Anon FTP on an IPFW Firewall?

Hey,

I'm trying to get an anonymous ftp server (wu-ftp) to work with an IPFW Firewall.

I enabled port 21, but that only enables access if you directly specify port 21 when connecting, but when you try to access ftp anonymously from a web browser, it is blocked because wu-ftp seems to be using random server ports to connect.

Do anyone know how to get around this or to configure wu-ftp correctly so that it only uses port 21 even for anonymous ftp?

Any help would be greatly appreciated.

Dan

I am sure the problem is in setting up the actual data stream. The browser is NOT going to try to connect on a random port, it will only attempt to connect on the standard FTP port unless otherwise configured. However, in the standard FTP protocol, the DATA is transmitted on a separate port specific to that particular connection which is basically chosen at random from a range of high ports; the control communication remains on the original connection. If you have all other ports blocked then naturally it will be unable to transmit data and will drop the connection. There are several work-arounds for this, though the specifics escape me. There is a command clients can give to most FTP servers to specify a particular port, I suspect you can configure the server to respond with a particular port as opposed to a random port and configure your firewall to handle that port. You may also be able to specify a range and free that range up in the firewall. Check your server documentation.

By default web browsers are enabled for passive FTP which meens if the FTP server is passive it will go to random ports by deafualt starting at 1024+n. This is to bypass firewalls. turn off passive mode in the browser and open ports 20 FTP data port and 21 set the ftp server for active FTP.

read my responses to this post http://forums.devshed.com/t248493/s.html

and especialy look at the link I gave for active vurses passive FTP.

which is here FTP MODES

Thanks for all your help.

I was able to fix the issue that I mentioned by adding these lines to my ipfw.conf:

allow tcp from any to any 21 keep-state setup
allow tcp from any to any 2000-2099 keep-state setup


And by adding this line to wu-ftp's ftpaccess file:

passive ports 0.0.0.0/0 2000 2099

Since I'm running an anonymous file upload server, do I really need to have active ftp enabled? Most of our users upload through the web and some through ftp clients, which all/most use passive ftp.

The strange thing is even though port 20 isn't enabled. I'm still able to connect using an ftp client using the active mode. How is this possible? How can I test if it's truly active mode?

Dan

port 20 is just a data port you should be able to connect but error during file transfers. you should see when you connect in the ftp client what ports you have connections on.