Spidy has asked for the wisdom of the Perl Monks concerning the following question:

I've built myself a script to handle all of my FTP functions, and I'm using the Net::FTP module to handle it all. I've got $ftp = Net::FTP->new("$domain")) to connect to a user-provided domain, but the script always freezes up while storing the file that it's uploaded. It will also drop the size of the file that it's supposed to be overwriting to 0 bytes, before completely stopping. Eventually it times out, and I'm left to go find an FTP client to use. Does anyone know which port I would have to allow things to pass through under my network options that would let this work? I've tried 20 and 21, they both did nothing. Turning the firewall completely off DID work, but I'd rather have SOME security.
My Website

Replies are listed 'Best First'.
Re: Mac FTP/Firewall security question...
by atcroft (Abbot) on Sep 15, 2005 at 00:02 UTC

    Would the FTP connection in passive mode work better? FTP has always seemed to me to be a little odd, and seemed a little touchy sometimes with firewalls that don't look at related connections. (I am not sure about the Mac firewall, but I do recall that iptables has a module specifically for FTP.) Don't know that that is much help, but hope it does, and good luck.

[reply]
      I'm already doing it in passive transfer mode, but that hasn't changed anything either. Thanks for the tip, though.
      My Website
[reply]
        This is a pretty random guess, but the last time I had scripted FTP going through a firewall, I had to set it to use passive FTP, with a timeout of zero seconds. Somehow that fixed the problem.

        ($_='kkvvttuu bbooppuuiiffss qqffssmm iibbddllffss')
        =~y~b-v~a-z~s; print
[reply]
More on FTP Connections and Firewalls
by ikegami (Patriarch) on Sep 15, 2005 at 01:43 UTC

    Before we get started, you may want to refer to FTP Connections and Firewalls, a node I wrote a while ago, for details on active and passive mode.

     

    There are four scenarios:

    1) Neither end is behind a firewall.

    2) If the client end is firewalled,
    you need to use passive mode, and
    the firewall must allow outgoing connections to and from random ports.

    3) If the server end is firewalled,
    you need to use active mode,
    the firewall must allow incoming connections to port 21 from random ports, and
    the firewall must allow outgoing connections to and from random ports.

    4) If both ends are behind firewalls, you screwed.

    Alternatively, all of the above can potentially be solved by running a FTP proxy on the firewall may be an alternate solution. I'm not very familiar with their workings, but I could take an educated guess if you desire.

     

    There's two reasons for the above.

    1) FTP servers/clients usually use a random (i.e. system provided) port for the server end of the data connection (i.e. client for active, server for passive), which is a big no-no for firewalls.

    2) FTP sends an IP address in the data stream, which is a big no-no for NAT. [*]

    They both prevent a sever behind the NAT router from using passive mode, and they both prevent a client behind a NAT router from using active mode.

    [*]
    Some NAT routers compensate for this in part or in whole. For example, the Linksys BEFSR41 (4 port wired NAT "router" switch) fixes active mode when communicating with outside servers on port 21.
[reply]
Re: Mac FTP/Firewall security question...
by Nkuvu (Priest) on Sep 15, 2005 at 00:15 UTC
    How are you controlling the firewall? The System Preferences object is just a front end to ipfw, so to get really fine-grained control of the firewall I've found it's easier just to use the command line. But when you're using the command line, the System Preferences pane will complain that you're using "other firewall software," so it seems you'll have to choose fine-grained control or a GUI control.

    The standard ports for FTP are both 20 and 21 (one for data, one for commands). You can see a list of the standard port numbers and protocols in the file /etc/services (which is a duplicate of this online file).

    In regards to the Perl script, what functions does it handle? Are you just uploading/downloading, or are you attempting to handle incoming FTP requests as well?

[reply]
[reply]
Re: Mac FTP/Firewall security question...
by zentara (Cardinal) on Sep 15, 2005 at 11:15 UTC
    I'm using linux, and my firewall script needs to specify how to use the "high-ports" when using active ftp. This is part of the configuration file from the SuSE-firewall2 scripts. You need to figure out how to make your firewall handle incoming high ports, for established ftp connections. 
    # 11.)
# How is access allowed to high (unpriviliged [above 1023]) ports?
# 
# You may either allow everyone from anyport access to your highports 
+("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnu
+mber or
# known portname) [note that this is easy to circumvent!], or just you
+r
# defined nameservers ("DNS").
# Note that if you want to use normal (active) ftp, you have to set th
+e TCP
# option to ftp-data. If you use passive ftp, you don't need that.
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as ro
+ot
# from a firewall using this script (well, you can if you include rang
+e
# 600:1023 in FW_SERVICES_EXT_UDP ...).
#     
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults t
+o "no"
#         if not set
#   
# Common: "ftp-data", better is "yes" to be sure that everything else 
+works :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

    [download]
    ##############################################

    and the firewall control bash script uses the above with

    ############################################# 

    for j in $FW_ALLOW_INCOMING_HIGHPORTS_TCP; do
        case "$j" in
            no) ;;
            yes)
                for CHAIN in input_int input_dmz input_ext; do
                    $LAC $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT -p t
+cp --dport 1024:65535 --syn
                    $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT -p t
+cp --dport 1024:65535
                    $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state 
+NEW,ESTABLISHED,RELATED -p
                done
                DONE_ALL=yes

    [download]
    I'm not really a human, but I play one on earth. flash japh
[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom