opening ports
James Gray
james at gray.net.au
Mon Dec 11 02:28:37 UTC 2006
On Monday 11 December 2006 05:48, Bruce wrote:
> 1) How would I open ftp ports after doing an apt-get install proftpd?
Ports aren't really "open" or "closed" - services either listen on a port or
they don't. If a service is listening but blocked by a firewall, it is said
to be closed. If it's listening and not blocked (i.e. allowed), it's open.
Having said that, in your case, if proftpd was running and listening on port
21, then your problems lie either with the firewall you are behind, or the
router.
FTP is an evil protocol that has many traps, specifically when using passive
mode FTP. Basically when a client switches to passive mode, the FTP server
(proftpd) sends a special message telling the client what port and IP to
reconnect back to. Here's the problem - most firewalls have no idea that
the incoming connection from the client to server (passive mode) on the high
port is actually part of an existing session, and will block it.
If you have control of the firewall, you need to tell it to allow "related"
connections. If your firewall is also using NAT, you will need to load the
ip_nat_ftp module which looks for the special passive mode packet
instantiation messages from the ftp server and automatically inserts the new
IP+port in the state table as being "related". So as long as you allow
connections that are in a "related" state, you're sitting pretty.
If you're using ACTIVE ftp, then you should be ok, as long as you open ports
TCP/20+21 on your firewall between the outside world and your FTP server -
NAT shouldn't cause any major problems in active mode.
> 2) What is the initial port configuration for Dapper Drake and how do we
> control the opening and closing of ports for various "apt-get" packages
> and for "home brew" code such as perl networking code development?
You don't need to. By default, Ubuntu doesn't have any server processes
listening on any external ports. As you install, configure, and START new
servers (like OpenSSH and ProFTP) you should see them listening like this:
netstat -tadln | egrep "^Proto|LISTEN"
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
This is my workstation in the office - CUPS (:631) and Postfix (:25) are
listening on the loopback and ssh (:22) is listening on ALL interfaces
(0.0.0.0 is the "all interfaces" wildcard). When I did the dump above, there
was nothing connected to any of the servers, but here is how it looks when
something is connected:
netstat -tadln
...
tcp 0 0 10.10.10.178:22 10.10.10.183:56476 ESTABLISHED
...
My machine's IP is .178 and my laptop is .183. So from the above line, you
can see that 10.10.10.183 connected to 10.10.10.178 on port TCP/22. The
source port on 10.10.10.183 is 56476. Lots of good info from netstat :)
BTW, when you say "sftp" do you mean OpenSSH or FTP over SSL/TLS? Both are
relatively slower than unencrypted datastreams but OpenSSH is trivial to
set up (only need to open TCP/22 on your firewall) whereas FTP over SSL is
just as complex as un-encrypted FTP except it uses TCP/989+990 and also needs
an SSL certificate etc.
HTH,
James
--
* TwingyAFK is shopping for 17" flat panel
* aav sells TwingyAFK a piece of plywood
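Two points in the reply above lend themselves to a small worked example: the passive-mode message the server sends (the "special message" that an FTP NAT helper has to read before it can mark the data connection as related), and reading netstat's LISTEN/ESTABLISHED lines to see which services are reachable from other hosts. The following Python is an added example, not code from the original post or from proftpd; the 227 reply and the netstat lines are constructed samples modelled on the ones in the message, and the port numbers in them are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample: the reply an FTP server sends after the client issues
# PASV. The six numbers are the server's IP (four octets) followed by the
# data port split into a high byte and a low byte (port = p1*256 + p2).
PASV_REPLY = "227 Entering Passive Mode (10,10,10,178,195,89)"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) advertised in a 227 passive-mode reply.

    This is the information a stateful firewall's FTP helper extracts so it
    can add the upcoming client->server data connection to its state table
    as "related" to the control session on port 21.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet or port byte out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_matches_control_peer(reply: str, control_peer_ip: str) -> bool:
    """Sanity check a client can apply: the data connection should go to the
    same host the control connection is already talking to. A server behind
    NAT that advertises its private address fails this check, which is the
    classic passive-mode breakage described above."""
    ip, _ = parse_pasv(reply)
    return ip == control_peer_ip


# Constructed sample in the format of `netstat -tadln` (as in the message).
NETSTAT_SAMPLE = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.178:22 10.10.10.183:56476 ESTABLISHED
"""


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str


def parse_netstat(text: str) -> list[Socket]:
    """Parse the tcp/udp rows of netstat output; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        local_ip, local_port = fields[3].rsplit(":", 1)
        state = fields[5] if len(fields) > 5 else ""  # udp rows carry no state
        rows.append(Socket(fields[0], local_ip, int(local_port), fields[4], state))
    return rows


def exposed_listeners(rows: list[Socket]) -> list[tuple[str, str, int]]:
    """LISTEN sockets bound to something other than loopback: these are the
    services other hosts can reach unless a firewall in front blocks them.
    0.0.0.0 and :: are the "all interfaces" wildcards."""
    return [
        (s.proto, s.local_ip, s.local_port)
        for s in rows
        if s.state == "LISTEN"
        and not s.local_ip.startswith("127.")
        and s.local_ip != "::1"
    ]


def established_peers(rows: list[Socket]) -> list[tuple[str, int]]:
    """(remote ip:port, local port) for each live connection, e.g. who is on ssh."""
    return [(s.remote, s.local_port) for s in rows if s.state == "ESTABLISHED"]


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))
    print(pasv_matches_control_peer(PASV_REPLY, "10.10.10.178"))
    sockets = parse_netstat(NETSTAT_SAMPLE)
    print(exposed_listeners(sockets))
    print(established_peers(sockets))
```

Run as-is it reports the advertised passive address and port, flags that only ssh on 0.0.0.0:22 is reachable from outside in the sample (CUPS and Postfix are loopback-only), and lists the one established ssh session. Feeding it the real output of `netstat -tadln` on a host gives a quick exposure review of what was installed and started, which is the check the reply recommends.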