Passive FTP Port Range -- Server 10.3.x Panther

I know that the port range for Passive FTP is >1024, but I want to restrict it to a smaller group of unused ports so that I can specify that those ports are open in the firewall.
Can I define this port range, and if so, how and where?

I just opened 13658-65534 and this seems to be fine (although it has not been running very long). I took the view that opening a stack of ports was not really any worse than opening a quarter as many. Arguably, it's no worse than opening just one.
However, we only use it from time to time and the FTP service is off unless specifically required. If I were going to run it for serious use I think I would put it on a dedicated server in a DMZ.
Reading up on FTP security is on my To-Do list...
-david
[EDIT] The server is also well locked down for SSH.
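The arithmetic behind "open a narrow range and match it in the firewall", as an added example that is not from this thread or from any of the products it mentions: the server's `227` reply carries the data port as two bytes (`p1*256 + p2`), and a client behind a firewall that only permits, say, 49152-65535 will connect on port 21 but stall on the listing or transfer exactly when the advertised port falls outside that range. The script below parses `227` (PASV) and `229` (EPSV) replies from a constructed sample of control-channel lines and reports which advertised ports a given firewall range would block; the sample replies and the 10.0.0.5 address are made up for the example.

```python
import re
from typing import Iterable, Iterator, NamedTuple, Optional, Tuple

# Passive-mode reply formats: 227 from RFC 959, 229 (extended passive) from RFC 2428.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


class PassiveEndpoint(NamedTuple):
    host: Optional[str]  # None for EPSV: the client reuses the control-connection address
    port: int


def parse_passive_reply(line: str) -> Optional[PassiveEndpoint]:
    """Return the data-channel endpoint advertised by a 227/229 reply, or None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        # Every field is a single byte; reject malformed replies rather than guess.
        if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
            return None
        # The port travels as two bytes: high byte * 256 + low byte.
        return PassiveEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return PassiveEndpoint(None, port) if 0 < port <= 65535 else None
    return None


def encode_pasv_port(port: int) -> Tuple[int, int]:
    """Inverse of the 227 arithmetic, e.g. 60099 -> (234, 195)."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return divmod(port, 256)


def audit_passive_ports(
    lines: Iterable[str], allowed_low: int, allowed_high: int
) -> Iterator[Tuple[str, int]]:
    """Yield (line, port) for every passive reply whose port lies outside the
    range the firewall permits; these are the transfers that will hang."""
    for line in lines:
        ep = parse_passive_reply(line)
        if ep is None:
            continue
        if not allowed_low <= ep.port <= allowed_high:
            yield line, ep.port


# Constructed sample of server replies (not captured from any real host).
SAMPLE_REPLIES = [
    "220 ftp server ready",
    "227 Entering Passive Mode (10,0,0,5,234,195).",  # 60099
    "227 Entering Passive Mode (10,0,0,5,4,3).",      # 1027, below any sane range
    "229 Entering Extended Passive Mode (|||49153|).",
    "227 Entering Passive Mode (10,0,0,5,192,10).",   # 49162
    "226 Transfer complete.",
]


def blocked_ports(low: int, high: int) -> list:
    """Ports from SAMPLE_REPLIES that a firewall allowing only low..high would drop."""
    return [port for _, port in audit_passive_ports(SAMPLE_REPLIES, low, high)]


if __name__ == "__main__":
    # A 49152-65535 rule only blocks the 1027 reply; a tight 60000-60500 rule
    # also blocks the two replies in the 49152 area.
    print("firewall range 49152-65535 blocks:", blocked_ports(49152, 65535))
    print("firewall range 60000-60500 blocks:", blocked_ports(60000, 60500))
```

Running the audit over a real control-channel capture (or the FTP daemon's log, if it records the 227 replies) is a quick way to confirm whether the daemon actually honours the configured passive range before widening the firewall rule.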

Similar Messages

  • Passive FTP ports allowed through firewall

    I need to allow a connection through my firewall for a passive FTP connection.
    I figure I should create a service defining the ports. What ports should I include in that service?

    You should enable FTP inspection and allow tcp/21, then everything should be detected on the fly
    Michael
    Please rate all helpful posts

  • ACE10 dynamic port range

    Hi
    Is dynamic port range server load balancing supported for MS Exchange 2010?
    Sent from Cisco Technical Support iPhone App

    It would appear to be, see MS recommendation http://technet.microsoft.com/en-us/exchange/gg176682.aspx. Matthew

  • FTP Passive Port Range Forwarding

    Hi,
    I'm using vsftpd on a Linux server and I need to forward a port range to this server (passive mode).
    I can do it with any of the other routers I have but not with the RV220W.
    I created a custom service with a start and finish range, but there is no place to enter a range under the Port Forwarding tab like I have with the other routers.
    I'm using the latest firmware, by the way.
    Any tips?
    Thank you

    Hi , 
    Can you please try Access Rules instead of Port Forwarding, under Firewall --> Access Rules:
    from WAN to LAN | always allow | choose your service | Source = any | DNAT = local IP of the server
    Enable the rule.
    Please let me know after your testing.
    Please rate this post or mark it as answered to help other Cisco customers.
    Thanks
    Mehdi

  • Data Transfer Port ranges in FTPS with SSL in File Adapter

    Hi,
    I would appreciate it if you could give me pointers regarding the issue below.
    We are on XI 3.0.
    For one interface, I have to configure the FTP File adapter to pick up the files from an external server.
    The connection is secure and should be FTPS with SSL.
    I have the certificate from the third party and have it installed on our XI development server.
    The change has been made in our firewall to allow the connection to the host IP and port 21, which is configured at the target party as the explicit FTPS port, and they have allowed access to our server IP in their firewall.
    I have configured other FTPS connections and they worked fine, but this is the only one that has been giving me so much trouble.
    The error I get today is:
    Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
    Yesterday, I got the error below:
    Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
    The vendor has suggested getting firewall ports 21 and 28000:30000 (data transfer) opened.
    He has also provided the certificate passphrase in addition to the user name and password needed to make the connection.
    When I tried the connection from the XI development server to the vendor server via telnet, it looked like it worked.
    Please advise.
    Regards,
    Archana

    Archana Singhai wrote:
    > Hi,
    > I would appreciate it if you could give me pointers regarding the issue below.
    > We are on XI 3.0.
    > For one interface, I have to configure the FTP File adapter to pick up the files from an external server.
    > The connection is secure and should be FTPS with SSL.
    > I have the certificate from the third party and have it installed on our XI development server.
    > The change has been made in our firewall to allow the connection to the host IP and port 21, which is configured at the target party as the explicit FTPS port, and they have allowed access to our server IP in their firewall.
    > I have configured other FTPS connections and they worked fine, but this is the only one that has been giving me so much trouble.
    > The error I get today is:
    > Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
    > Yesterday, I got the error below:
    > Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
    > The vendor has suggested getting firewall ports 21 and 28000:30000 (data transfer) opened.
    > He has also provided the certificate passphrase in addition to the user name and password needed to make the connection.
    > When I tried the connection from the XI development server to the vendor server via telnet, it looked like it worked.
    > Please advise.
    > Regards,
    > Archana
    1. Open the port ranges. FTPS usually requires you to open ports in the range of 65024 through 65535 for passive FTP data connections.
    2. Use the CA name in the certificate. It should be the same as the host name of the FTPS server.

  • ACE FTP inspect with port range

    Hi everyone,
    I have a problem with passive FTP with a fixed port range.
    I configured an FTP server with a fixed port range of 60000 - 60500 for the data channel.
    And the ACE is configured with "inspect ftp" on the policy of the ftp-serverfarm.
    In a tcpdump on the server I can see that the server uses the port range in the response packet:
    (x,x,x,x,34,195) = 60099
    But on the client I can see that the port in the packet is changed to another port. The ACE is between server and client.
    On CCO I found a document "http://www.ciscosystems.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/policy.html#wp1006925" ->> Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data.
    I don't understand why the ACE changes the port in the FTP payload.
    Is it possible to create the same port range in the ACE configuration of the connection to the client?
    Thanks
    René

    You don't need inspect ftp with one server because you can avoid it.
    You can, for example, configure a loopback on the server with the VIP address and configure the serverfarm as transparent on the ACE.
    Then for the data channel, since your range of ports is quite small, you can catch it with a class-map and simply forward it to the server.
    Like this, the server will use the VIP address in all packets exchanged with the client (no need to NAT the payload), and when the client opens a data connection, the traffic is matched by the class-map and the connection can be forwarded to the server using the same transparent serverfarm.
    Less chance of running into compatibility issues.
    Better performance since we can switch traffic without inspecting its content.
    Gilles.

  • Let's Revisit MacOS Server's Passive FTP Problem

    Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections. More often than not, this means that clients behind NAT routers (for a variety of complicated reasons) can't discover which of the "high ports" are being used in their passive connection. Furthermore, the Mac OS X administrator would have to open every port above 1024 to anticipate connections, severely weakening the security of the system.
    The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
    Here's a primer on the difference between Active and Passive FTP:
    http://slacksite.com/other/ftp.html
    Apple introduced a "solution" to the problem by making this addition to the Network Services manual sometime around 10.3 server:
    "See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service. "
    This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations. The typical workaround was choppy, but workable: replace Apple's built-in FTP daemon with a fully configurable one like ProFTPd or PureFTPd, configure a narrow range of ports for your own security, and configure your firewall to match.
    We're on Tiger server now and that's still in the Network Services manual. Leopard or whatever is looming. Will Apple ship an FTP server that works out-of-the-box with its own firewall this time? Any new thoughts or solutions?

    I think you need to do a little more research on FTP. Most of the actual problems you describe are inherent in FTP and nothing to do with any kind of Apple-inhibited FTP server.
    For example, you say:
    > Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections
    Not true. You can choose whatever port range you like using the portrange directive in /etc/ftpd.conf
    By default this directive isn't set so the entire port range is used. Feel free to change that.
    >The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
    This is an inherent flaw in FTP, suffered by every FTP server on the market. Nothing to do with Apple.
    > This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations
    Again, incorrect. The suggestion was a workaround for the FTP protocol restriction, not for Apple's implementation. I've been dealing with the exact same issues for years on various Sun servers I've run.
    Most of the problems you describe regarding FTP and firewalls won't be solved at all in any future OS update - from any vendor. FTP was never designed with firewalls and security in mind. The only solution is to fix the underlying protocol, or use something different altogether.

  • What port-range in the firewall of a Socks (e.g. JSocks) server?

    Hi there,
    I am using the JSocks implementation of a socks v5 server.
    Some of my questions are quite general (not only specific to JSocks) and I hope that someone knows the answer. Unfortunately the forum of JSocks (SourceForge) is only rudimentary, so I think this place is better for answering my questions.
    However...
    As I understand the SOCKS proxy, the server waits on a specific port - normally 1080 - and processes the client requests (bind, connect, accept...).
    For example, one client requests a bind. Then the SOCKS server opens a port locally on the SOCKS host and (if successful) replies with the new listening port and IP to the requesting client. ...
    (Forget authentication, cascaded proxies and IP ranges at this point!)
    Now, if other clients should be able to access this port, the firewall (if any) needs to allow connections to this port.
    My questions:
    What should be an adequate port range for the SOCKS proxy? In other words: what is the port range of the new ports that are created for the requesting clients?
    How should a separate firewall be configured so as not to conflict with a SOCKS proxy?
    Specific to JSocks (if somebody knows this he wins a virtual cookie): What is the port range that JSocks uses if it opens (generates) new ports for its clients?
    Where is the port range defined in JSocks? I haven't found any.
    Imagine that on the same machine there are other running applications that are listening on predefined ports (e.g. 8080, 21, ...) - what is the best way to exclude those ports in JSocks?
    Any hints and explanations are welcome!
    Edited by: krafzig on Oct 28, 2008 8:27 AM

    > You only need one port.
    OK, initially I need only - let's say - port 1080.
    But then, for example, a client c1 requests a bind. The SOCKS server opens a new socket for the client (e.g. on 50000) and tells the client on which port on the SOCKS host it is now listening, right?
    In order to allow client c2 to connect to this new port, the firewall needs to allow access to the new port (50000) first.
    So there are more ports - there might be hundreds or thousands, right?
    > If it's on a separate box it doesn't matter. If it's on the same box it should manage different ports.
    Yes, different ports!
    However, it should allow access to the ports that the SOCKS server opens for the clients, right?
    Optimal would be a dynamic adaptation of the firewall: whenever the SOCKS server opens a new port, the firewall grants access.
    > I assume it's configurable, so it's up to you.
    No, unfortunately it is not configurable. At least I haven't found anything.
    > Probably won't either.
    ???
    > Don't use ports already used. `netstat -a` will list all the used ports on that box.
    Obviously, and JSocks allows you to configure reuse of ports with a true/false flag.
    Has anybody set up a SOCKS proxy with a firewall and knows how this is/should be done normally?
    Does anybody have experience with JSocks?

  • Two FTP ports on a single solaris server

    Can I have two FTP ports on a single Solaris server? If yes, how?

    Hi adiyakiran,
    This is possible with the third-party FTP server wu-ftpd. You can download it from http://www.sunfreeware.com.
    Read the wu-ftpd FAQ: http://www.wu-ftpd.org/wu-ftpd-faq.html
    Testing on a different port number than ftp:21
    This can be done from the command line or with a special definition in /etc/services and /etc/inetd.conf. For the command line, look up -P and -p in the ftpaccess(5) manpage.
    To set up with special definitions, add 2 ports with consecutive numbers in /etc/services, and then start wu-ftpd on these ports. Add to /etc/services something like:
    ftptest 4021/tcp #command port
    ftptest-data 4020/tcp #data port
    Then start wu-ftpd from /etc/inetd.conf like:
    ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd
    The key is the name 'ftptest', which associates the port assignment in the /etc/services file with that in the inetd.conf file. Make certain the choice of ports in /etc/services (4021 and 4020 above) is from the local use list and doesn't conflict with other port assignments (see RFC1700, ASSIGNED NUMBERS). One important subtlety: the data port is not really derived from the data port declaration in the /etc/services file. The FTP specification (RFC765) states the data port is defined as one less than the command port. However, including the data port declaration in the /etc/services file prevents it from being accidentally assigned to something else.
    Thanks.
    regards,
    senthilkumar.
    SUN - DTS

  • WMI port range Issues windows server 2008 R2

    I've been encountering issues with the communication to some of my distribution points worldwide. The server is live but is unable to receive any packages.
    I troubleshot the issue with our network group and it seems that the servers are trying to send the data through port 1027.
    Now for the kicker: these are all 2008 R2 servers and port 1027 is part of the WMI range for Server 2003. The port range for 2008 starts at 49152.
    The issue in itself is easy enough to fix, as you can see below:
    netsh int ipv4 show dynamic tcp (this gives you the current range)
    netsh int ipv4 set dynamic tcp start=49152 num=**** (this allows you to set the beginning of the range to what you want and the number of ports available)
    This requires a reboot to be effective.
    My question is, why is the default port range changing without input from anyone?

    Hi Carl,
    As you point out, in Windows Server 2008 and later versions, and in Windows Vista and later versions, the default dynamic port range changed to the following range:
    Start port: 49152
    End port: 65535
    After my research, I found a relevant KB we can reference:
    The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
    http://support.microsoft.com/kb/929851

  • Time capsule ftp port forwarding

    Hi.
    Just got a new Time Capsule and have discovered that the connection speed to my FTP server is MUCH slower.
    I've tried playing around with port forwarding but haven't managed to get it sorted out.
    I did discover during my attempts that switching the TC over to bridge mode fixed everything. Didn't want that security setup though!
    Current setup is modem (bridge mode) > ethernet > Time Capsule (wirelessly routing via NAT-DHCP).
    I'm not quite sure what I'm doing with the port forwarding settings... I've tried changing the DHCP mode to manual on my Mac.
    I've also added various ports (21, 22, 80, 115) to the Time Capsule's port settings.
    According to http://www.yougetsignal.com the only open port is 21.
    Any tips?? Very grateful!

    You need to look carefully at how ftp gets through NAT.. and if the ftp client can open ports itself .. which way are you going, out or in?
    Is the client active or passive ftp? You think ftp is this simple protocol but there are variations and some handle NAT better than others.. it is also going to need specific ports opened higher up the range.
    Some clients allow you to dictate the port and others open ports at random.
    See the info here.
    http://slacksite.com/other/ftp.html

  • Port range forwarding on MI424WR Revision I

    I'm trying to get Passive FTP working through my newly installed MI424WR Rev. I router. I tried doing a port range in the "Port Forwarding" section of the configuration page with no luck. I have also tried "Port Triggering" but that didn't seem to work either.
    Does anyone know how I could get the FIOS router to just pass a range along to a server inside the network?

    Did you do a custom rule, or did you use the FTP option that is preconfigured through the Actiontec? Look at the preconfigured port list.
    http://www.actiontec.com/howto/h2_detail.php?cat_id=3&id=9

  • Passive FTP and the Leopard firewall

    Hi,
    We have a staff upload server that uses the built-in Leopard firewall. It is fed by two proprietary applications, one of which uses passive FTP only. We are getting a small number of incidents where the passive upload is unsuccessful. Initial contact is made (visible in the logs and as a connection in the Server Admin GUI) but the upload doesn't proceed. A user might try uploading several times without success. On other occasions, the same user from the same computer has no problems at all.
    We have the FTP service enabled on ports 20-21 and the FTP service PASV port range enabled 49152-65535.
    If I add the uploading computer's IP address to an access group with no port restrictions on the firewall, the uploads are always successful.
    With my very limited knowledge of FTP and firewalls, this suggests that the negotiated port for the data transfer is outside the default port range used by Apple. Is this likely? Are there any implications in changing the range?
    Or am I totally confused and should I be looking elsewhere?
    Thanks,
    Ross Glover

    By default, the FTP server doesn't restrict itself to any particular passive port range. To make it match what the firewall claims it should be, edit the file /Library/FTPServer/Configuration/ftpaccess and add the line:
    passive ports 0.0.0.0/0 49152 65535
    ...then restart the FTP service and retest.

  • CSM not passing ACK in FTP port 1985?

    We have a pair of CSM 4.1.6 in bridge mode and we have a VIP for passive FTP set. We are seeing consistent errors with FTP port 1985. We took several captures and noticed that conns show ESTAB on the CSM, but the client sends the SYN, receives the SYN/ACK, then sends the ACK, but the ACK never gets to the server, and this only happens on port 1985. I also looked at the capture on the server and see that the ACK never gets to the server. We tried TCP ports 1984 and 1986 and everything works perfectly. Has anyone seen anything like this before?
    vserver PSCO_FTP---21
    virtual 10.x.2.100 tcp ftp service ftp
    vlan 690
    serverfarm PSCO_FTP---0000
    persistent rebalance
    inservice
    serverfarm PSCO_FTP---0000
    nat server
    no nat client
    predictor leastconns
    real 10.x.5.100
    inservice
    real 10.x.6.100
    inservice
    probe PROD-FTP
    EdSw02#sh mod csm 4 conns vserver PSCO_FTP---21 det
    prot vlan source destination state
    In TCP 690 172.x.2.57:1985 10.x.2.100:21 ESTAB
    Out TCP 691 10.x.6.100:21 172.x.2.57:1985 ESTAB
    vs = PSCO_FTP---21, ftp = Control, csrp = False

    Thx sadbulali, I see...but according to the tcp dumps on client and server you never see a FIN in either direction. What you do see is the client sending SYN the real gets the SYN it sends a SYN/ACK and the client then receives the SYN/ACK then the client proceeds to send the ACK which never reaches the real server...And it seems to be stopping at the CSM.

  • FTP access to server

    I'm a graphic designer and I've been working towards setting up my G4 as a server. I have managed, with the help of great forum helpers on Apple Discussions, to set up port forwarding on the router and get access to my web folder and the computer's web folder.
    I now wish to set up FTP to my web folder.
    I have set the FTP port forwarding to my Mac's IP on port 21 as I did with HTTP (port 80).
    I have tried to log in through an FTP client from the PC at work (as most of my clients have PCs).
    I use my computer's IP, then username and password, through the FTP client.
    I then see my folder “users/myhomefolder” but with nothing in it.
    I try to upload; it tries but returns with an error and “command :> type i” in the connection list (using ftpBlaze). The connection keeps trying with the same issue.
    File sharing: Firewall enabled with passive mode
    I have tried passive mode and anonymous; both return the same errors.
    Also, I have FileVault enabled. As I believe this only affects my home folder, I thought that if I logged in with the correct user name etc. it would let me in?
    I have also tried to access my home web pages via HTTP but it denied access, yet lets me in to the computer's web folder.
    Before FileVault was initialised I could view my web pages, which leads me to believe that FileVault is not letting me in.
    Is there a way around this? In terms of security, would FileVault be the best or is there another system I could use?
    Off the subject a little, can I set up multiple web folders anywhere on my hard drive, e.g. in a partition, or does it always need the system to be loaded in order to determine the path? E.g. I have a partition and set a client there; can they have access and would I be able to publish a website from the same place?
    Quite a bit there, sorry, but hope someone can help
    Thanks

    > I'm a graphic designer and I've been working towards setting up my G4 as a server. I have managed, with the help of great forum helpers on Apple Discussions, to set up port forwarding on the router and get access to my web folder and the computer's web folder.
    > I now wish to set up FTP to my web folder.
    > I have set the FTP port forwarding to my Mac's IP on port 21 as I did with HTTP (port 80).
    > I have tried to log in through an FTP client from the PC at work (as most of my clients have PCs).
    > I use my computer's IP, then username and password, through the FTP client.
    > I then see my folder “users/myhomefolder” but with nothing in it.
    > I try to upload; it tries but returns with an error and “command :> type i” in the connection list (using ftpBlaze). The connection keeps trying with the same issue.
    > File sharing: Firewall enabled with passive mode
    > I have tried passive mode and anonymous; both return the same errors.
    > Also, I have FileVault enabled. As I believe this only affects my home folder, I thought that if I logged in with the correct user name etc. it would let me in?
    Why don't you try to disable "FileVault" and see if you get through. The problem sounds permission-based to me.
    > I have also tried to access my home web pages via HTTP but it denied access, yet lets me in to the computer's web folder.
    > Before FileVault was initialised I could view my web pages, which leads me to believe that FileVault is not letting me in.
    > Is there a way around this? In terms of security, would FileVault be the best or is there another system I could use?
    I don't know anything about FileVault, but I assume it affects permissions for those that don't know how to set them manually... Thus, in its essence, it doesn't allow people to do certain things, like see (read) them in this case.
    > Off the subject a little, can I set up multiple web folders anywhere on my hard drive, e.g. in a partition, or does it always need the system to be loaded in order to determine the path? E.g. I have a partition and set a client there; can they have access and would I be able to publish a website from the same place?
    > Quite a bit there, sorry, but hope someone can help
    > Thanks
    Your Apache server root will be located in the httpd.conf file. It is probably /Library/WebServer/Documents/
    I think you could use shortcuts (aliases) to point to other areas, however.
    hth,
    Donovan
