what else is needed to make ftp passive work

Jeremy Chadwick koitsu at FreeBSD.org
Wed Oct 22 12:13:34 PDT 2008


On Wed, Oct 22, 2008 at 01:58:31PM -0500, Len Conrad wrote:
> two machines on the same private network.  
> 
> ftp  10.0.0.24
> Connected to 10.0.0.24.
> 220 mx1.fairhope.net FTP server (Version 6.00LS) ready.
> Name (10.0.0.24:username): 
> 331 Password required for username.
> Password:
> 230 User username logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 229 Entering Extended Passive Mode (|||64341|)
> 
> at this point, there is a long delay, that eventually completes:
> 
> 200 EPRT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'
> 
> ... and the rest of the ftp session runs fast.
> 
> on the ftp server, if we "ipfw disable firewall", the ftp session runs without delay.
> 
> in hosts file, both machines have both of their records, so we don't think the delay is query for PTR of either IP.
> 
> our ipfw.rules:
> 
> # stateful
> $IPF 50 check-state
> $IPF 60 allow tcp  from any to any established 
> $IPF 70 allow all  from any to any out keep-state
> $IPF 80 allow icmp from any to any
> 
> # open well-known ports
> 
> # FTP
> $IPF 120 allow tcp from any to any 20 in
> $IPF 121 allow tcp from any to any 20 out
> $IPF 122 allow tcp from any to any 21 in
> $IPF 123 allow tcp from any to any 21 out
> 
> In inetd.conf, we've added "-l -l -d" but don't get any ftpd debug info written to /var/log/messages or /var/log/xferlog or dmesg system buffer.
> 
> So what else is needed in our ipfw.rules for the ftpd params to get the switch to Extended Passive Mode to run quickly?

You're not understanding the FTP protocol properly, specifically the
difference between Passive and Active mode.  This is why you're having
issues.

You need to punch firewall holes to your FTP server on the following
ports:

 Inbound: TCP port 21			(main ftpd daemon)
 Inbound: TCP ports 49152 to 65535	(used in FTP passive mode)
Outbound: TCP port 20			(used in FTP active mode)

Yes, you read that range correctly.  And yes, it's quite large.  Yes,
there is a way to diminish it, but it will affect other programs on
FreeBSD, so I do not recommend adjusting it.  It's controlled by
sysctls.  See the -U option of ftpd, but note that it doesn't do
anything for FreeBSD 5.0 or later.

I highly recommend you stick the FTP server on its own IP address (e.g.
bind the FTP server to its own IP using IP aliases), and then apply
those rules to a specific IP address, e.g.:

ipfw add 120 allow tcp from any to ftp.server.ip 21 in
ipfw add 121 allow tcp from any to ftp.server.ip 49152-65535 in
ipfw add 122 allow tcp from ftp.server.ip 20 to any out

Finally, I recommend if this machine is RELENG_6 or later, that you look
in to using pf(4) instead.  You'll thank me later.  :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
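As an added illustration (not part of the thread), this Python script parses the passive-mode replies from the quoted session and checks the announced data port against the inbound allow ranges of a ruleset, showing why the original rules stall the listing and the recommended ones do not. The 227 PASV line and the rule tuples are constructed here to mirror the thread's rules.

```python
import re
from typing import List, Optional, Tuple

# FreeBSD's default "high" ephemeral range, which ftpd draws passive-mode
# data ports from (the sysctl-controlled range mentioned in the reply).
PASSIVE_RANGE = (49152, 65535)

# Sample replies: the 229 line is from the quoted session; the 227 line is a
# constructed PASV equivalent announcing the same host and port.
SESSION = [
    "220 mx1.fairhope.net FTP server (Version 6.00LS) ready.",
    "229 Entering Extended Passive Mode (|||64341|)",
    "227 Entering Passive Mode (10,0,0,24,251,85)",
]

EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def data_port(line: str) -> Optional[int]:
    """Data port announced by an EPSV (229) or PASV (227) reply, else None."""
    m = EPSV_RE.match(line)
    if m:
        return int(m.group(1))
    m = PASV_RE.match(line)
    if m:
        # PASV encodes the port as two decimal bytes: high * 256 + low.
        return int(m.group(5)) * 256 + int(m.group(6))
    return None

def inbound_allowed(port: int, rules: List[Tuple[int, int]]) -> bool:
    """True if some inbound TCP allow rule (lo, hi) covers the data port."""
    return any(lo <= port <= hi for lo, hi in rules)

def diagnose(session: List[str], rules: List[Tuple[int, int]]) -> List[Tuple[int, bool]]:
    """For every passive reply in the session, report (port, allowed?)."""
    found = [data_port(line) for line in session]
    return [(p, inbound_allowed(p, rules)) for p in found if p is not None]

# The poster's rules open only TCP 20 and 21 inbound, so the client's SYN to
# the announced port is dropped and it stalls until it falls back to EPRT.
ORIGINAL_RULES = [(20, 20), (21, 21)]
# The reply's rules add the whole passive range, so the data connect succeeds.
FIXED_RULES = [(21, 21), PASSIVE_RANGE]

if __name__ == "__main__":
    print("original:", diagnose(SESSION, ORIGINAL_RULES))
    print("fixed:   ", diagnose(SESSION, FIXED_RULES))
```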