PASV ftpd and ipfw -- Was: Proftpd server passive requests

Dan Shoop shoop at iwiring.net
Tue Mar 30 15:33:02 PST 2004


At 5:25 PM -0500 3/28/04, Richard Peskin wrote:
>I would be interested in learning of anyone's experience using 
>ProFTPD 1.2.9 with IPFilter "on" under a 10.3.3 Panther server. My 
>experience is as follows:
>1. With IPFiltering off, ProFTPD handles passive (really EPSV) 
>requests correctly.
>2. With IPFiltering on, passive requests cause the server to stall, 
>and perhaps drop the connection. (An ipfw rule to send incoming port 
>20,21 requests to a range of non-critical ports is normally used for 
>passive requests.)

This would be the expected behavior.

If you implement ipfw you can only use active FTP -- providing, of 
course, that you have stateful rules to permit it, that is, something 
like:
    add check-state
    add allow tcp from any 20 to me via en0 in keep-state
    add allow tcp from any to any 21 in setup keep-state

ipfw implements tight stateful packet inspection which is anathema to 
the types of connections implied by passive ftp connects. [The reason 
PASV ftp works in some firewalls at all is because they implement an 
FTP "proxy" of sorts to handle the FTP issues. You could probably 
teach ipfw to do this too with a smart proxy on the DMZ that could 
tell ipfw to open and close the ports being used, but that's well 
beyond us here.]

Suffice it to say passive mode FTP doesn't work with ipfw.

(Actually 'real' passive mode FTP /does/ work, but what we're trying 
to do isn't really passive ftp, just using PASV to have the server 
create the random socket for the data transfer instead of the client 
creating the random socket and telling the server to use it.)

In the "passive FTP mode" we're describing the client issues a PASV 
and the server passes the port to be used back to the client over the 
control port.
           ---> PASV
           <--- 227 Entering Passive Mode (209,68,11,20,209,243)
But ipfw doesn't know about the port (53747 in this example) the 
server had just opened because it handles states to open and close 
ports by noticing outbound traffic on the port and in this case the 
server is just listening but didn't send any traffic out on port 
53747, so ipfw doesn't know to open this port. You need some sort of 
ftp gateway, something ipfw isn't designed to provide.

Passive FTP was never designed for transfer of files from the server 
to the client. It was designed to permit a client to request a file 
be transferred from one server to another server, that is it 
'passively' controlled a file transfer between serverA and 
serverB. (This can work with ipfw.)

Bottom line is FTP was never designed to work through firewalls.

Smart firewall devices can get around this because they actually 
operate a sort of ftp proxy or gateway and notice the traffic that 
gets passed back to the client on the control port, noting in the FTP 
server's "227" message back to the client the port to be used (port 
53747 in the above example) and then opening a temporary rule to 
permit traffic [using our example] from IP address 209.68.11.20 to 
port 53747 on the target server.

A good read on these issues is, of all places, in the book "SSH: The 
Definitive Guide", where the case study of FTP passive mode is 
wonderfully sketched out as the authors cover the issues involved so 
that they can make understandable the steps that need to be taken to 
implement ftp over ssh tunnels. Reading the section makes you wonder 
if you're reading an SSH book at all, since it delves so well into the 
bowels of FTP. They even talk about the third type of FTP mode used 
for transfers, SENDPORT, which avoids all of these issues, but has 
some of its own issues, and does work with ssh tunnels.

As for debugging issues that arise from all this, try using the ftp 
tool itself with the "-d" option (e.g. `ftp -d`) to see the commands 
being sent and received.

As for ipfw and passive mode FTP, you might as well forget about it.
-- 

-dhan

------------------------------------------------------------------------
Dan Shoop                                              shoop at iwiring.net
Consulting Internet Architect                              shoop at mac.com
AIM: iWiring                                     http://www.iwiring.net/

pgp key fingerprint: FAC0 9434 B5A5 24A8 D0AF  12B1 7840 3BE7 3736 DE0B

iWiring designs and supports Internet systems and networks based on
Mac OS X, unix, and Open Source application technologies and offers
24x7, guaranteed support to registered clients, at affordable rates.
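Added example (not part of Dan's post): the check an FTP-aware gateway has to do on the "227" reply quoted above, decoding the (h1,h2,h3,h4,p1,p2) tuple into 209.68.11.20:53747 and emitting the temporary ipfw rule for that single data connection, in the same syntax as the rules in the post. The client address 192.0.2.10 and the rule number are constructed values.

```python
import re

# Constructed sample: the 227 reply quoted in the post.
SAMPLE_227 = "227 Entering Passive Mode (209,68,11,20,209,243)"

# RFC 959 form: "227 <text> (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if it is malformed."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # each octet/byte must fit in 8 bits
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:  # a data port in the privileged range is not a sane PASV answer
        return None
    return ip, port


def ipfw_rule_for_data_channel(client_ip, control_server_ip, reply, rule_num=1000):
    """Build the one-shot ipfw rule a PASV-aware gateway would add.

    The address advertised in the 227 reply must match the server the
    control connection is already talking to; otherwise the reply would
    be used to open a hole toward some other host, so it is refused.
    """
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return None
    server_ip, port = parsed
    if server_ip != control_server_ip:
        return None
    # Same shape as the stateful rules in the post: the client's SYN to the
    # advertised port creates the state, and the rule is removed after the
    # transfer (rule deletion is left to the gateway).
    return (f"add {rule_num} allow tcp from {client_ip} to {server_ip} {port} "
            f"in setup keep-state")
```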


