On Fri, Apr 11, 2008 at 10:06:49AM +0100, Wayne Stallwood wrote:
On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
Well, this is where it gets messy. If you run in active mode then inbound the server only needs the control port open (21); however, the client's firewall needs to be able to either use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as in passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
vsftpd (and presumably other FTP servers too) allows you to limit the ports used for passive. pasv_min_port / pasv_max_port are the relevant config options; you could set them such that you have a dozen or so ports available and then only have to open those up from your firewall to the FTP server from the outside world.
J.
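As an added illustration of the two points above (the protocol inspection a firewall has to do on the control channel, and the pasv_min_port / pasv_max_port range that lets you open only a handful of ports), here is a small Python script that is not part of this thread or of vsftpd. It decodes the host/port tuple in a client PORT command (active mode) and in a server 227 reply (passive mode), reads the passive range from a vsftpd.conf fragment, and checks whether an advertised passive port actually lands inside that range. The config values, addresses and the iptables rule string are constructed sample values, not taken from the list posts.

```python
"""Decode FTP PORT / PASV port negotiation and check it against a
vsftpd-style pasv_min_port / pasv_max_port range.

Added example, not code from the mailing-list thread or from vsftpd.
The config fragment, addresses and firewall rule below are constructed.
"""
import re
from typing import Tuple

# Constructed vsftpd.conf fragment (sample values only).
SAMPLE_VSFTPD_CONF = """\
listen=YES
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50010
"""

# FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
# Server reply:   227 Entering Passive Mode (192,0,2,10,195,80)
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command: PORT 192,0,2,50,200,10
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _decode(m: "re.Match") -> Tuple[str, int]:
    """Turn the six captured octets into (host, port); reject octets > 255."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server's 227 reply names where IT will listen for the data connection."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    m = _PASV_RE.search(line)
    if not m:
        raise ValueError("no address tuple in 227 reply")
    return _decode(m)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client's PORT command names where the SERVER must connect back to."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    return _decode(m)


def pasv_range(conf: str) -> Tuple[int, int]:
    """Read pasv_min_port / pasv_max_port from vsftpd.conf text (key=value lines)."""
    vals = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        vals[k.strip()] = v.strip()
    lo, hi = int(vals["pasv_min_port"]), int(vals["pasv_max_port"])
    if not (0 < lo <= hi <= 65535):
        raise ValueError("bad passive port range")
    return lo, hi


def pasv_port_allowed(reply: str, conf: str) -> bool:
    """True if the advertised passive data port sits inside the configured range,
    i.e. a firewall that opens only that range will admit the data connection."""
    _, port = parse_pasv_reply(reply)
    lo, hi = pasv_range(conf)
    return lo <= port <= hi


def firewall_rule(conf: str, iface: str = "eth0") -> str:
    """Render one iptables rule admitting new TCP connections to the passive range
    (constructed illustration of what you would open instead of 49152-65535)."""
    lo, hi = pasv_range(conf)
    return (f"iptables -A INPUT -i {iface} -p tcp --dport {lo}:{hi} "
            f"-m conntrack --ctstate NEW -j ACCEPT")


if __name__ == "__main__":
    print(parse_port_command("PORT 192,0,2,50,200,10"))
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)."))
    print(pasv_port_allowed("227 Entering Passive Mode (192,0,2,10,195,80).",
                            SAMPLE_VSFTPD_CONF))
    print(firewall_rule(SAMPLE_VSFTPD_CONF))
```

The range check is the same test a conntrack FTP helper performs when it watches the control channel; doing it yourself against the server's own config is a quick way to confirm that the ports vsftpd hands out and the ports the firewall admits actually agree.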