Just checked, and they are open :/

 

Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

When drawn, a passive mode FTP connection looks like this:

[Image: passiveftp.gif]

In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

NOTE: This is no longer the case--use the -p option with the Solaris FTP client to enable passive mode!

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.

 

Source

https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5453905

That seems confusing, and I don't know what to do from that
https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5454000

I will try this, however the Pi is in a DMZ

 

  1. I seriously doubt it's *actually* in a DMZ.
  2. Why is it in a "DMZ" inside your home network? That's not necessary.
  3. What does the firewall look like on the Pi? (iptables --list)
  4. What does your FTP server config look like?

--Neil Hanlon

Operations Engineer

https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5454023

  • I seriously doubt it's *actually* in a DMZ.
  • Why is it in a "DMZ" inside your home network? That's not necessary.
  • What does the firewall look like on the Pi? (iptables --list)
  • What does your FTP server config look like?

The DMZ is for Plex to allow remote access.

How can I see my configuration?

https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5454028

I have that talktalk router and ran it for a few days before I chucked it aside. Port forwarding really doesn't work well at all. Dynamic dns is broken and also truncates the last 2 characters of your password. Huawei HG633 right?

 

I suggest buying a HG612 modem and buying an off the shelf consumer router AP combo. That hardware from TalkTalk is broken shit.

Comb it with a brick

https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5454930

 

You're going to need to run iptables as root.

 

sudo iptables --list

 

You really don't need a "DMZ" for plesk...

 

I don't know what FTP server you're running, so I can't tell you where to look for your configuration.

--Neil Hanlon

Operations Engineer

https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5457544

Still not working, have turned off router firewall, and all the ports are open now. What would be the next step? because I still cannot connect via FileZilla

 

That's pretty much everything you could do, next I would look into your router firmware, see if there are port forwarding issues or bugs.

First try updating the firmware.

If that's still not working I would try a completely different router.

https://linustechtips.com/topic/404532-ftp-outside-lan/#findComment-5470060
