
Using the built-in FTP server and IPFW (firewall) OS X Server
Found out your built-in FTP server isn't running as it did after you activated the firewall, even though you opened up IP ports 20 and 21 too? The built-in FTP server in 10.2, when using passive mode file transfers, opens an IP port which can be any number between 1024 and 65534; the IANA registered ports for passive FTP are 49152 to 65534.

If you don't use an IP firewall (IPFW), you won't notice this, but when the IPFW is switched on (especially on the server version), you find out that the whole FTP server does its work only halfway. You can connect and get the first directory listing, but not any other listing, and starting a file transfer fails. Why? Because in the IPFW we normally add only the two standard FTP ports, 20 (listing) and 21 (active file transfer), to open up holes that allow connections to the FTP server.

In the Server Admin Tools, only these two IP ports are mentioned, and with the tool you can't even set up the needed IP port range. This means that without using the Terminal and configuring the IPFW directly, you can't use the FTP server and IPFW together; it's one or the other, out of the box. After a lot of trial and error, and googling on the net, I found the following solution.

The first thing I found out was that the Mac OS X built-in FTP server is not Apple's own design; it's actually an adapted WU-FTPD source, modified to integrate better with Mac OS X. Second, once you know it's a WU-FTPD version, the user manual (man files) on their website shows an option to lock down the IP port range for passive FTP file transfers with the command passive ports cidr min max, which needs to be added to the /Library -> FTPServer -> Configuration -> ftpaccess config file. The third thing is to open the firewall for the IANA registered ports for passive FTP mentioned above.

This was the short version of what needs to be done to get the FTP server working correctly again. A full version How-To, with all the command line entries, can be found here. I hope this post is of some help to other server admins whose FTP server isn't working correctly.
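As an added example (not part of this hint, nor Apple's or WU-FTPD's own tooling), a small Python checker for the mismatch the hint describes: it reads the passive ports line from an ftpaccess file and an ipfw rule dump, then reports which passive ports no inbound allow rule lets through. The ftpaccess excerpt and ipfw rule lines are constructed samples; rules that pin the client's source port are treated as not covering passive data connections, since the client opens those from an ephemeral port.

```python
import re

# Constructed ftpaccess excerpt (WU-FTPD syntax: passive ports <cidr> <min> <max>).
FTPACCESS = "passive ports 0.0.0.0/0 49152 65534\n"

# Constructed `ipfw list`-style dump: control port, active data port, passive range.
IPFW_RULES = """\
02000 allow tcp from any to any 21 in via en0
02010 allow tcp from any to any 20 in via en0
02020 allow tcp from any to any 49152-65534 in via en0
65535 deny ip from any to any
"""

PASV_RE = re.compile(r"^\s*passive\s+ports\s+\S+\s+(\d+)\s+(\d+)", re.M)
# Inbound tcp allow rules; the optional group captures a pinned source port or range.
RULE_RE = re.compile(
    r"^\s*(?:\d+\s+)?allow\s+tcp\s+from\s+\S+(?:\s+(?P<sport>\d+(?:-\d+)?))?"
    r"\s+to\s+\S+\s+(?P<dport>\d+(?:-\d+)?)\s+in\b", re.M)

def parse_passive_range(ftpaccess_text):
    """(min, max) from the first `passive ports` line, else None (ftpd default applies)."""
    m = PASV_RE.search(ftpaccess_text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_allow_rules(ipfw_text):
    """List of (source_port_spec_or_None, dst_low, dst_high) for inbound tcp allows."""
    rules = []
    for m in RULE_RE.finditer(ipfw_text):
        lo, _, hi = m.group("dport").partition("-")
        rules.append((m.group("sport"), int(lo), int(hi or lo)))
    return rules

def uncovered_ports(pasv, rules):
    """Passive ports no rule admits. A rule that pins the source port never matches a
    passive data connection, which the client opens from an ephemeral port."""
    lo, hi = pasv
    covered = set()
    for sport, dlo, dhi in rules:
        if sport is None:
            covered.update(range(max(dlo, lo), min(dhi, hi) + 1))
    return sorted(set(range(lo, hi + 1)) - covered)

def report(ftpaccess_text, ipfw_text):
    """Verdict for the hint's symptom: control connection works, data connections fail."""
    pasv = parse_passive_range(ftpaccess_text) or (1024, 65534)  # default range per the hint
    missing = uncovered_ports(pasv, parse_allow_rules(ipfw_text))
    if not missing:
        return "ok: passive range %d-%d is allowed through ipfw" % pasv
    return "broken: %d passive ports blocked (e.g. %d)" % (len(missing), missing[0])
```

Run report() against the live ftpaccess file and the output of ipfw list; a "broken" verdict with only ports 20 and 21 allowed is exactly the half-working server described above.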

Using the built-in FTP server and IPFW (firewall)
Authored by: diamondsw on Aug 11, '03 11:50:53AM

Does this apply to server or client? The client FTP server is clearly lukemftpd, and will identify itself as such.

Meanwhile, there are more bugs in passive FTP. I have the port range limited to 10 ports so I can tunnel FTP through SSH. Each time you get a directory listing, transfer a file, etc., it opens a new port. The problem is that lukemftpd doesn't close these ports properly and very quickly uses all of the ports available to it. All further directory listings and transfers fail. The only solution I found was to give up on it and install pure-ftpd, which I can highly recommend.



Using the built-in FTP server and IPFW (firewall)
Authored by: Mr.D on Aug 11, '03 04:34:27PM

It's mainly for the server version, the client version has a different correct IPFW config which lets the whole 1024-65534 pasv port range through.

After having a look at a client version, it does seem that it contains a different FTP server. But looking in man ftp.conf, this version also supports locking down the IP port range for passive FTP file transfers with the command portrange class min max.
So it would seem that this hint could be used on a client version too; the general idea is the same (but I haven't tested it).

The other problems you talk about I haven't come across yet. Couldn't it be that you have some corrupted file which is part of ftpd?



Using the built-in FTP server and IPFW (firewall)
Authored by: peterneillewis on Aug 12, '03 05:24:20AM

Are you sure the FTP server is not closing ports, or is it just the one to four minute TIME_WAIT state that a port goes in to after it is closed before it can be opened again?

See section 2.7 of this FAQ for information on TIME_WAIT:

http://unlser1.unl.csi.cuny.edu/faqs/sock-faq/html/unix-socket-faq-2.html

Enjoy



Using the built-in FTP server and IPFW (firewall)
Authored by: cyberbrent on Aug 12, '03 03:47:38AM

Mr.D

So if I did the above coding to OS X Server 10.2.6, which actually has Netbarrier installed as well to help stop the Code Red and Nimda attacks on the server - it emails me whenever they occur - simple stupid setup, so I like it.

What would I set the ports open to on Netbarrier - I presume 20 & 21 - but what else?

I have not been able to get FTP to work very well and actually gave up, as even when we did get it going FTP would run terribly slowly. I believe your hint may solve my problems.

If you want please feel free to email me at junkfreeATtelus.net

Regards

Brent

---
"You alone define your limitations"



Using the built-in FTP server and IPFW (firewall)
Authored by: dannydv on Aug 12, '03 09:03:45AM

In my search for FTP connectivity to my home (a broadband cable connection from Telenet in Belgium, behind an Apple Airport Basestation) I found this solution:
1. Allow remote log-in on your local machine at home.
2. Activate FTP access on your local machine.
3. Map a port 'xx' to your port 22 on your local machine.
4. Use a Secure FTP client on your remote machine, like Fugu, http://rsug.itd.umich.edu/software/fugu/ ; in this software you specify 'xx' as the port to be used for your remote connection.
Quite easy and secure!



Using the built-in FTP server and IPFW (firewall)
Authored by: ekimsknird on Aug 14, '03 04:52:33PM

How about this: Although I did the steps in this...

http://forums.the-kingdom.net/viewtopic.php?t=92

I happened to notice under regular older 10.2.6 OS X that one has the ability to open ports on the built-in firewall by clicking New under Sharing Prefs-->Firewall and then specifying the ports 49152 to 65534. My system now successfully allows passive FTP, but again, it could be because I did the first steps as well as the latter pref panel option.

Mike



Using the built-in FTP server and IPFW (firewall)
Authored by: molero on Aug 27, '03 10:38:32AM
Should that be:

ipfw add allow tcp from any to any 49152-65534 in via en0

or should it be restricted to the FTP ports only as in:

ipfw add allow tcp from any 20-21 to any 49152-65535 in via en0


