On Fri, Apr 11, 2008 at 10:06:49AM +0100, Wayne Stallwood wrote:
> On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
> > How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
> Well, this is where it gets messy. If you run in active mode then inbound the server only needs the control port open (21); however, the client's firewall needs to be able either to use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Remember I have no control at all over "the client's firewall", so that basically means that active mode is impossible (and that's why all recent command line ftp clients default to passive mode nowadays).
> Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as in passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
> So basically it is a choice: at one end you need a firewall/NAT that understands FTP and can do protocol inspection to manage the open ports, or you open 49152-65535 exclusively, and even then you need to educate your clients to use the appropriate mode (and just to help things, different clients default in different ways).
> Essentially it is a broken protocol as it was designed at a time when NAT didn't exist and firewalls were not commonplace. I really, really would look at browser based upload.
I've installed Gallery2, which is a bit overkill for just "browser based upload" but may well be what my 'users' want anyway.
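The port negotiation Wayne describes is visible in two FTP control-channel messages: the server's `227` reply in passive mode (it announces the data port it has opened) and the client's `PORT` command in active mode (the client announces the port the server must connect back to). The script below is an added example, not code from anyone in this thread: it decodes a `227` reply into host and port, builds the equivalent `PORT` command for the active case, and checks whether the negotiated port falls inside a static firewall rule for the 49152-65535 range the thread mentions. The addresses and port tuples in the demo are constructed sample values.

```python
import re

# Passive data-port range discussed in the thread (49152-65535). Whatever range the
# server is configured to use (vsftpd calls these pasv_min_port/pasv_max_port) must
# match the range the firewall admits inbound, or passive transfers fail to connect.
PASV_RANGE = (49152, 65535)

# 227 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 PASV reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte * 256 + low byte
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Active-mode PORT command: the client names the port on its own side that the
    server will connect back to, i.e. the inbound connection the client firewall must admit."""
    if not 0 < port <= 65535:
        raise ValueError(f"invalid port {port}")
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address {host!r}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def data_port_allowed(port: int, allowed=PASV_RANGE) -> bool:
    """True if the negotiated data port lies inside the range a static firewall rule opens."""
    lo, hi = allowed
    return lo <= port <= hi


def check_pasv_reply(reply: str, allowed=PASV_RANGE) -> dict:
    """Decode a PASV reply and report whether a firewall rule for `allowed`
    would let the client's data connection reach the server."""
    host, port = parse_pasv(reply)
    return {"host": host, "port": port, "allowed": data_port_allowed(port, allowed)}


if __name__ == "__main__":
    # Constructed sample replies (addresses and ports are made up for the demo).
    for reply in ("227 Entering Passive Mode (192,168,1,10,200,5)",
                  "227 Entering Passive Mode (192,168,1,10,19,137)"):
        print(reply, "->", check_pasv_reply(reply))
    print(build_port_command("192.168.1.20", 51205))
```

The second sample reply decodes to port 5001, which a firewall that only opens 49152-65535 would drop; that is the failure mode to look for when a passive transfer hangs after the `227` reply even though port 21 works. The same arithmetic in reverse (`port // 256`, `port % 256`) is what a client puts in its `PORT` command, so the active-mode problem at the client's firewall is exactly the passive-mode problem moved to the server's.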