Fixed Data ports


Smirnoff
10-26-2009, 09:45 AM
Hello,

About SSL FXP, I would like to have fixed ports so I only have to open these "known" ports on the firewall.

In ioftpd.ini I have the default set to (and I'm fine with it):
Ports = 5421-5450

But when a transfer starts it is blocked at the firewall level as it comes in on ports 6000 to 6100.
I went for the easy solution and opened up these ports ...
Only for the next test to send on port 50000+ :(

Clients get:
[R] 425 Can't open data connection.

Here are the settings for the Certificate:
#
Require_Encrypted_Auth = !-ioFTPD !*
Require_Encrypted_Data = !-ioFTPD !S *
Certificate_Name = *****SSL
Explicit_Encryption = True
Encryption_Protocol = SSL3
Min_Cipher_Strength = 128
Max_Cipher_Strength = 256

# IDNT command handler
Get_External_Ident = True


Am I mistaken about the way it works?
How can I achieve this properly?
(What is the purpose of the IDNT command handler?)

Thanks for your feedback
Smirnoff

Yil
10-26-2009, 11:25 PM
The FTP server has 3 types of ports you can control.

1) The port to accept new control connections on (Port=), must be forwarded in router.

2) The passive port(s) for incoming data connections (Ports=), must be forwarded in router.

3) The active port(s) to use for outgoing data connections (Out_Ports=). Usually outgoing connections are passed through by most NAT routers without any special configuration, but if they are blocked for some reason they must be allowed.

You, however, have no control over what the client port for the other half of each style (passive/active) will be because the client chooses that. Just use two firewall rules, one using the incoming port range(s), and the other the outgoing port range(s).

Most of the time you'll just need to write one rule to cover 5420-5450 incoming so they will be forwarded to the correct machine.
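Example added here (not from the thread or from ioFTPD itself): a small Python script that turns the three settings Yil lists (Port=, Ports=, Out_Ports=) into the inbound/outbound rule set and checks the local port of an observed connection against it. The ini lines are constructed for the example and the Out_Ports value is an assumed sample.

```python
import re

# Constructed ini excerpt (not a real ioftpd.ini); the Out_Ports value is assumed.
SAMPLE_INI = """
Port = 21
Ports = 5421-5450
Out_Ports = 6000-6100
"""

def parse_ranges(value):
    """'5421-5450,6000' -> [(5421, 5450), (6000, 6000)], validating each port."""
    ranges = []
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %r" % part)
        ranges.append((lo, hi))
    return ranges

def load_port_settings(ini_text):
    """Pull the three port keys (case-insensitive) out of ini-style text."""
    pattern = r"^\s*(Port|Ports|Out_Ports)\s*=\s*([\d \t,-]+)$"
    settings = {}
    for key, value in re.findall(pattern, ini_text, re.I | re.M):
        settings[key.lower()] = parse_ranges(value)
    return settings

def firewall_rules(settings):
    """The three rules from the reply: inbound control, inbound passive data,
    outbound active data. Each entry is (direction, local port ranges); the
    peer's port is never listed because the peer chooses it."""
    return [
        ("in", settings["port"]),
        ("in", settings["ports"]),
        ("out", settings["out_ports"]),
    ]

def is_expected(settings, direction, local_port):
    """True if a connection seen on this server matches one of the rules above.
    An inbound data connection on 50123 is rejected: it is outside Ports= and Port=,
    which is exactly the situation that produces a '425 Can't open data connection'."""
    return any(
        rule_dir == direction and lo <= local_port <= hi
        for rule_dir, ranges in firewall_rules(settings)
        for lo, hi in ranges
    )
```

Feed it the real ioftpd.ini and the local port from a firewall log entry to see which of the three rules (if any) the connection should have matched.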