>>>>>>>>> you
>>>>>>>>> try
>>>>>>>>> to connect?
>>>>>>>>
>>>>>>>> This is probably a stupid comment, I'm not a expert at this
>>>>>>>> stuff & I
>>>>>>>> haven't really been paying much attention ... but :- it's not a
>>>>>>>> question
>>>>>>>
>>>>>>> of
>>>>>>>
>>>>>>>> packet type, is it ? Does the firewall select for TCP / UDP ?
>>>>>>>
>>>>>>> I've tried enabling UDP on the firewall, but this didn't help.
>>>>>>>
>>>>>>> Recent tests as follows:
>>>>>>>
>>>>>>> 1. Accessed vsftpd locally as ftp://localhost (with the firewall
>>>>>>> enabled) without any problems. This confirms that vsftpd is
>>>>>>> working as
>>>>>>> I intended.
>>>>>>>
>>>>>>> 2. Accessing the vsftpd server remotely (with firewall enabled)
>>>>>>> via my
>>>>>>> laptop
>>>>>>> running Firefox under winXP again failed. On dropping the
>>>>>>> firewall on
>>>>>>> the server machine, again all was well.
>>>>>>>
>>>>>>> Clearly:
>>>>>>>
>>>>>>> -- there is a problem with the firewall on the server machine.
>>>>>>>
>>>>>>> -- the setup on the laptop PC is working!
>>>>>>>
>>>>>>>
>>>>>>> As Andy recommended, I installed 'wireshark' on the laptop
>>>>>>> machine.
>>>>>>> This runs
>>>>>>> OK, but before commenting on what I found, I'd like to spend a
>>>>>>> bit of
>>>>>>> time figuring out all of what it told me.
>>>>>>>
>>>>>>> It does seem that with the firewall running, I get a connection,
>>>>>>> but
>>>>>>> this is
>>>>>>> then dropped.
>>>>>>>
>>>>>>> Ho hum! Life is fun! :-)
>>>>>>>
>>>>>>> Further investigation has shown that one or more TCP ports in
>>>>>>> the
>>>>>>> range
>>>>>>> 50000
>>>>>>> to 55000 is/are being accessed. ie if I enable this range, I get
>>>>>>> full
>>>>>>> access.
>>>>>>>
>>>>>>> A bit more experimentation should allow me to home in of the
>>>>>>> ports
>>>>>>> needed. :-)
>>>>>>>
>>>>>>> Ken Hough
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Lancaster mailing list
>>>>>>> Lancaster at mailman.lug.org.uk
>>>>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
>>>>>
>>>>> _______________________________________________
>>>>> Lancaster mailing list
>>>>> Lancaster at mailman.lug.org.uk
>>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
>>>>
>>>> _______________________________________________
>>>> Lancaster mailing list
>>>> Lancaster at mailman.lug.org.uk
>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
>>>
>>> Regards,
>>> Wayne Ward
>>>
>>> 07957448652
>>>
>>> Lancaster Computers
>>>
>>> www.lancastercomputers.co.uk
>>> wayne at lancastercomputers.co.uk
>>>
>>> Computers - Laptops - Servers - Web Services
>>>
>>>
>>>
>>>
>>>
>>>
>>> Wayne
>>> Regards,
>>> Wayne Ward
>>>
>>> 07957448652
>>>
>>> Lancaster Computers
>>>
>>> www.lancastercomputers.co.uk
>>> wayne at lancastercomputers.co.uk
>>>
>>> Computers - Laptops - Servers - Web Services
>>
>>
>>
>> _______________________________________________
>> Lancaster mailing list
>> Lancaster at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
>
> Regards,
> Wayne Ward
>
> 07957448652
>
> Lancaster Computers
>
> www.lancastercomputers.co.uk
> wayne at lancastercomputers.co.uk
>
> Computers - Laptops - Servers - Web Services
>
>
>
>
>
>
>
Regards,
Wayne Ward
07957448652
Lancaster Computers
www.lancastercomputers.co.uk
wayne at lancastercomputers.co.uk
Computers - Laptops - Servers - Web Services
More information about the Lancaster
mailing list