FTP Service Rules on OS X Server

We are running 10.3.5 on an Xserve which, among other services, handles
ftp.  We have a client who cannot connect to our FTP server under
active mode.  Passive is not enabled in my router as only ports 20 and
21 point to the FTP server.  Is there a workaround for this client to
connect?  If I open up a wide range of ports, does this not pose a
security risk?  My router only allows me to specify the port I want
and point it at a specific IP address.  It doesn't allow for a range
of ports to be opened.  After speaking with Apple, they said I could
custom configure some rules via the command line that would allow a
solution to this problem but offered no insight on how to do this...
anyone have any ideas?

Thanks.
Rick
rdwyer (18)
9/13/2004 4:40:08 PM
comp.sys.mac.system

On 13/09/2004 12:40 PM, Rick Dwyer wrote:

> We are running 10.3.5 on an Xserve which, among other services, handles
> ftp.  We have a client who cannot connect to our FTP server under
> active mode.  Passive is not enabled in my router as only ports 20 and
> 21 point to the FTP server.  Is there a workaround for this client to
> connect?  If I open up a wide range of ports, does this not pose a
> security risk?  My router only allows me to specify the port I want
> and point it at a specific IP address.  It doesn't allow for a range
> of ports to be opened.  After speaking with Apple, they said I could
> custom configure some rules via the command line that would allow a
> solution to this problem but offered no insight on how to do this...
> anyone have any ideas?

FTP is notoriously hard to configure through a firewall.  There are 
several solutions for this, and none of them are optimal.  The easiest: 
force all clients to connect via a passive connection.  Some users will 
always be saddened by this.

I suggest abandoning ftp for scp if you can, though this is not always 
an optimal solution.

Do some Googling on "firewall ftp active connection" (or something) and 
get a feel for the problems with a service that requires a control and 
data connection, and some of the solutions.  This problem is non-trivial.
9/13/2004 5:05:43 PM
How about using VPN and then within the tunnel do the FTP thing?


"Rick Dwyer" <rdwyer@quick-link.com> wrote in message
news:3a3c9b4c.0409130840.4114513@posting.google.com...
> We are running 10.3.5 on an Xserve which, among other services, handles
> ftp.  We have a client who cannot connect to our FTP server under
> active mode.  Passive is not enabled in my router as only ports 20 and
> 21 point to the FTP server.  Is there a workaround for this client to
> connect?  If I open up a wide range of ports, does this not pose a
> security risk?  My router only allows me to specify the port I want
> and point it at a specific IP address.  It doesn't allow for a range
> of ports to be opened.  After speaking with Apple, they said I could
> custom configure some rules via the command line that would allow a
> solution to this problem but offered no insight on how to do this...
> anyone have any ideas?
>
> Thanks.
> Rick


tomkinsr (326)
9/13/2004 10:34:55 PM
> FTP is notoriously hard to configure through a firewall.  There are 
> several solutions for this, and none of them are optimal.  The easiest: 
> force all clients to connect via a passive connection.  Some users will 
> always be saddened by this.

For them to connect through passive mode, doesn't it require them to
configure their firewall to have a large number of high-numbered ports open?
If so, I think I know how that conversation is going to go.  But
the reality is, one of the two parties would need to configure as such,
and I do not want to do that since our FTP service runs on an Xserve
that provides other types of access (e.g. file sharing).  A breach in
that machine would be disastrous since we keep customer information on it
to be shared over our local network.
> 
> I suggest abandoning ftp for scp if you can, though this is not always 
> an optimal solution.

Not familiar with it but I will look into it.
> 
> Do some Googling on "firewall ftp active connection" (or something) and 
> get a feel for the problems with a service that requires a control and 
> data connection, and some of the solutions.  This problem is non-trivial.

I will do so.  In the meantime, I may set up a separate box
altogether whose only function is FTP and assign it the DMZ port.
Therefore, any hacks are isolated to that specific box and not the
rest of our network.

-Rick
rdwyer (18)
9/16/2004 12:02:52 PM
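The control-and-data split the first reply points at, and the question above about which side has to open high-numbered ports, as an added example (this is not code from anyone in this thread): a small Python parser for the two control-channel messages that set up the data connection, the client's PORT command (active mode) and the server's 227 reply (passive mode). It works out which side must accept an inbound TCP connection for the transfer and, on the server side, checks whether an advertised passive port falls inside a narrow forwarded range. The sample control lines and the 49152-49407 range are constructed assumptions, not values from any real server or router.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample control-channel lines (not captured from any real session).
SAMPLE_LINES = [
    "PORT 192,168,1,50,4,1",                            # client requests active mode
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # server offers passive mode
    "USER anonymous",                                   # unrelated control traffic
]

# Both messages carry the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str      # "active" or "passive"
    listener: str  # the side that must accept an inbound TCP connection
    host: str      # address the listener advertised
    port: int      # port the listener advertised


def _decode_hostport(text: str) -> Tuple[str, int]:
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_data_channel(line: str) -> Optional[DataChannel]:
    """Return the data-channel endpoint a control line establishes, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        host, port = _decode_hostport(line[5:])
        return DataChannel("active", "client", host, port)
    if line.startswith("227"):
        host, port = _decode_hostport(line)
        return DataChannel("passive", "server", host, port)
    return None


def inbound_ports_required(chan: DataChannel) -> Dict[str, List[int]]:
    """Inbound TCP ports each side's firewall must accept for this transfer."""
    if chan.mode == "active":
        # Server only listens on 21; it dials out from port 20 to the client's PORT.
        return {"server": [21], "client": [chan.port]}
    # Passive: server listens on 21 plus the advertised high port; client only dials out.
    return {"server": [21, chan.port], "client": []}


def in_passive_range(chan: DataChannel, lo: int = 49152, hi: int = 49407) -> bool:
    """Server-side check: is the advertised passive port inside the narrow range
    the router forwards?  The default range is an assumed example value."""
    return chan.mode == "passive" and lo <= chan.port <= hi


def audit(lines) -> List[Tuple[DataChannel, Dict[str, List[int]], bool]]:
    """Parse every data-channel setup line and report what each one requires."""
    results = []
    for line in lines:
        chan = parse_data_channel(line)
        if chan is not None:
            results.append((chan, inbound_ports_required(chan), in_passive_range(chan)))
    return results


if __name__ == "__main__":
    for chan, needs, forwarded in audit(SAMPLE_LINES):
        status = "inside forwarded range" if forwarded else "outside forwarded range"
        print(f"{chan.mode:7} listener={chan.listener:6} {chan.host}:{chan.port} "
              f"needs={needs} {status}")
```

Running it shows the asymmetry the thread is circling: in active mode the server needs nothing inbound beyond port 21, but the client must accept a connection on the port it advertised, which is exactly what a client-side firewall blocks. In passive mode the client needs no inbound ports at all; the cost moves to the server, which must accept the advertised high port. Keeping that advertised port inside a small range, and forwarding only that range on the router, is what makes passive mode workable without opening the Xserve wide, and the `in_passive_range` check is the kind of rule a firewall or a log audit would apply to catch a server handing out ports outside it.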