proftpd passive connections through firewall
existenz
03-15-2004, 07:40 AM
What ports do you folks have open? Do you open the entire ephemeral port range? (49152-65534).
I am having some problems with proftpd not working with passive connections and just wondering what you have open.
DirectAdmin Support
03-16-2004, 10:42 AM
Hello,
For FTP, we only have 20 and 21 open. I'm pretty sure I'm using PASV... could be wrong (not sure that makes any sense, but we do only have 20 and 21 open).
I believe you can specify the port range in /etc/proftpd.conf using:
PassivePorts 60000 65535
so play around with that.
John
existenz
03-16-2004, 01:26 PM
I added the port range, but unless I used the entire ephemeral range I could not get it to work. Has anyone set that to a lower block?
When in passive mode, that is only TCP out, correct? If I could block incoming TCP connections on the ephemeral range in the firewall, I would leave it all open.
nobaloney
03-18-2004, 06:55 AM
What kind of firewalling are you using? If a specific firewall script, please let us know which one.
On our ipchains based firewalls we specifically open part of the ephemeral range (10 to 20 should be more than enough for all but the busiest servers), but with iptables we use a setup that allows automatic opening and closing of ports as required.
Jeff
existenz
03-18-2004, 08:45 AM
I tried limiting it to 10 ports in the ephemeral range but found that after the initial connection it would not work anymore.
I am using ipfw2. It is possible that I don't have the correct syntax in proftpd.conf: PassivePorts 49152 65534
Don't you think it's possible to use a stateful ruleset for the ephemeral range? proftpd is the one picking the port and making the connection via that port range.
nobaloney
03-18-2004, 10:35 AM
I know it's possible but I don't know how to do it with ipfw2; that's why I asked what firewall you were using.
Here's how we limit Proftpd to a range of ephemeral ports, using proftpd.conf:
##### added JL to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49171
####
We use this (for 20 ports), right under the "Port 21" line near the top of the file.
If you're running proftpd as standalone servertype, don't forget to restart it after making any changes to proftpd.conf.
Jeff
existenz
03-18-2004, 11:10 AM
I will try a smaller range. I will report what I find out with ipfw.
jmstacey
03-27-2004, 01:12 AM
I set mine up with the entire ephemeral range and ipfw.
It's a very simple firewall; if you'd like it, I can attach it.
existenz
03-27-2004, 08:00 AM
I don't need your firewall config, I am more worried about proftpd.conf. It works fine with the entire ephemeral range open, but I just can't seem to get it to limit it to only a few. I will play with it...
nobaloney
03-31-2004, 08:38 AM
Existenz, I'm having no problems using proftpd.conf to limit the ephemeral range, as I've posted here already. What kind of problem are you having when you try?
JMStacey, I'd like very much to see your firewall settings; if you'd like, I'll show you mine for iptables and/or for ipchains.
Perhaps we can learn about techniques and ports to block/allow from each other.
Jeff
jmstacey
03-31-2004, 01:18 PM
Ok, take a look at this thread; it's attached to it.
http://www.directadmin.com/forum/showthread.php?s=&postid=16259#post16259
Recommendations on my situation there greatly appreciated.
nobaloney
03-31-2004, 03:53 PM
Thanks, Jon.
I found your other thread, and the attached file a few minutes after I posted.
Jeff
saman
10-01-2004, 09:02 AM
Shouldn't setting iptables to accept all RELATED, ESTABLISHED connections do it?
Quoting nobaloney:
On our ipchains based firewalls we specifically open part of the ephemeral range (10 to 20 should be more than enough for all but the busiest servers), but with iptables we use a setup that allows automatic opening and closing of ports as required.
Jeff
How do you do that? That's very useful...
nobaloney
10-02-2004, 12:19 AM
On iptables?
You've got it right.
On ipchains, we add these lines to /etc/sysconfig/ipchains:
# hole in firewall to allow passive ftp
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49162 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49163 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49164 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49165 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49166 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49167 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49168 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49169 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49170 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49171 -p tcp -y -j ACCEPT
and then restart ipchains.
And then add this line:
PassivePorts 49152 49171
to the <Global> section of /etc/proftpd.conf and restart proftpd.
Jeff
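As an added example (not code from the thread or from proftpd), here is a small Python cross-check for the setup Jeff describes: it parses the PassivePorts directive, the ipchains holes, and the "227 Entering Passive Mode" replies a client receives after sending PASV, and reports whether each advertised data port is both inside PassivePorts and actually opened in the firewall. The config text, rules and replies are constructed sample inputs; the 192.0.2.10 address is a placeholder.

```python
import re

# Constructed sample inputs: the PassivePorts line from proftpd.conf, Jeff's
# ipchains holes, and three "227" replies a client sees after sending PASV.
PROFTPD_CONF = "Port 21\nPassivePorts 49152 49171\n"
IPCHAINS_RULES = "\n".join(
    "-A input -s 0/0 -d 0/0 %d -p tcp -y -j ACCEPT" % p for p in range(49152, 49172))
PASV_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,192,0).",    # 192*256+0   = 49152
    "227 Entering Passive Mode (192,0,2,10,192,19).",   # 192*256+19  = 49171
    "227 Entering Passive Mode (192,0,2,10,235,120).",  # 235*256+120 = 60280
]

PASSIVE_PORTS_RE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$", re.M)
IPCHAINS_RE = re.compile(r"^-A input .* -d \S+ (\d+) -p tcp -y -j ACCEPT$", re.M)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def passive_port_range(conf):
    """(low, high) from the PassivePorts directive, or None if it is absent."""
    m = PASSIVE_PORTS_RE.search(conf)
    return (int(m.group(1)), int(m.group(2))) if m else None

def firewall_open_ports(rules):
    """TCP ports on which the ipchains rules accept new (-y, SYN) connections."""
    return {int(p) for p in IPCHAINS_RE.findall(rules)}

def parse_pasv(reply):
    """(ip, port) advertised in a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

def check_pasv_replies(conf, rules, replies):
    """Per reply: (port, inside PassivePorts?, opened in the firewall?)."""
    rng = passive_port_range(conf)
    holes = firewall_open_ports(rules)
    out = []
    for reply in replies:
        _, port = parse_pasv(reply)
        in_range = rng is not None and rng[0] <= port <= rng[1]
        out.append((port, in_range, port in holes))
    return out

if __name__ == "__main__":
    for port, in_range, opened in check_pasv_replies(PROFTPD_CONF, IPCHAINS_RULES, PASV_REPLIES):
        print("data port %d: in PassivePorts=%s, firewall hole=%s" % (port, in_range, opened))
```

A data port that shows up outside PassivePorts means proftpd is not honouring the directive (wrong section, or not restarted); one inside the range but with no firewall hole means the two ranges have drifted apart.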