
I have installed the pure-ftpd package with PureFTP 1.0.24 on Ubuntu 10.04 using apt-get.

Even though this is the default port range, I've added the file /etc/pure-ftpd/conf/PassivePortRange containing:

30000 50000

This does add the correct option to the command as it is run (-p 30000:50000), but for some reason, I still get connections trying to use ports above 50000. I think the problem is that these are active ftp sessions, but what's the point of specifying a port range if it only works for passive mode? Then I still need to open all the ports in my firewall...

Is there a way to specify a port range for all connections (rather than just passive ones)?

Castaglia
mltsy

2 Answers

In passive mode the server tells the client to connect back on a random port. You have configured the server to use a specific range, so it should only use these. This range will need to be opened through your firewall to allow connections in (unless your firewall is clever enough to look in the FTP packets and add dynamic rules).

In active mode the client asks the server to connect to it on a random port. Because the client chooses this, you have no control over it. However, for active to work, you should only need to add a keep-state rule to allow these connections out from your server. You don't need to open all ports fully.

USD Matt

In active mode the server initiates a connection to a client-defined IP address, so the server has no way of affecting the port number being used. In this case you don't need to open other incoming ports than 21, because the server initiates the data connection towards the client.

In passive mode the client opens a connection to a server-defined port, and that's the spot where the passive port range comes into play. The server chooses a free port within the range and hands it to the client. This of course means that the entire port range needs to be open in the server firewall, which has security implications.

Linux has a neat feature to mitigate the effects of opening a large port range for passive FTP: iptables connection tracking. To take advantage of it, you need to make sure the ip_conntrack_ftp module is loaded, and then you can permit traffic like this:

# iptables -A your_chain -i your_iface -m state --state RELATED -m helper --helper ftp -j ACCEPT

(You could include your port range if necessary.) That tells iptables to accept related connections managed by the conntrack FTP helper. So, if any other service were listening on a socket in your passive port range, iptables would deny access to the port because it cannot recognize it as being FTP related.

por
  • Thanks! The real problem was that I happened to be connecting (via active FTP) from another server with similar port-range restrictions, so I was getting error messages like "Could not open data connection to port 59111: Connection timed out" - and thinking this was referring to the server port, but it was actually referring to the client port. So the answer for my situation (connecting from a client with a limited port-range open), is to use passive ftp! :) – mltsy Oct 08 '12 at 20:10
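To make the difference between the two firewall approaches in the second answer concrete, here is an added example (not code from the question or either answer): a POSIX shell script that reads the same two-number format as /etc/pure-ftpd/conf/PassivePortRange, validates it, and renders (without applying) the rule set that opens the whole range to anyone next to the rule set that only admits data connections the FTP conntrack helper has seen announced on port 21. The chain name INPUT, the interface eth0 and the module name ip_conntrack_ftp are assumptions taken from the era of the question; adjust them for your host.

```shell
#!/bin/sh
# Dry-run generator for pure-ftpd passive-range firewall rules.
# Nothing here calls iptables; the functions only echo the commands.

# read_passive_range FILE: echo "LOW HIGH" from a PassivePortRange-style
# file, or return 1 if the file is missing, malformed or out of bounds.
read_passive_range() {
    file="$1"
    [ -r "$file" ] || return 1
    # read fails on a file without a trailing newline but still assigns
    read -r low high _ < "$file" || [ -n "$high" ] || return 1
    for n in "$low" "$high"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    # unprivileged ports only, and the range must not be inverted
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    echo "$low $high"
}

# weak_rules LOW HIGH: the naive approach the question describes, which
# lets any host open a NEW connection to every port in the passive range.
weak_rules() {
    echo "iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i eth0 -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT"
}

# helper_rules LOW HIGH: the conntrack approach from the second answer,
# narrowed to the configured range so an unrelated service listening there
# is still unreachable from outside.
helper_rules() {
    echo "modprobe ip_conntrack_ftp"
    echo "iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i eth0 -p tcp --dport $1:$2 -m state --state RELATED -m helper --helper ftp -j ACCEPT"
    echo "iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT"
}

# Usage: render both variants from a constructed copy of the config file.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp) && printf '30000 50000\n' > "$demo"   # constructed sample
    set -- $(read_passive_range "$demo") || exit 1
    echo "## weak"; weak_rules "$1" "$2"
    echo "## conntrack helper"; helper_rules "$1" "$2"
    rm -f "$demo"
fi
```

Run with `sh script.sh --demo` to see both rule sets; the helper variant only ever accepts a data connection after the control channel on port 21 has announced it.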