[Lancaster] firewall

Wayne Ward wayne at lancastercomputers.co.uk
Mon Sep 28 15:14:59 UTC 2009


Sounds silly, but have you tried another FTP server?
I used to use vsftpd and it was a pretty cut-down FTP server with not a lot in the config file.
How about trying wu-ftpd?
It's worth a go!

Wayne
On 23 Sep 2009, at 23/09/2009-15:35, Ken Hough wrote:

> Hi Wayne!
>
> I agree that it's not good to have all of those ports open, but until I can
> establish just which of these upper ports are needed, and for what
> applications, I'm taking the easy way out.
>
> To recap:
>
> If I use a simple terminal-based ftp client, the matter is simple. Port 21
> does the job!
>
> To achieve ftp via the likes of Firefox or via Windows with "My Computer/My
> Network Places", ports in the upper range must be opened.
>
> By gradually closing in the lower and upper port range limits on the firewall
> that protects the vsftp server, I established that at least two ports were
> being used between something like 51000 and 65000. At this stage, I got fed
> up. A study of the output from 'wireshark' might throw further light on this.
>
> I've not been able to discover any published information about which of the
> upper ports are used and whether these are always the same. So, at this stage
> I've decided to take the easy way out.
>
> As I mentioned in a previous message, Microsoft seem to have come to a similar
> conclusion.
>
> Again, as I mentioned previously, only computers on my LAN can have direct
> access to the vsftp server and its firewall, and it's only me who uses the
> LAN. Checks with "Shields Up" at www.grc.com confirm that my LAN cannot be
> seen from the Internet.
>
> Regards
>
> Ken Hough
>
> On Wednesday 23 September 2009 13:35:06 Wayne Ward wrote:
>> This all seems odd. Can you not just set up a trusted IP from the box
>> that is not allowing the connections?
>> Because opening them ports just isn't right!!
>>
>> if the connection is say 192.168.1.1 -> all all from 192.168.1.1 ??
>> instead of just port 21 etc
>>
>> I've opened ftp on my firewalls before and never had this problem
>>
>>
>> Can you send me a rough picture again so I can see what's going on !!
>> Sorry, I've been busy and missed this one !! lol
>>
>> On 23 Sep 2009, at 23/09/2009-10:49, Ken Hough wrote:
>>> Hi All!
>>>
>>> Further to my problem with having access to a vsftp server through a
>>> firewall, it seems that I'm not alone in deciding to open up all TCP ports
>>> in the range 49152 to 65535.
>>>
>>> See: <http://support.microsoft.com/kb/929851>
>>>
>>> but, then Microsoft are not known for always doing the right thing.  ;-)
>>>
>>> Ken Hough
>>>
>>> On Tuesday 22 September 2009 15:01:33 Ken Hough wrote:
>>>> On Tuesday 22 September 2009 12:53:47 Mike Livsey wrote:
>>>>> Does your firewall have application level monitoring?
>>>>
>>>> Not that I've discovered.
>>>>
>>>>> It may be that you need to specifically allow the application to be
>>>>> accessed, as well as opening the relevant ports.
>>>>
>>>> Actually I've solved the problem, sort of!
>>>>
>>>> After many trials, I've discovered that at least two ports are being
>>>> accessed within the range 51000 to 65000.
>>>>
>>>> On checking with <http://www.iana.org/assignments/port-numbers>, I see that
>>>> ports in the range 49152 to 65535 are defined as "DYNAMIC AND/OR PRIVATE
>>>> PORTS".
>>>>
>>>> The vsftpd server is protected from the Internet by my Netgear DG834GT
>>>> router, and I get a clean bill of health from "Shields Up" at www.grc.com,
>>>> i.e. a report of "True Stealth Mode" for some of the open upper range ports.
>>>>
>>>> Also, I will only enable vsftpd when I wish to upload/download files to
>>>> another PC on my LAN.
>>>>
>>>> So, until I can find more definitive info, I will simply open the whole of
>>>> this upper port range.
>>>>
>>>> Thanks all for support and comments.
>>>>
>>>> Regards
>>>>
>>>> Ken Hough
>>>>
>>>>> 2009/9/22 Ken Hough <kenhough at btinternet.com>
>>>>>
>>>>>> On Monday 21 September 2009 16:13:50 Richard Robinson wrote:
>>>>>>> On Mon, Sep 21, 2009 at 02:45:38PM +0100, andy baxter wrote:
>>>>>>>> Sorry I'm confused too. Did you try my suggestion of using
>>>>>>>> wireshark to look at what's happening over the network when you
>>>>>>>> try to connect?
>>>>>>>
>>>>>>> This is probably a stupid comment, I'm not an expert at this stuff & I
>>>>>>> haven't really been paying much attention ... but :- it's not a
>>>>>>> question of packet type, is it ? Does the firewall select for TCP / UDP ?
>>>>>>
>>>>>> I've tried enabling UDP on the firewall, but this didn't help.
>>>>>>
>>>>>> Recent tests as follows:
>>>>>>
>>>>>> 1. Accessed vsftpd locally as ftp://localhost (with the firewall
>>>>>> enabled) without any problems. This confirms that vsftpd is working as
>>>>>> I intended.
>>>>>>
>>>>>> 2. Accessing the vsftpd server remotely (with firewall enabled) via my
>>>>>> laptop running Firefox under WinXP again failed. On dropping the
>>>>>> firewall on the server machine, again all was well.
>>>>>>
>>>>>> Clearly:
>>>>>>
>>>>>> --  there is a problem with the firewall on the server machine.
>>>>>>
>>>>>> --  the setup on the laptop PC is working!
>>>>>>
>>>>>>
>>>>>> As Andy recommended, I installed 'wireshark' on the laptop machine. This
>>>>>> runs OK, but before commenting on what I found, I'd like to spend a bit of
>>>>>> time figuring out all of what it told me.
>>>>>>
>>>>>> It does seem that with the firewall running, I get a connection, but this
>>>>>> is then dropped.
>>>>>>
>>>>>> Ho hum! Life is fun!  :-)
>>>>>>
>>>>>> Further investigation has shown that one or more TCP ports in the range
>>>>>> 50000 to 55000 is/are being accessed, i.e. if I enable this range, I get
>>>>>> full access.
>>>>>>
>>>>>> A bit more experimentation should allow me to home in on the ports
>>>>>> needed.  :-)
>>>>>>
>>>>>> Ken Hough
>>>>>>
>>>>>> _______________________________________________
>>>>>> Lancaster mailing list
>>>>>> Lancaster at mailman.lug.org.uk
>>>>>> https://mailman.lug.org.uk/mailman/listinfo/lancaster
>>>>
>>
>> Regards,
>> Wayne Ward
>>
>> 07957448652
>>
>> Lancaster Computers
>>
>> www.lancastercomputers.co.uk
>> wayne at lancastercomputers.co.uk
>>
>> Computers - Laptops - Servers - Web Services

Regards,
Wayne Ward

07957448652

Lancaster Computers

www.lancastercomputers.co.uk
wayne at lancastercomputers.co.uk

Computers - Laptops - Servers - Web Services
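
Added example, not part of the original thread: in FTP passive mode the server picks a data port for each transfer and announces it on the control connection in a 227 (PASV) or 229 (EPSV) reply, which is why the upper ports seen in the thread vary between attempts. The sketch below decodes those replies from control-channel lines (for instance copied out of a Wireshark capture) and checks them against a firewall range; the sample lines, addresses and the 50000-50100 range are constructed assumptions.

```python
import re

# Reply formats: RFC 959 "227 ... (h1,h2,h3,h4,p1,p2)" and RFC 2428 "229 ... (|||port|)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_port(reply):
    """Return the TCP data port announced by a 227/229 reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            return None  # malformed reply
        # The last two numbers are the high and low bytes of the port
        return octets[4] * 256 + octets[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        return port if 0 < port < 65536 else None
    return None


def audit(control_lines, allowed):
    """Split announced data ports into those inside/outside the allowed range."""
    lo, hi = allowed
    inside, outside = [], []
    for line in control_lines:
        port = data_port(line.strip())
        if port is None:
            continue  # not a passive-mode reply
        (inside if lo <= port <= hi else outside).append(port)
    return inside, outside


# Constructed sample of server replies as they might appear in a capture
SAMPLE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,168,1,10,201,44)",
    "150 Here comes the directory listing.",
    "229 Entering Extended Passive Mode (|||60012|)",
    "227 Entering Passive Mode (192,168,1,10,195,80)",
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE, allowed=(50000, 50100))
    print("allowed:", ok, "would be dropped:", blocked)
```

vsftpd's `pasv_min_port` and `pasv_max_port` options in vsftpd.conf pin the range the server chooses from, so the firewall only needs that same narrow range open alongside port 21.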