
RRAS and Passive FTP.
JimJ


 
06-09-04 01:49 PM

Hi all,
I want to use RRAS Basic Firewall /NAT for an extra layer of port blocking
and have configured everything except I cannot work out how to allow for
passive FTP. Passive FTP basically requires that a large range of outgoing
ports is open on the IP used for FTP.  However I cannot find any way to allow
all outgoing or a port range within RRAS. Does anyone know how to do this?
Thanks in advance for any input.







    Re: RRAS and Passive FTP.  
Gerry Voras




 
06-10-04 04:48 AM

That's going to be the price you pay for security.  Either allow the ports
to be open, or don't use PASV mode.

I personally would switch to SSH/SCP/SFTP for file transfers.  Much more
secure in any case.

"JimJ" <JimJ.17lblz@mail.webservertalk.com> wrote in message
news:JimJ.17lblz@mail.webservertalk.com...
>
> Hi all,
> I want to use RRAS Basic Firewall /NAT for an extra layer of port
> blocking and have configured everything except I cannot work out how to
> allow for passive FTP. Passive FTP basically requires that a large
> range of outgoing ports is open on the IP used for FTP.  However I
> cannot find any way to allow all outgoing or a port range within RRAS.
> Does anyone know how to do this?
> Thanks in advance for any input.
>
>
>
> --
> JimJ
>










    Re: RRAS and Passive FTP.  
Jim.J




 
06-10-04 12:48 PM

Thanks for your reply. I do realise that but I can't figure out how to allow
all outgoing ports on a single IP in RRAS basic firewall / NAT. Any ideas?

"Gerry Voras" <gerry.voras@nextaction.com> wrote in message
news:urdbTNoTEHA.1284@TK2MSFTNGP10.phx.gbl...
> That's going to be the price you pay for security.  Either allow the ports
> to be open, or don't use PASV mode.
>
> I personally would switch to SSH/SCP/SFTP for file transfers.  Much more
> secure in any case.
>
> "JimJ" <JimJ.17lblz@mail.webservertalk.com> wrote in message
> news:JimJ.17lblz@mail.webservertalk.com... 
>
>










    Re: RRAS and Passive FTP.  
Enkidu




 
06-12-04 04:48 AM


It's incoming ports that have to be opened. The basic firewall setup
is for *all* outgoing ports to be open and no incoming ports open. You
then open any required incoming ports for webservers behind the
firewall or whatever and close others that you don't want to go out.

If you have an ftp client outside trying to get in to your ftp server,
it first makes a connection on port 21 and in active mode the server
then makes a connection out on port 20 to the ftp client. So to make
active ftp work all that is normally needed is for the firewall to
allow connections on port 21 and if necessary NAT them to the correct
server. The outbound connection is on port 20 and that goes OK unless
outgoing restrictions have been put in place.

If the client is behind a firewall however, it cannot accept incoming
requests on port 20. This is why passive ftp was developed. The client
end makes the control connection on port 21 as before. During the
connection dialog your server says to the client "connect using port
xxxx" for the data connection. The client then attempts to connect to
your server on port xxxx for the data connection. For this to work you
need to open port 21 and several high order *incoming* ports. Your
firewall device should be set up to allow 21 + high order ports and
should NAT them to the server.

http://slacksite.com/other/ftp.html

Cheers,

Cliff


On Thu, 10 Jun 2004 12:51:46 +0100, "Jim.J" <sam@mxweaver.com> wrote:

>Thanks for your reply. I do realise that but I can't figure out how to allow
>all outgoing ports on a single IP in RRAS basic firewall / NAT. Any ideas?
>
>"Gerry Voras" <gerry.voras@nextaction.com> wrote in message
>news:urdbTNoTEHA.1284@TK2MSFTNGP10.phx.gbl... 
>
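
The "connect using port xxxx" step described in the post above, as an added example that is not part of the original thread: it parses the server's 227 passive-mode reply and checks whether the advertised data port and address would be reachable through the firewall. The passive range 50000-50010, the public address 203.0.113.5 and the sample replies are assumptions constructed for illustration.

```python
import re

# 227 reply carries h1,h2,h3,h4,p1,p2: the data address and port as six decimal bytes.
PASV_RE = re.compile(r"^227\b\D*" + ",".join([r"(\d{1,3})"] * 6))

def parse_pasv(reply):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("address/port field larger than one byte")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # port = p1 * 256 + p2
    return ip, port

def check_pasv(reply, public_ip, open_ports):
    """Return (ip, port, problems) for a client connecting from outside the firewall."""
    ip, port = parse_pasv(reply)
    problems = []
    if port not in open_ports:
        problems.append("port %d is not opened/forwarded on the firewall" % port)
    if ip != public_ip:
        problems.append("reply advertises %s, not the public address %s" % (ip, public_ip))
    return ip, port, problems

# Assumed setup (hypothetical values): incoming passive range and public address.
PUBLIC_IP = "203.0.113.5"
OPEN_PORTS = range(50000, 50011)

# Constructed sample replies, not captured from a real server.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,5,195,80).",   # inside the opened range
    "227 Entering Passive Mode (203,0,113,5,4,1).",      # server picked an unopened port
    "227 Entering Passive Mode (192,168,1,10,195,85).",  # internal address leaks through NAT
]

if __name__ == "__main__":
    for line in SAMPLES:
        ip, port, problems = check_pasv(line, PUBLIC_IP, OPEN_PORTS)
        print(ip, port, "; ".join(problems) or "ok")
```

Restricting the FTP server to a small passive port range and opening only that range inbound keeps the number of exposed ports bounded.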









    Re: RRAS and Passive FTP.  
Jim.J




 
06-13-04 04:48 AM

Thanks for the reply. I realise that but RRAS will not allow me to open a
range of ports. Anyone know a workaround or script for RRAS to do that?







All times are GMT.