PASV Port Forwarding

    #28076
    otsoroke
    Participant

    Grant… Or someone else who can point me in the right direction:

    During the weekend past, I had forwarded the ports 1025 – 3500 on my router to the server in which my FTP (Cerberus) resides.

    In doing so, this morning our staff arrived at the office and quickly alerted me to the fact that all systems on our internal network had lost internet connectivity. It was very odd that all of the servers were available to the public from the outside, yet no-one from the inside could get out. In any way.

    After considering the steps I had taken to migrate my FTP server to Cerberus over the weekend, I realized that the PASV port range in which I had forwarded had been the cause of the problem. These ports were in conflict with the ports necessary for many Microsoft system services, as well as commonly known applications, in my case MS SQL 2000.

    My question is this. Given that these ports are conflicting, is it possible to set the PASV Port Range in the Advanced Server Configuration to accept PASV data connections on ports which may not commonly be allocated to known applications (ex. 20000+) and subsequently forward these ports on our firewall / router to the FTP server address? If this is the case, how many ports (range of ports) should exist to ensure that all connections to the FTP server can use the PASV transfer option?

    I have noticed in using this server with no PASV ports forwarded, that when transferring multiple files (more than 50) through a GUI, that the connection stalls after 15 – 20 files. I was able to correct this problem by forwarding the PASV ports, but unfortunately took my entire internal network’s internet connectivity down in the process.

    I hope you can offer some suggestions.

    Best Regards,

    Owen (otsoroke)

    #31351
    Anonymous
    Participant

    Hello,

    There should be no problem selecting higher port to use for PASV transfers. Depending upon file transfer frequency, I would recommend around 500 -1000 ports. Go higher if people are having connection issues.

    #31352
    otsoroke
    Participant

    What port range could be reserved that likely won't conflict with other applications?

    otsoroke

    #31353
    otsoroke
    Participant

    I checked for port assignments, and found a resource at ftp://ftp.iana.org/assignments/port-numbers.

    This document shows current port assignments. However, it does not make any reference to reserved port assignments for PASV FTP connections.

    Judging… I would say that the port assignments should be configured in the Private / Dynamic port range 49152 through 65535.

    Can anyone offer me suggestions?


    PORT NUMBERS
    (last updated 2004-03-25)

    The port numbers are divided into three ranges: the Well Known Ports,
    the Registered Ports, and the Dynamic and/or Private Ports.

    The Well Known Ports are those from 0 through 1023.
    The Registered Ports are those from 1024 through 49151
    The Dynamic and/or Private Ports are those from 49152 through 65535


    #31354
    Anonymous
    Participant

    bounce…

    #31355
    otsoroke
    Participant

    bounce…

    #31356
    imported_Serin
    Participant

    Hello,

    The ports you suggested earlier (49152 through 65535) should be fine. Actually, I’m usually ok with anything over 2000.

    #31357
    Twowheeler53
    Participant

    Ok… I’m going to ask a silly question. How do you forward ports to the server?

    #31358
    otsoroke
    Participant

    In your router configuration Twowheeler…

    No question is a silly question.

    Regards,

    Owen (otsoroke)

    #31359
    Anonymous
    Participant

    hi,

    quick green question.. have a linksys router setup with zone alarm PFW

    for PASV connections, does it suffice for me to just forward 1024 – 3500 on the router config and open those same ports in the firewall?

    for the router, i assume i can forward the range of ports to the destination pc’s ip?

    also, is there anyway to authenticate the users (aside from a logon verification) before opening the ports.. i.e. lockdown all ports except 21 until user authenticates, then open ports 1024-3500.

    thanks a million,

    s
