opening ports

James Gray james at gray.net.au
Mon Dec 11 02:28:37 UTC 2006


On Monday 11 December 2006 05:48, Bruce wrote:

> 1) How would I open ftp ports after doing an apt-get install proftpd?

Ports aren't really "open" or "closed" - services either listen on a port or 
they don't.  If a service is listening but blocked by a firewall, it is said 
to be closed.  If it's listening and not blocked (i.e. allowed), it's open.  
Having said that, in your case, if proftpd was running and listening on port 
21, then your problems lie either with the firewall you are behind, or the 
router.

FTP is an evil protocol that has many traps.  Specifically when using passive 
mode FTP.  Basically when a client switches to passive mode, the FTP server 
(proftpd) sends a special message telling the client what port and IP to 
reconnect back to.  Here's the problem  - most firewalls have no idea that 
the incoming connection from the client to server (passive mode) on the high 
port is actually part of an existing session, and will block it.

If you have control of the firewall, you need to tell it to allow "related" 
connections.  If your firewall is also using NAT, you will need to load the 
ip_nat_ftp module which looks for the special passive mode packet 
instantiation messages from the ftp server and automatically inserts the new 
IP+port in the state table as being "related".  So as long as you allow 
connections that are in a "related" state, you're sitting pretty.

If you're using ACTIVE ftp, then you should be ok, as long as you open ports 
TCP/20+21 on your firewall between the outside world and your FTP server - 
NAT shouldn't cause any major problems in active mode.

> 2) What is the initial port configuration for Dapper Drake and how do we
> control the opening and closing of ports for various "apt-get"  packages
> and for "home brew" code such as perl networking code development?

You don't need to.  By default, Ubuntu doesn't have any server processes 
listening on any external ports.  As you install, configure, and START new 
servers (like OpenSSH and ProFTP) you should see them listening like this:

netstat -tadln | egrep "^Proto|LISTEN"
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN

This is my workstation in the office - CUPS (:631) and Postfix (:25) are 
listening on the loopback and ssh (:22) is listening on ALL interfaces 
(0.0.0.0 is the "all interfaces" wildcard).  When I did the dump above, there 
was nothing connected to any of the servers, but here is how it looks when 
something is connected:

netstat -tadln
...
tcp       0      0 10.10.10.178:22         10.10.10.183:56476      ESTABLISHED
...

My machine's IP is .178 and my laptop is .183.  So from the above line, you 
can see that 10.10.10.183 connected to 10.10.10.178 on port TCP/22.  The 
source port on 10.10.10.183 is 56476.  Lots of good info from netstat :)

BTW, when you say "sftp" do you mean OpenSSH or FTP over SSL/TLS?  Both are 
relatively slower than unencrypted datastreams but OpenSSH is trivial to 
set up (only need to open TCP/22 on your firewall) whereas FTP over SSL is 
just as complex as unencrypted FTP except it uses TCP/989+990 and also needs 
an SSL certificate etc.

HTH,

James
-- 
* TwingyAFK is shopping for 17" flat panel
* aav sells TwingyAFK a piece of plywood
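The two checks James describes above, as an added example that is not part of the original post and not code from netstat, proftpd or the netfilter ip_nat_ftp helper: a POSIX shell script that (1) reads netstat -tadln style output and separates the listeners bound to the 0.0.0.0 wildcard (reachable from every interface) from the loopback-only ones, and (2) decodes an FTP "227 Entering Passive Mode" reply into the host and port the client will reconnect to, which is exactly the information the ip_nat_ftp helper pulls out of the control channel to mark the data connection as "related". The sample netstat lines are constructed (modelled on the ones in the post, plus a hypothetical proftpd listener on :21), and the 227 reply is constructed too.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed netstat output,
# modelled on the format shown in the post; the :21 line is a hypothetical
# proftpd listener bound to all interfaces.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 10.10.10.178:22         10.10.10.183:56476      ESTABLISHED'

# Read netstat -tadln output on stdin and print one "external PORT" or
# "loopback PORT" line per LISTEN socket.  Column 4 is the local address;
# 0.0.0.0 (or an empty host part, as in the IPv6 form :::22) is the
# all-interfaces wildcard, 127.0.0.1 is loopback only.
listener_report() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); addr = a[1]; port = a[n]
        if (addr == "0.0.0.0" || addr == "" || addr == "::")
            print "external", port
        else if (addr == "127.0.0.1" || addr == "::1")
            print "loopback", port
        else
            print "specific", port
    }'
}

# Only the ports a host on the network could actually reach, sorted numerically.
external_listeners() {
    listener_report | awk '$1 == "external" { print $2 }' | sort -n
}

# Decode an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into
# "h1.h2.h3.h4 PORT" with PORT = p1*256 + p2 (RFC 959).  Returns 1 when the
# line is not a well-formed 227 reply.  This is the parse a stateful firewall
# has to do to know that the client's next connection to that high port
# belongs to the existing FTP session.
pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        /^227 / {
            if (match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/)) {
                s = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parens
                split(s, f, ",")
                for (i = 1; i <= 6; i++) if (f[i] > 255) exit 1
                printf "%s.%s.%s.%s %d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Demo run when executed directly.
printf '%s\n' "$SAMPLE_NETSTAT" | listener_report
echo "externally reachable: $(printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners | tr '\n' ' ')"
pasv_endpoint '227 Entering Passive Mode (10,10,10,178,195,80).'
```

On a live box, replace the constructed sample with `netstat -tadln | listener_report` (or the `ss -tln` equivalent on newer systems); anything reported as "external" is what the firewall in front of the machine actually has to make a decision about, and the decoded 227 endpoint is the high-port connection that has to be allowed as "related" for passive FTP to work.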
