Old 04-17-2006, 08:34 AM   #1
draget
LQ Newbie
 
Registered: Dec 2005
Posts: 20

Rep: Reputation: 0
ftp server & firewall


Hi

I have a server running Fedora Core 4


It uses the vsftpd server and the builtin fedora core firewall which is set to allow incoming FTP.

When I try to connect to the server, login is successful, but on trying to obtain a directory listing, the client declares that there is no route to the host.

I know that the issue is due to how passive mode works, but I would like to be able to use passive mode, and I am wondering if there is any way of doing so short of opening up all ports under 1023.




Any ideas?

Thanks,

Tom
 
Old 04-18-2006, 02:15 AM   #2
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
port 20 is for ftp-data

try opening that up also

I haven't configured a firewall on an ftp server so I have not looked into this aspect

regards
 
Old 04-18-2006, 03:18 AM   #3
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
http://www.sns.ias.edu/~jns/wp/2006/...-it-work/?p=20
 
Old 04-18-2006, 03:21 AM   #4
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Quote:
of opening up all ports under 1023
You meant "above" 1024, no?
Passive mode uses a non-privileged port (>1023) and a privileged one (20) instead of using 2 privileged ports (typically 20 and 21) as in active mode.
So, passive mode uses 1 port <1023 and 1 port >1023.

If you look at the pasv_min_port and pasv_max_port configuration parameters for vsftpd, you'll see that you
can limit the port numbers (>1023, used in passive mode) to a certain range.
By doing so, you can then limit your open ports to the same range, instead of having to open all ports > 1023.

i.e.: select a range of, let's say, 100 consecutive port numbers. In my example, I'll use 4000 - 4100. You may need to choose different port numbers if you're already using some of those ports (use nmap to check).
So, pasv_min_port is set to 4000, pasv_max_port to 4100. In your firewall, opening ports 4000-4100 for ftp commands will then suffice.
 
Old 04-18-2006, 05:31 AM   #5
draget
LQ Newbie
 
Registered: Dec 2005
Posts: 20

Original Poster
Rep: Reputation: 0
Tim, thanks, that has cleared it up a great deal


I only intend to have about a max of 5 or so connections at once, should I only open enough ports for my intended usage (ie open 5)?


Thanks,

Tom
 
Old 04-18-2006, 06:47 AM   #6
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Well, you could, but I recommend that you keep open a few more than just 5.
There are other (read: better) ways for you to limit the number of simultaneous connections and load.

The pasv connection port is decided only when the FTP client is already logged in, if I'm not mistaken.
When clients login, they need to give the PASV command to the server before passive mode is considered.
So, limiting the number of PASV ports will not prevent clients from connecting to your FTP server, it will just not allow them to use passive mode. Hence, limiting the number of ports may not be such a good idea.
On the other hand, from a security perspective, the fewer open ports you have, the better.

So, in short, it'll probably be a trade-off between security and passive mode performance.
 
Old 04-18-2006, 06:51 AM   #7
rickh
Senior Member
 
Registered: May 2004
Location: Albuquerque, NM USA
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
Posts: 4,250

Rep: Reputation: 62
Here's an article I re-read every now and then. http://www.linuxjournal.com/article/7520 I think you're worrying too much about 'ports.' Just set vsftpd up correctly, and then open port 21 for incoming ... and you should be set.

I don't know what Fedora's default firewall manager is these days, but back when I used it, Lokkit sucked. You might try Firestarter or Guarddog, so you have an easy way to see what transactions are being blocked.
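The two approaches in this thread, side by side, as an added shell example that is not part of any post: the pinned passive range from post #4 (pasv_min_port/pasv_max_port plus a matching firewall range) and the "just open port 21" approach from post #7, which on Linux works because the kernel FTP connection-tracking helper reads the PASV reply and lets the data connection through as RELATED. The range 4000-4100 is the value from post #4; the function names, the use of raw iptables instead of the Fedora firewall tool, and the 2.6-era module name ip_conntrack_ftp (nf_conntrack_ftp on current kernels) are assumptions of this example. The script only prints configuration and commands; it applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread: generate the vsftpd passive-port
# settings and the matching iptables rules for the two approaches above.
# 4000-4100 is the example range from post #4; module and rule names are
# assumptions of this example.

# Validate a passive range: both ends numeric, above 1023, min <= max,
# max within 16-bit port space. Returns 0 when the range is usable.
check_pasv_range() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -gt 1023 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Print the vsftpd.conf lines that pin passive data ports to the range
# (post #4). Refuses an invalid range rather than emitting broken config.
vsftpd_pasv_conf() {
    check_pasv_range "$1" "$2" || return 1
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# Print iptables rules for the explicit-range approach (post #4): the
# control port 21 plus the pinned passive range, and nothing else.
iptables_pasv_range_rules() {
    check_pasv_range "$1" "$2" || return 1
    printf 'iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' "$1" "$2"
}

# Print the commands for the "only port 21" approach (post #7): load the FTP
# conntrack helper so passive data connections are classified RELATED, accept
# RELATED/ESTABLISHED traffic, and accept new connections to port 21 only.
iptables_conntrack_rules() {
    printf 'modprobe ip_conntrack_ftp\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT\n'
}

# Usage: show both variants for the range from post #4.
vsftpd_pasv_conf 4000 4100
iptables_pasv_range_rules 4000 4100
iptables_conntrack_rules
```

The trade-off the thread circles around is visible in the two rule sets: the explicit range exposes 101 listening ports but needs no protocol-aware code in the firewall, while the helper approach exposes only port 21 but asks the kernel to parse FTP control traffic. If the helper module is not loaded, the second variant blocks the data connection, which is the directory-listing failure described in post #1.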
 
Old 04-18-2006, 07:43 AM   #8
draget
LQ Newbie
 
Registered: Dec 2005
Posts: 20

Original Poster
Rep: Reputation: 0
Hmmm, I would have to forward all these ports through my router again as well.

Odd, as far as I can remember, last time I did this I simply checked "ftp" in the firewall exceptions and it worked just fine! It does this time, but only when I set my FTP client to not use passive mode. I think passive would probably be useful, given that a few FTP clients out there don't work without it.

Maybe I will just get the couple of people that shall use the server to find FTP clients where one can set it to active!


Thanks,

Tom
 