IPFW FTP - can't list directories when firewall on

Hello,

I think it's a known problem, but I still can't resolve it. When I turn off my firewall, FTP works fine, but when I turn it on again I can't list directories.

I'm using these rules for ftp:
Code:
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.

# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

# Check stateful rules. If a packet matches a dynamic rule created by
# "keep-state" it has already passed through the filters and is "OK"
# without further rule matching.
$cmd 00101 check-state

# allow FTP
$cmd 00107 allow tcp from any to any 21 setup keep-state
$cmd 00108 allow tcp from any to any 20 setup keep-state

I have one additional IP where a jail is running.
Code:
 inet 91.121.X.X netmask 0xffffff00 broadcast 91.121.78.255
 inet 79.137.X.X netmask 0xffffffff broadcast 79.137.46.236

79.137.X.X (jail ip) -> pure-ftpd (21)

Can someone help me?
 
Not being able to list directories hints at the data port being blocked. It looks like you opened port 20 (ftp-data), but many FTP servers use passive FTP these days, so basically a specific range of ports above 1024. If that's the case with your FTP server, it would explain this behavior.
 
Hmm. But it's active mode, not passive. For example, under Linux with iptables (active mode, with pure-ftpd and proftpd) it works with only ports 20 and 21 opened, but it's important to load the conntrack module. That's all. Under IPFW do I need to open such a range of ports?
 
The conntrack_ftp module on Linux keeps track of the FTP PORT commands and opens ports dynamically. You can achieve the same using ftp-proxy(8) and PF.

But I would suggest not using FTP at all; not only is it notoriously tricky to firewall, it also uses clear-text authentication. Instead I would suggest using SFTP, which is basically FTP over SSH. This only requires access to port 22, it has much better authentication and it uses encryption. A lot of Windows/macOS FTP clients (like FileZilla) have support for SFTP, so it works just like regular FTP.
 
Try with these rules

Code:
# allow FTP
$cmd 00107 allow tcp from any to any 21 in setup keep-state
$cmd 00108 allow tcp from any 1024-65535 to any 20 in setup keep-state
 
Try with these rules

Code:
# allow FTP
$cmd 00107 allow tcp from any to any 21 in setup keep-state
$cmd 00108 allow tcp from any 1024-65535 to any 20 in setup keep-state

It still doesn't work. It always stops at "list directories" :((
 
For completeness, the rule suggested above is wrong.

Active FTP creates a data channel FROM the server TO the client. The server uses the SOURCE PORT 20/TCP. So the rule suggested above should allow from port 20 (which may not even be needed if the FTP server is trusted to talk to the outside).
To wit: Active FTP is server firewall friendly. All you need is to allow 21/TCP in (if inside->outside is already allowed). However it's client firewall unfriendly.

Conversely, passive FTP creates a data channel TO the server FROM the client; the same direction as the original control channel.
To wit: Passive FTP is client firewall friendly. If inside->outside is already allowed then no further configuration is required. However at the server side you need to allow and possibly NAT both 21/TCP and x/TCP, where x is unknown to the server firewall unless it can inspect the FTP control traffic to glean the port suggested to the client to which to connect. One reasonable fix for this is to limit the ports that the server suggests. In ProFTPD the directive PassivePorts 40000 40001 will allow you to allow and NAT only three ports 21/TCP, 40000/TCP and 40001/TCP. I do this on my FTP server, and even connecting multiple times from the same client, I only see port 40000 being used for data (these circuits are unique because of the client's source port).
 
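The two posts above explain what a Linux FTP helper or ftp-proxy(8) does for you (reading PORT/PASV on the control channel and opening the data connection dynamically) and which direction each FTP mode's data channel takes. The script below is an added example, not code from this thread or from any of the tools mentioned: it parses the PORT, 227 and 229 lines of a constructed FTP session, decides whether a server-side firewall helper should admit the announced data connection (rejecting a PORT that names a third host, a privileged data port, or a passive port outside the configured PassivePorts range), and renders the ipfw rule that connection would need. The rule numbers, the 40000-40001 range and the session lines are this example's own choices.

```python
"""Inspect an FTP control channel the way a stateful FTP helper does, and
derive the server-side ipfw rule each announced data connection needs.
Added example for the thread above; policy choices are this script's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 Entering Extended Passive Mode (|||40001|)   (RFC 2428, EPSV)
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str             # "active" (server dials client) or "passive" (client dials server)
    src: str              # host that opens the data connection
    dst: str              # host that listens for it
    dport: int            # listening port
    sport: Optional[int]  # fixed source port (20 in active mode), else None


def _hostport(text: str) -> Tuple[str, int]:
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def parse_data_channel(line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data connection announced by one control-channel line, or None
    if the line announces none. Parsing only; policy is checked separately."""
    line = line.rstrip("\r\n")
    if line.upper().startswith("PORT "):        # client -> server, active mode
        host, port = _hostport(line)
        return DataChannel("active", src=server_ip, dst=host, dport=port, sport=20)
    if line.startswith("227 "):                 # server -> client, passive mode
        host, port = _hostport(line)
        return DataChannel("passive", src=client_ip, dst=host, dport=port, sport=None)
    if line.startswith("229 "):                 # EPSV reply: the address is implicitly the server
        m = _EPSV.search(line)
        if m is None:
            raise ValueError("malformed 229 reply: %r" % line)
        return DataChannel("passive", src=client_ip, dst=server_ip, dport=int(m.group(1)), sport=None)
    return None


def policy_violation(chan: DataChannel, client_ip: str, server_ip: str,
                     passive_range: Tuple[int, int]) -> Optional[str]:
    """Reason a helper should refuse to open a pinhole, or None if the channel is acceptable.
    These checks are this example's policy, not any particular helper's defaults."""
    if chan.mode == "active" and chan.dst != client_ip:
        # PORT naming a host other than the control-channel peer is the classic FTP bounce.
        return "PORT address %s is not the control-channel peer %s" % (chan.dst, client_ip)
    if chan.mode == "passive" and chan.dst != server_ip:
        return "227 address %s is not the server %s" % (chan.dst, server_ip)
    if chan.dport < 1024:
        return "data port %d is privileged" % chan.dport
    lo, hi = passive_range
    if chan.mode == "passive" and not lo <= chan.dport <= hi:
        return "passive port %d outside PassivePorts %d-%d" % (chan.dport, lo, hi)
    return None


def ipfw_rule(chan: DataChannel, rule_no: int) -> str:
    """The ipfw rule a server-side firewall needs for this one data connection."""
    if chan.mode == "active":
        # The server dials out from source port 20; only the outbound SYN needs a rule.
        return ("ipfw -q add %d allow tcp from %s 20 to %s %d out setup keep-state"
                % (rule_no, chan.src, chan.dst, chan.dport))
    # The client dials the advertised server port; the inbound SYN needs a rule.
    return ("ipfw -q add %d allow tcp from %s to %s %d in setup keep-state"
            % (rule_no, chan.src, chan.dst, chan.dport))


def inspect_session(lines: List[str], client_ip: str, server_ip: str,
                    passive_range: Tuple[int, int] = (40000, 40001),
                    first_rule: int = 1000) -> List[Tuple[str, Optional[str]]]:
    """For every line that announces a data channel, return (ipfw rule, violation or None)."""
    out: List[Tuple[str, Optional[str]]] = []
    for line in lines:
        chan = parse_data_channel(line, client_ip, server_ip)
        if chan is None:
            continue
        out.append((ipfw_rule(chan, first_rule + 10 * len(out)),
                    policy_violation(chan, client_ip, server_ip, passive_range)))
    return out


# Constructed control-channel excerpt (RFC 5737 documentation addresses), not a real capture.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SESSION = [
    "USER anonymous\r\n",
    "PORT 192,0,2,10,4,1\r\n",                              # active: client listens on 1025
    "227 Entering Passive Mode (198,51,100,5,156,64)\r\n",  # passive: server listens on 40000
    "229 Entering Extended Passive Mode (|||40001|)\r\n",   # passive via EPSV: 40001
    "PORT 203,0,113,7,0,80\r\n",                            # bounce attempt: third host, port 80
    "227 Entering Passive Mode (198,51,100,5,195,88)\r\n",  # 50008: outside PassivePorts
]

if __name__ == "__main__":
    for rule, problem in inspect_session(SESSION, CLIENT, SERVER):
        print("REJECT  %s" % problem if problem else "ALLOW   %s" % rule)
```

Run it and the first three lines come back as rules to add (one outbound from port 20, two inbound to the passive range), while the bounce PORT and the out-of-range passive reply are rejected. Limiting PassivePorts on the server, as the post above suggests, is what makes the passive rule static enough to write by hand instead of needing a helper that watches the control channel.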