[Lancaster] Fwd: firewall
andy baxter
andy at earthsong.free-online.co.uk
Fri Sep 25 05:59:04 UTC 2009
Having read the page you posted, it may not even be as simple as that -
if there is a firewall running on the windows box then the active
connection from the server to the windows box might be blocked. It
sounds like the best answer is either:
- to configure vsftp to use a specific smaller number of ports for
passive connections (maybe 5 ports > 1023 ?) and open only those ports
in the firewall, rather than the whole range Ken was talking about. Then
passive connections should work ok.
- or else to use a different protocol. If he only needs to be able to
download data, http using apache would be simpler, or otherwise he could
use samba (or sftp with a suitable client on the windows box).
andy
Wayne Ward wrote:
>> Sounds like you just need to use active ftp on the client just so
>> port 21 is open.
>>
>> read here this explains
>>
>> http://slacksite.com/other/ftp.html
>>
>> Wayne
>> On 23 Sep 2009, at 23/09/2009-15:35, Ken Hough wrote:
>>
>>
>>> Hi Wayne!
>>>
>>> I agree that it's not good to have all of those ports open, but
>>> until I can
>>> establish just which of these upper ports are needed, and for what
>>> applications, I'm taking the easy way out.
>>>
>>> To recap:
>>>
>>> If I use a simple terminal based ftp client, the matter is simple.
>>> Port 21
>>> does the job!
>>>
>>> To achieve ftp via the likes of Firefox or via Windows with "My
>>> Computer/My
>>> Network Places", ports in the upper range must be opened.
>>>
>>> By gradually closing in the lower and upper port range limits on
>>> the firewall
>>> that protects the vsftp server, I established that at least two
>>> ports were
>>> being used between something like 51000 and 65000. At this stage, I
>>> got fed
>>> up. A study of the output from 'wireshark' might throw further
>>> light on this.
>>>
>>> I've not been able to discover any published information about
>>> which of the
>>> upper ports are used and whether these are always the same. So, at
>>> this stage
>>> I've decided to take the easy way out.
>>>
>>> As I mentioned in a previous message, Microsoft seem to have come to a
>>> similar
>>> conclusion.
>>>
>>> Again, as I mentioned previously, only computers on my LAN can have
>>> direct
>>> access to the vsftp server and its firewall, and it's only me who
>>> uses the
>>> LAN. Checks with "Shields Up" at www.grc.com confirm that my LAN
>>> cannot be
>>> seen from the Internet.
>>>
>>> Regards
>>>
>>> Ken hough
>>>
>>> On Wednesday 23 September 2009 13:35:06 Wayne Ward wrote:
>>>
>>>> This all seems odd. Can you not just set up a trusted IP from the box
>>>> that is not allowing the connections,
>>>> because opening those ports just isn't right!!
>>>>
>>>> If the connection is say 192.168.1.1 -> allow all from 192.168.1.1 ??
>>>> instead of just port 21 etc.
>>>>
>>>> I've opened ftp on my firewalls before and never had this problem.
>>>>
>>>> Can you send me a rough picture again so I can see what's going on !!
>>>> Sorry I've been busy and missed this one !! lol
>>>>
>>>> On 23 Sep 2009, at 23/09/2009-10:49, Ken Hough wrote:
>>>>
>>>>> Hi All!
>>>>>
>>>>> Further to my problem with having access to a vsftp server
>>>>> through a
>>>>> firewall,
>>>>> it seems that I'm not alone in deciding to open up all TCP ports in
>>>>> the range
>>>>> 49152 to 65535.
>>>>>
>>>>> See:<http://support.microsoft.com/kb/929851>
>>>>>
>>>>> but, then Microsoft are not known for always doing the right
>>>>> thing. ;-)
>>>>>
>>>>> Ken Hough
>>>>>
>>>>> On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
>>>>>
>>>>>> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
>>>>>>
>>>>>>> Does your firewall have application level monitoring?
>>>>>>>
>>>>>> Not that I've discovered.
>>>>>>
>>>>>>
>>>>>>> It may be that you need to specifically allow the application
>>>>>>> to be
>>>>>>> accessed, as well as opening the relevant ports.
>>>>>>>
>>>>>> Actually I've solved the problem, sort of!
>>>>>>
>>>>>> After many trials, I've discovered that at least two ports are
>>>>>> being
>>>>>> accessed within the range 51000 to 65000.
>>>>>>
>>>>>> On checking with <http://www.iana.org/assignments/port-numbers>, I
>>>>>> see that
>>>>>> ports in the range 49152 to 65535 are defined as "DYNAMIC AND/OR
>>>>>> PRIVATE
>>>>>> PORTS".
>>>>>>
>>>>>> The vsftpd server is protected from the Internet by my Netgear
>>>>>> DG834GT
>>>>>> router, and I get a clean bill of health from "Shields Up" at
>>>>>> www.grc.com .
>>>>>> i.e. a report of "True Stealth Mode" for some of the open upper
>>>>>> range
>>>>>> ports.
>>>>>>
>>>>>> Also, I will only enable vsftpd when I wish to upload/download
>>>>>> files to
>>>>>> another PC on my LAN.
>>>>>>
>>>>>> So, until I can find more definitive info, I will simply open the
>>>>>> whole of
>>>>>> this upper port range.
>>>>>>
>>>>>> Thanks all for support and comments.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ken hough
>>>>>>
>>>>>>
>>>>>>> 2009/9/22 Ken Hough <kenhough at btinternet.com>
>>>>>>>
>>>>>>>
>>>>>>>> On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
>>>>>>>>
>>>>>>>>> On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
>>>>>>>>>
>>>>>>>>>> Sorry I'm confused too. Did you try my suggestion of using
>>>>>>>>>> wireshark to look at what's happening over the network when
>>>>>>>>>> you
>>>>>>>>>> try
>>>>>>>>>> to connect?
>>>>>>>>>>
>>>>>>>>> This is probably a stupid comment, I'm not an expert at this
>>>>>>>>> stuff & I
>>>>>>>>> haven't really been paying much attention ... but :- it's not a
>>>>>>>>> question of
>>>>>>>>> packet type, is it ? Does the firewall select for TCP / UDP ?
>>>>>>>>>
>>>>>>>> I've tried enabling UDP on the firewall, but this didn't help.
>>>>>>>>
>>>>>>>> Recent tests as follows:
>>>>>>>>
>>>>>>>> 1. Accessed vsftpd locally as ftp://localhost (with the firewall
>>>>>>>> enabled) without any problems. This confirms that vsftpd is
>>>>>>>> working as
>>>>>>>> I intended.
>>>>>>>>
>>>>>>>> 2. Accessing the vsftpd server remotely (with firewall enabled)
>>>>>>>> via my
>>>>>>>> laptop
>>>>>>>> running Firefox under winXP again failed. On dropping the
>>>>>>>> firewall on
>>>>>>>> the server machine, again all was well.
>>>>>>>>
>>>>>>>> Clearly:
>>>>>>>>
>>>>>>>> -- there is a problem with the firewall on the server machine.
>>>>>>>>
>>>>>>>> -- the setup on the laptop PC is working!
>>>>>>>>
>>>>>>>>
>>>>>>>> As Andy recommended, I installed 'wireshark' on the laptop
>>>>>>>> machine.
>>>>>>>> This runs
>>>>>>>> OK, but before commenting on what I found, I'd like to spend a
>>>>>>>> bit of
>>>>>>>> time figuring out all of what it told me.
>>>>>>>>
>>>>>>>> It does seem that with the firewall running, I get a connection,
>>>>>>>> but
>>>>>>>> this is
>>>>>>>> then dropped.
>>>>>>>>
>>>>>>>> Ho hum! Life is fun! :-)
>>>>>>>>
>>>>>>>> Further investigation has shown that one or more TCP ports in
>>>>>>>> the
>>>>>>>> range
>>>>>>>> 50000
>>>>>>>> to 55000 is/are being accessed, i.e. if I enable this range, I get
>>>>>>>> full
>>>>>>>> access.
>>>>>>>>
>>>>>>>> A bit more experimentation should allow me to home in on the
>>>>>>>> ports
>>>>>>>> needed. :-)
>>>>>>>>
>>>>>>>> Ken Hough
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Lancaster mailing list
>>>>>>>> Lancaster at mailman.lug.org.uk
>>>>>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
>>>>>>>>
>>>> Regards,
>>>> Wayne Ward
>>>>
>>>> 07957448652
>>>>
>>>> Lancaster Computers
>>>>
>>>> www.lancastercomputers.co.uk
>>>> wayne at lancastercomputers.co.uk
>>>>
>>>> Computers - Laptops - Servers - Web Services
>>>
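Andy's suggestion at the top of the thread (pin vsftpd to a small passive-port window and open only that window in the firewall, rather than all of 49152-65535) as an added shell example; this is not code from anyone in the thread. It assumes a five-port window of 50000-50004, the real vsftpd options pasv_enable/pasv_min_port/pasv_max_port and the iptables --dport low:high range syntax, and the "227" reply it checks is a constructed sample of the line a wireshark capture of the control connection shows.

```shell
#!/bin/sh
# Added example: restrict vsftpd passive data ports to a small window,
# emit the matching firewall rules, and check a PASV reply against it.
# Assumed values: window 50000-50004 (any range above 1023 works).

PASV_MIN=50000
PASV_MAX=50004

# vsftpd.conf lines that pin passive-mode data ports to the window.
vsftpd_pasv_config() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# Firewall rules: the control port plus only the passive window,
# instead of the whole 49152-65535 dynamic range.
firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport 21 -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$1" "$2"
}

# Decode the data port the server announces in a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply: port = p1*256 + p2.
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed 's/.*(\(.*\)).*/\1/' | tr ',' ' ')
    echo $(( $5 * 256 + $6 ))
}

# Succeeds (exit 0) if the announced data port lies inside the opened window,
# i.e. the client's second connection would pass the firewall.
pasv_in_window() {
    p=$(pasv_port "$1")
    [ "$p" -ge "$2" ] && [ "$p" -le "$3" ]
}

# Constructed sample reply: 195*256+100 = 50020, outside the window, which is
# the situation Ken saw before the server was pinned to a range.
SAMPLE='227 Entering Passive Mode (192,168,1,10,195,100)'

vsftpd_pasv_config "$PASV_MIN" "$PASV_MAX"
firewall_rules "$PASV_MIN" "$PASV_MAX"
if pasv_in_window "$SAMPLE" "$PASV_MIN" "$PASV_MAX"; then
    echo "data port $(pasv_port "$SAMPLE") is inside the window: allowed"
else
    echo "data port $(pasv_port "$SAMPLE") is outside the window: dropped"
fi
```

On a Linux firewall the nf_conntrack_ftp helper is the stateful alternative Mike was hinting at: it reads the 227 reply itself and opens just that data port for the life of the session, so no static window is needed.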