Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
It uses the vsftpd server and the builtin fedora core firewall which is set to allow incoming FTP.
When I try to connect to the server, login is successful, but on trying to obtain a directory listing the client declares that there is no route to the host.
I know that the issue is due to how passive mode works, but I would like to be able to use passive mode, and I am wondering if there is any way of doing such short of opening up all ports under 1023.
You meant "above" 1024, no?
Passive mode uses a non-privileged port (>1023) and a privileged one (20) instead of using 2 privileged ports (typically 20 and 21) as in active mode.
So, passive mode uses 1 port <1023 and 1 port >1023.
If you look at the pasv_min_port and pasv_max_port configuration parameters for vsftpd, you'll see that you can limit the port numbers (>1023, used in passive mode) to a certain range.
By doing so, you can then limit your open ports to the same range, instead of having to open all ports > 1023.
i.e. select a range of, let's say, 100 consecutive port numbers. In my example, I'll use 4000 - 4100. You may need to choose different port numbers if you're already using some of those ports (use nmap to check).
So, pasv_min_port is set to 4000, pasv_max_port to 4100. In your firewall, opening ports 4000-4100 for ftp commands will then suffice.
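In passive mode vsftpd listens on a port taken from pasv_min_port..pasv_max_port and the client opens the data connection inbound to it, so the firewall has to admit new connections to port 21 and to that whole range (and, with a NAT router in front, the router has to forward the same range). The script below is an added example, not code from the thread or from the vsftpd project: it reads the range out of a constructed vsftpd.conf, refuses a range that is empty, inverted or privileged, and prints the matching iptables rules so the firewall cannot silently drift away from the config. The file path, the pasv_address placeholder 203.0.113.10 and the example config contents are assumptions for the example; pasv_address itself is a real vsftpd option.

```shell
#!/bin/sh
# Added example, not code from the thread or from vsftpd: derive the firewall
# rules from the vsftpd passive-port range so the two stay consistent.
# The config below is constructed; 4000-4100 is the range chosen in the reply
# above. pasv_address is a real option, 203.0.113.10 a documentation address.
CONF="${VSFTPD_EXAMPLE_CONF:-${TMPDIR:-/tmp}/vsftpd.conf.example}"

write_example_conf() {
  cat > "$CONF" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
pasv_enable=YES
pasv_min_port=4000
pasv_max_port=4100
# Behind a NAT router, advertise the public address in PASV replies;
# otherwise outside clients are told to connect to a LAN address.
#pasv_address=203.0.113.10
EOF
}

# conf_value KEY FILE -> numeric value of KEY, or empty if it is not set
conf_value() {
  sed -n "s/^[[:space:]]*$1=\([0-9]*\).*/\1/p" "$2" | tail -n 1
}

# pasv_range FILE -> "MIN MAX"; non-zero exit if the range is unusable
pasv_range() {
  min=$(conf_value pasv_min_port "$1")
  max=$(conf_value pasv_max_port "$1")
  [ -n "$min" ] && [ -n "$max" ] \
    || { echo "pasv range not set in $1" >&2; return 1; }
  [ "$min" -gt 1023 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] \
    || { echo "unusable pasv range $min-$max" >&2; return 1; }
  echo "$min $max"
}

# firewall_rules FILE -> iptables commands for the control port and the
# configured passive range. Printed, not executed, so the example runs
# without root; review them, then apply them or their equivalent in
# whatever firewall front end you use.
firewall_rules() {
  range=$(pasv_range "$1") || return 1
  set -- $range
  echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

write_example_conf
firewall_rules "$CONF"
```

Each passive transfer in flight holds one port from the range for its duration, so a hundred ports is plenty for a handful of users; what matters more is that the range is TCP-only, stays above 1023, and is the same range you forward on the router.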
Well, you could, but I recommend that you keep open a few more than just 5.
There are other (read: better) ways for you to limit the number of simultaneous connections and load.
The pasv connection port is decided only when the FTP client is already logged in, if I'm not mistaken.
When clients login, they need to give the PASV command to the server before passive mode is considered.
So, limiting the number of PASV ports will not prevent clients from connecting to your FTP server; it will just not allow them to use passive mode. Hence, limiting the number of ports may not be such a good idea.
On the other hand, from security perspective, the less open ports you have, the better.
So, in short, it'll probably be a trade-off between security and passive mode performance.
Here's an article I re-read every now and then. http://www.linuxjournal.com/article/7520 I think you're worrying too much about 'ports.' Just set vsftpd up correctly, and then open port 21 for incoming ... and you should be set.
I don't know what Fedora's default firewall manager is these days, but back when I used it, Lokkit sucked. You might try Firestarter or Guarddog, so you have an easy way to see what transactions are being blocked.
Hmmm, I would have to forward all these ports through my router again as well.
Odd, as far as I can remember, last time I did this I simply checked "ftp" in the firewall exceptions and it worked just fine! It does this time, but only when I set my FTP client to not use passive mode. I think passive would probably be useful given that a few FTP clients out there don't work without it.
Maybe I will just get the couple of people that shall use the server to find FTP clients where one can set it to active!
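"No route to host" on the first directory listing happens at the moment the client tries to reach the address and port the server advertised in its "227 Entering Passive Mode" reply, which is why login works and LIST does not. Decoding that reply is the quickest check of whether the server is advertising a LAN address through the router or a port the firewall does not admit. The script below is an added example, not from the thread: both sample replies are constructed, the 4000-4100 range is the one used earlier in the thread, and the RFC 1918 check assumes the client is outside the NAT, as the poster's router setup implies (a client on the same LAN can reach a private address fine).

```shell
#!/bin/sh
# Added example, not from the thread: decode a "227 Entering Passive Mode"
# reply and check the two causes of "no route to host" on the data
# connection: an advertised address the client cannot reach (a LAN address
# leaked through NAT) and a data port outside the range the firewall admits.
# Both replies are constructed, not captured from the poster's server.
REPLY_LAN='227 Entering Passive Mode (192,168,1,10,15,160)'
REPLY_PUB='227 Entering Passive Mode (203,0,113,10,16,5)'

# pasv_decode: reads one 227 line on stdin, prints "A.B.C.D PORT".
# The port is carried as two bytes: high*256 + low.
pasv_decode() {
  line=$(cat)
  tuple=$(printf '%s\n' "$line" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
  [ -n "$tuple" ] || { echo "not a 227 reply: $line" >&2; return 1; }
  set -- $(printf '%s\n' "$tuple" | tr ',' ' ')
  [ $# -eq 6 ] || { echo "malformed tuple: $tuple" >&2; return 1; }
  echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# is_private ADDR: true for RFC 1918 space, i.e. an address that a client
# on the other side of a NAT router cannot route to.
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# pasv_check REPLY MIN MAX: prints "ok ADDR:PORT", or the reason the data
# connection would fail together with a non-zero exit status.
pasv_check() {
  decoded=$(printf '%s\n' "$1" | pasv_decode) || return 1
  addr=${decoded% *}
  port=${decoded#* }
  if is_private "$addr"; then
    echo "server advertised $addr: set pasv_address to the public IP"
    return 1
  fi
  if [ "$port" -lt "$2" ] || [ "$port" -gt "$3" ]; then
    echo "data port $port is outside the allowed range $2-$3"
    return 1
  fi
  echo "ok $addr:$port"
}

pasv_check "$REPLY_LAN" 4000 4100 || :   # LAN address leaked through NAT
pasv_check "$REPLY_PUB" 4000 4100 || :   # port 4101 not in the opened range
pasv_check "$REPLY_PUB" 4000 4200 || :   # reachable address, port in range
```

To get a real reply to feed in, run the client with its protocol trace on (for example `curl -v ftp://host/` prints every server reply, including the 227 line) and paste that line in place of the constructed ones; a private address there means pasv_address on the server, a port outside your range means the firewall or the router forwarding, not the client, is what to fix.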