Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm using proftpd and I set in proftpd.conf as passive ports 65520-65535, 15 ports. I could set iptables to just accept connections on those 15 ports, but I wouldn't open a hole of 15 ports on the firewall. My question is: can I consider those 15 ports in a state of ESTABLISHED,RELATED, or are they in a state of NEW? Or what would you advise to do? Thanks!
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Quote:
Originally Posted by gabsik
My question is: can I consider those 15 ports in a state of ESTABLISHED,RELATED, or are they in a state of NEW? Or what would you advise to do? Thanks!
No, not unless there's a module for iptables that can inspect FTP traffic at layer 7 and decode PORT/PASV commands to determine which data channels are related to which command channels.
Also, you need a much bigger port range than 15 ports. Most FTP daemons will bind to a new socket for each data transmission, so a single FTP login can easily use multiple ports for passive connections if the client is doing lots of directory listings or downloads. I'd use a minimum of 100 ports for the passive range.
I have increased the passive FTP port range in the proftpd configuration file with the directive PassivePorts 65500 65535, and in iptables I accept them just if they are in a state of ESTABLISHED,RELATED. That's right, isn't it? (All modules are loaded.)
Yeah, that's right. I do accept ESTABLISHED,RELATED in the first place as well. An FTP connection is not going to start up on those unprivileged ports, so...
As long as your server is set up to listen on a certain port and your client attempts to hit that certain port, it should be fine, obviously allowing the initial ports through the firewall.
For example, my FTP server uses the default ports 20 & 21 to do the initial connect; the FTP server then uses the random high ports as it does. My firewall ACCEPTs ports 20 and 21, and ESTABLISHED,RELATED is applied. The modules ip_conntrack and ip_conntrack_ftp allow the firewall to track which random high ports are being used, and 'track' it so the firewall doesn't block any traffic that it isn't meant to.
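As an added example, not code posted by anyone in this thread: the ruleset the posts above describe (accept NEW only on port 21, accept ESTABLISHED,RELATED, and let the FTP conntrack helper turn the announced data connections into RELATED instead of opening the PassivePorts range), emitted by a small POSIX sh function so it can be reviewed before it is applied. The interface name eth0, the current module name nf_conntrack_ftp (the thread's era used ip_conntrack_ftp), the raw-table CT helper binding and the LOG rule are my assumptions, not the thread's; the range-size warning follows the 100-port advice given above.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables ruleset for an FTP
# server whose ProFTPD PassivePorts range is known, relying on the kernel's
# FTP conntrack helper so that data connections match ESTABLISHED,RELATED
# instead of needing the passive range opened for NEW connections.
# Assumptions (not from the page): netfilter with nf_conntrack_ftp, a
# default-deny INPUT policy set elsewhere, and a hypothetical interface "eth0".

# Number of ports in an inclusive range, e.g. 65500 65535 -> 36.
range_size() {
    echo $(( $2 - $1 + 1 ))
}

# Print the rules rather than applying them, so they can be reviewed first.
# Usage: ftp_firewall_rules LOW HIGH [IFACE] | sudo sh
ftp_firewall_rules() {
    lo=$1; hi=$2; iface=${3:-eth0}
    size=$(range_size "$lo" "$hi")
    # Each listing or transfer takes a fresh data port, so a narrow range
    # starves busy clients (the thread suggests at least 100 ports).
    if [ "$size" -lt 100 ]; then
        echo "# WARNING: only $size passive ports in $lo-$hi; consider 100 or more" >&2
    fi
    cat <<EOF
modprobe nf_conntrack_ftp
# Newer kernels no longer auto-assign helpers by default; bind the ftp
# helper explicitly to command-channel traffic in the raw table.
iptables -t raw -A PREROUTING -i $iface -p tcp --dport 21 -j CT --helper ftp
# Data connections announced over the command channel arrive as RELATED.
iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the command channel may open a NEW connection.
iptables -A INPUT -i $iface -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# A NEW SYN straight into the passive range means a scan or a missing
# helper: log it for the operator (rate limited), then drop it.
iptables -A INPUT -i $iface -p tcp --dport $lo:$hi -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FTP-PASV-NEW: "
iptables -A INPUT -i $iface -p tcp --dport $lo:$hi -m conntrack --ctstate NEW -j DROP
EOF
}
```

The passive range never gets an ACCEPT for NEW: if the helper is loaded and bound, every legitimate data connection is already RELATED, so anything reaching the LOG/DROP pair is either unsolicited or a sign that the helper is not seeing the command channel (for example because port 21 traffic arrives on a different interface than the one bound in the raw table).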
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Quote:
Originally Posted by TheRealDeal
For example, my FTP server uses the default ports 20 & 21 to do the initial connect; the FTP server then uses the random high ports as it does.
Sorry, but this is wrong.
Port 21/tcp is the listener on the FTP server that accepts command channel connections. The protocol knows how to multiplex many command sessions on the same port. When a client establishes a connection, they do it solely over the command channel. If the client needs to send or receive data (remember that directory listing output is considered data) then one of two things happens:
1.) FTP client is using Active mode FTP and sends a PORT command to the server. The server then connects back to the client on the client's port 20/tcp and delivers the data. This socket is used for all the other data that is transferred (unless the client requests passive mode).
2.) FTP client is using Passive mode FTP, in which case the server sends a PASV command telling the client what IP and port to connect to. The client then connects to this new IP/port on the server and uses this socket for the current data transfer. Depending on the server implementation this may (not sure if the RFCs allow this) reuse the socket, or might send the client a new PASV command for the next input or output.
FTP servers do not need port 20/tcp to be open, and presumably the conntrack_ftp module will detect when a client (on your machine) issues a PORT command and automatically allow the inbound connection from the server.
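An added example, not from the thread: the decoding that the FTP helper performs on the command channel (the "decode PORT/PASV commands" mentioned earlier in the thread), done by hand in POSIX sh so an operator can verify that the port a server announces in its 227 reply falls inside the PassivePorts range the firewall expects, and see why the resulting data connection counts as RELATED only when the helper is loaded. The sample 227 reply and PORT command are constructed, and the addresses are documentation ranges; the range bounds passed in are the thread's 65500-65535.

```shell
#!/bin/sh
# Added example, not from the thread: replicate what the FTP conntrack helper
# reads off the command channel, to check a server's announced passive port
# against the firewall's expected range. All sample messages are constructed.

# Decode "h1,h2,h3,h4,p1,p2" (the PORT argument, or the tuple inside a 227
# reply) into "host port". The port is p1*256 + p2.
decode_hostport() {
    set -- $(printf '%s\n' "$1" | tr -d '()' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Endpoint from a passive-mode reply, e.g.
# "227 Entering Passive Mode (203,0,113,10,255,240)" -> "203.0.113.10 65520"
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    decode_hostport "$tuple"
}

# Endpoint from an active-mode command, e.g. "PORT 192,0,2,7,4,1" -> "192.0.2.7 1025"
port_endpoint() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/^PORT \([0-9,]*\).*/\1/p')
    [ -n "$tuple" ] || return 1
    decode_hostport "$tuple"
}

# Classify the client's upcoming SYN to the announced passive port.
# With the helper loaded it is RELATED; without it, it is NEW and a
# default-deny INPUT drops it. A port outside the configured PassivePorts
# range is a server misconfiguration: the firewall drops it either way.
# Arguments: 227-reply LOW HIGH helper(yes|no)
classify_pasv() {
    reply=$1; lo=$2; hi=$3; helper=$4
    ep=$(pasv_endpoint "$reply") || return 1
    port=${ep##* }
    if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then
        echo "MISCONFIGURED port $port outside $lo-$hi"
    elif [ "$helper" = yes ]; then
        echo "RELATED port $port"
    else
        echo "NEW port $port"
    fi
}
```

Feeding a captured command-channel session through pasv_endpoint is a quick way to confirm that ProFTPD's PassivePorts directive actually took effect: if the announced ports fall outside the range the firewall expects, clients will hang on every listing even though the helper is loaded.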