Ipfilter Questions: passive ftp / ipf.conf reload problem

Posts: 168
Joined: Fri Nov 28, 2003 11:12 am
Location: Gothenburg / SWEDEN


Unread postby makkan77 » Thu Mar 31, 2005 1:55 am

I have recently installed ipfilter and now I want to be able to run an ftp server on my machine.

As I noticed, just opening port 21 isn't enough: either I go passive, or I go active FTP and open the necessary ports.
So I googled and found out that passive is perhaps the best way to go, and then I googled some more to find this page:

This page told me how to set up access to my ftp server in ipfilter in either active or passive mode. The following was what I found for passive mode.

Code:

pass in quick proto tcp from any port > 1023 to <server-ip> port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to <server-ip> port 15000 >< 15501 flags S keep state
block in  from any to any
block out from any to any

I understand the first two lines, and edited them accordingly.

Code:

pass in quick on ec0 proto tcp from any port > 1023 to any port = 21 flags S keep state
pass in quick on ec0 proto tcp from any port > 1023 to any port 15000 >< 15501 flags S keep state

But these two lines I don't really know what they do, so I commented them out. I already have an ipf.conf file that I got from joerg (also the one who insisted that I should install ipfilter), and I assume that this file has some general blocking.

Code:

#block in  from any to any
#block out from any to any

My question is: what do they do, and why are they included in the same code as the other two lines?

That was the ftp problem.
Now for my other question: in the ipf.conf file I got as a base there were some pass rules for http and https, but I don't need these, so I commented them out. But when I reload ipf it closes everything for some reason. Not even ssh and ftp are open anymore. Why is it so?

The original code; I commented out the lines with port 80 and 443.

Code:

#Open Connections from the Internet
#We need ssh, http + https
pass in quick on ec0 proto tcp from any to any port = 22 keep state
pass in quick on ec0 proto tcp from any to any port = 80 keep state
pass in quick on ec0 proto tcp from any to any port = 443 keep state
Behold my spermlogo, for it is I: Quick, Ambitious, creative and a tad bit sexually oriented.
[SGI Indigo2 R10K | High Impact | Indigo2 Video for IMPACT with indycam | Irix 6.5.22m]

Posts: 2226
Joined: Thu Jan 08, 2004 6:57 am
Location: In an origin rack - Germany

Unread postby joerg » Sun Apr 03, 2005 9:33 am

FTP is a TCP-based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always on port 20.

In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

Short overview of the two modes:

Code:

 Active FTP :
     command : client >1024 -> server 21
     data    : client >1024 <- server 20

 Passive FTP :
     command : client >1024 -> server 21
     data    : client >1024 -> server >1024
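
Added example (not code from this thread or from IPFilter) that decodes the PASV reply and PORT command tuples joerg describes and checks the resulting passive data port against the two "pass in quick" rules makkan77 quoted from the howto; the sample 227 reply is constructed.

```python
"""Decode FTP PASV/PORT address tuples and check the passive data connection
against the ipf rules quoted above. Added example, not code from this thread or IPFilter."""
import re

CONTROL_PORT = 21
# Quoted rule "port 15000 >< 15501": ipf's >< is exclusive, so the passive
# data ports actually admitted are 15001 through 15500.
PASV_LOW, PASV_HIGH = 15000, 15501
_HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _decode_hostport(text):
    """'h1,h2,h3,h4,p1,p2' (used by PASV replies and PORT commands) -> (host, p1*256+p2)."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(not 0 <= x <= 255 for x in octets):
        raise ValueError("octet out of range in %r" % text)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv_reply(line):
    """Server reply '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, data port P)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode_hostport(line)

def parse_port_command(line):
    """Client command 'PORT h1,h2,h3,h4,p1,p2' (active mode) -> (client host, port N+1)."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return _decode_hostport(line)

def inbound_syn_allowed(dst_port, src_port=40000):
    """First-match ('quick') check of the two quoted 'pass in' rules for a new inbound SYN."""
    if src_port <= 1023:
        return False                         # both rules require 'port > 1023'
    if dst_port == CONTROL_PORT:
        return True                          # 'port = 21'
    return PASV_LOW < dst_port < PASV_HIGH   # 'port 15000 >< 15501'; else 'block in'

def passive_data_allowed(pasv_reply):
    """Would the data connection the client opens after this PASV reply be passed?"""
    _, port = parse_pasv_reply(pasv_reply)
    return inbound_syn_allowed(port)

if __name__ == "__main__":
    # Constructed reply: 58*256+153 = 15001, inside the admitted range
    print(passive_data_allowed("227 Entering Passive Mode (192,168,1,10,58,153)"))
```

If the FTP daemon's configured passive range does not sit inside the range the rule admits, the control connection succeeds but every directory listing or transfer hangs, which is the symptom to look for first.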


Posts: 2933
Joined: Fri May 09, 2003 6:10 am
Location: Maryland, USA

Unread postby squeen » Sun Apr 03, 2005 12:02 pm

Interesting reading. Thanks joerg.

Posts: 136
Joined: Sun May 04, 2003 12:50 pm
Location: Germany, TX

Unread postby friedbits » Sat Aug 13, 2005 9:36 am

As Joerg pointed out, passive ftp is just not a nice protocol to firewall.

It is of course a common problem and so it is outlined in the IPF FAQ:
which is a rather good document, as well as the ipf howto at

I used IPF quite extensively and had some installations at customers, when I was still in the network business, until PF matured on OpenBSD.

One thing I rather like about pf and IPF is the human-readable config file. I get cold shudders just thinking about having to debug one more fugly ipchains or iptables script.

so long
When you know that your time is close at hand, maybe then you’ll begin to understand - life down there is just a strange illusion.
Iron Maiden - Hallowed be thy Name
