RRAS and Passive FTP.



Hi all,
I want to use RRAS Basic Firewall/NAT for an extra layer of port
blocking and have configured everything except I cannot work out how to
allow for passive FTP. Passive FTP basically requires that a large
range of outgoing ports is open on the IP used for FTP. However, I
cannot find any way to allow all outgoing ports or a port range within RRAS.
Does anyone know how to do this?
Thanks in advance for any input.


Gerry Voras

That's going to be the price you pay for security. Either allow the ports
to be open, or don't use PASV mode.

I personally would switch to SSH/SCP/SFTP for file transfers. Much more
secure in any case.


Thanks for your reply. I do realise that but I can't figure out how to allow
all outgoing ports on a single IP in RRAS Basic Firewall/NAT. Any ideas?


It's incoming ports that have to be opened. The basic firewall setup
is for *all* outgoing ports to be open and no incoming ports open. You
then open any required incoming ports for webservers behind the
firewall or whatever and close others that you don't want to go out.

If you have an ftp client outside trying to get into your ftp server,
it first makes a connection on port 21 and in active mode the server
then makes a connection out on port 20 to the ftp client. So to make
active ftp work all that is normally needed is for the firewall to
allow connections on port 21 and if necessary NAT them to the correct
server. The outbound connection is on port 20 and that goes OK unless
outgoing restrictions have been put in place.

If the client is behind a firewall however, it cannot accept incoming
requests on port 20. This is why passive ftp was developed. The client
end makes the control connection on port 21 as before. During the
connection dialog your server says to the client "connect using port
xxxx" for the data connection. The client then attempts to connect to
your server on port xxxx for the data connection. For this to work you
need to open port 21 and several high order *incoming* ports. Your
firewall device should be set up to allow 21 + high order ports and
should NAT them to the server.
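The PASV dialog described above, worked as an added example that is not from this thread: a small Python check that the data endpoint a server advertises in its 227 reply falls inside the high-order range the firewall forwards, and that it is not the server's LAN address (a common cause of passive transfers stalling behind NAT). The port range, LAN subnet and sample replies are constructed.

```python
import ipaddress
import re

# Constructed values for this example. FORWARDED_PASV_RANGE is the high-order
# inbound port range the firewall NATs to the FTP server; it must match the
# passive range configured on the server. INTERNAL_LAN is the subnet behind
# the NAT; a server that advertises an address in it is unreachable from outside.
FORWARDED_PASV_RANGE = (50000, 50100)
INTERNAL_LAN = ipaddress.ip_network("192.168.1.0/24")

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(line):
    """Return (host, port) from a 227 reply; the data port is p1*256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed 227 PASV reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("field outside 0-255 in PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def check_pasv_reply(line, port_range=FORWARDED_PASV_RANGE, lan=INTERNAL_LAN):
    """Return problem codes for the advertised data endpoint (empty list = OK).

    'port_not_forwarded': the firewall does not NAT this port to the server.
    'private_address': the server gave its LAN address instead of the public one.
    """
    host, port = parse_pasv_reply(line)
    low, high = port_range
    problems = []
    if not low <= port <= high:
        problems.append("port_not_forwarded")
    if ipaddress.ip_address(host) in lan:
        problems.append("private_address")
    return problems

# Constructed sample replies, as a server behind the NAT might send them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,5,195,80)",  # 195*256+80 = 50000, public
    "227 Entering Passive Mode (192,168,1,10,4,1)",    # 4*256+1 = 1025, LAN address
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        host, port = parse_pasv_reply(reply)
        print("%s -> %s:%d %s" % (reply, host, port, check_pasv_reply(reply) or "ok"))
```

Run it against replies captured from your own server's control connection to confirm the advertised range matches the ports you have forwarded.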





Thanks for the reply. I realise that but RRAS will not allow me to open a
range of ports. Anyone know a workaround or script for RRAS to do that?
