0

Is there a way to restrict FTPS ports on both the server & client side of the connection?

I've already read this answer and I have vsftpd set to restrict passive port usage to a narrow range on the server side. I've verified that this restriction does work -- for the server. However, if the client is behind a firewall itself and is carefully restricting access on that end, the connections fail. Inspecting with tcpdump, it appears that arbitrary high ports on the client side are being used.

SFTP is not an option. (Believe me, I wish it were.)

Michael H.

2 Answers

1

In theory, yes, but I'm not aware of any FTP client software that will allow you to specify the source port, and to be honest it'll probably cause more problems than it solves if you start messing with the source ports on a client device. It's really only the destination port that gets adjusted; I've never seen a firewall that locked down ports inside or out based on the source port, it's always the destination.

Another reason not to play around with the source port is that it will more than likely get changed when it hits the source client's router/firewall. Most offices/homes only have 1 external IP, so in order to keep track of connections the internal IPs and source ports are changed by the firewall dynamically, which is commonly referred to as port address translation (PAT). As such, even if you did specify the source port on the client, there is no guarantee that it'll be the same when it hits the server.

Chris
  • This is business-to-business, not home clients, so I don't have to worry so much about casual users and NAT. (Yes, we looked into VPN, but that's a separate conversation.) – Michael H. Jun 07 '12 at 18:15
0

However, if the client is behind a firewall itself and is carefully restricting access on that end, the connections fail.

The client (or their IT dept) would have to allow those ports on their firewall. You can't really do much other than tell them what ports need to be open outbound.

Those high ports on the client are probably just the ephemeral ports on the host trying to make the connection; it's the outbound destination ports (the ones you configured on your server side) that are most likely blocked on their firewall for outbound use.

TheCleaner
  • Unfortunately, I see no way to restrict the high ports on the client. So it's not a matter of opening "those ports" on the client -- it would be opening *all* ports, which is clearly unacceptable. This is so far as I can tell from tcpdump & coworker reports on failures. I would be very happy to be incorrect about this! – Michael H. Jun 07 '12 at 17:01
  • The source port from the client, i.e. 192.168.50.50:48093, shouldn't matter. It's where they are going that matters on their firewall rules. Most don't restrict source ports... typically. – TheCleaner Jun 07 '12 at 18:22
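The point made in this answer and its comments (the client's high ports are ephemeral source ports; what the client's egress firewall must allow is the destination side, i.e. port 21 plus the server's passive range) can be checked directly against a tcpdump capture like the one the question mentions. The script below is an added example, not code from the question or either answer: it parses constructed tcpdump lines (the addresses 192.168.50.50 and 203.0.113.10, the assumed passive range 50000-50010 and all port numbers are made up for the illustration) and separates the client-originated SYNs into source ports, which vary per connection, and destination ports, which should all fall inside the allowed set.

```python
import re

# Constructed sample tcpdump output (not captured from the poster's network).
# Assumed: FTPS client 192.168.50.50, server 203.0.113.10 with vsftpd
# pasv_min_port=50000 / pasv_max_port=50010. One control-channel SYN, three
# passive data-channel SYNs and one SYN-ACK coming back from the server.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.168.50.50.48093 > 203.0.113.10.21: Flags [S], seq 1, win 64240, length 0
12:00:01.200001 IP 192.168.50.50.48094 > 203.0.113.10.50003: Flags [S], seq 2, win 64240, length 0
12:00:02.300001 IP 192.168.50.50.51877 > 203.0.113.10.50007: Flags [S], seq 3, win 64240, length 0
12:00:03.400001 IP 192.168.50.50.39510 > 203.0.113.10.50001: Flags [S], seq 4, win 64240, length 0
12:00:03.500001 IP 203.0.113.10.50001 > 192.168.50.50.39510: Flags [S.], seq 9, ack 5, win 65160, length 0
"""

# Matches only pure SYNs ("Flags [S]"); SYN-ACKs are "Flags [S.]" and are skipped,
# so only connections the client itself initiated are counted.
SYN_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)


def outbound_syns(text, client_ip):
    """Return (source_port, destination_port) for every SYN sent by client_ip."""
    pairs = []
    for line in text.splitlines():
        m = SYN_LINE.search(line)
        if m and m.group("src") == client_ip:
            pairs.append((int(m.group("sport")), int(m.group("dport"))))
    return pairs


def classify(pairs, pasv_min, pasv_max, ctrl_port=21):
    """Summarise what the client firewall actually sees.

    Source ports are the ephemeral ports TheCleaner describes and differ per
    connection; destination ports are what an outbound rule should be written
    against. Any destination outside {ctrl_port} + [pasv_min, pasv_max] is
    reported so a mismatch with the server's configured range shows up.
    """
    src_ports = sorted({s for s, _ in pairs})
    dst_ports = sorted({d for _, d in pairs})
    outside = [d for d in dst_ports
               if d != ctrl_port and not pasv_min <= d <= pasv_max]
    return {
        "distinct_source_ports": src_ports,
        "distinct_destination_ports": dst_ports,
        "destinations_outside_allowed": outside,
    }


def client_egress_allowlist(server_ip, pasv_min, pasv_max, ctrl_port=21):
    """The outbound allow entries the client side needs: destination-based only,
    source port unrestricted (the source port is whatever the OS picks)."""
    return [
        {"proto": "tcp", "dst": server_ip, "dport": f"{ctrl_port}", "sport": "any"},
        {"proto": "tcp", "dst": server_ip, "dport": f"{pasv_min}:{pasv_max}", "sport": "any"},
    ]


if __name__ == "__main__":
    pairs = outbound_syns(SAMPLE_TCPDUMP, "192.168.50.50")
    summary = classify(pairs, 50000, 50010)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for rule in client_egress_allowlist("203.0.113.10", 50000, 50010):
        print("allow", rule)
```

Run against a real capture, `destinations_outside_allowed` being non-empty would mean the server is handing out passive ports outside the range the client side was told to open; an empty list with failing transfers points at the client firewall not permitting the destination range outbound, which is the situation the answer describes.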