Linksys WRT54G and passive FTP server (PASV)



I replaced my old Linksys router with a new WRT54G. I wanted one of the
boxes on my LAN to be an FTP server that could also handle PASV
connections. So I tried to set it up the way it was before on my old
router, which is the usual way.

I configured the new router to forward port 21, as well as ports
5000-5999 to the LAN IP address of the box hosting Guild FTP daemon.
The Guild FTP daemon was set up as always to do passive FTP, which means
that I had gone into advanced settings and set the PASV IP address to
be the external address of my WAN, which in this case was the DHCP
address given to me by my cable company. Guild FTP was also set up to
use ports 5000-5999 for PASV.

Well, it turns out that it did not work! I found a post that said that
it can be fixed by using port triggering, which is to say that port 21
was triggered to 5000-5999. That fixed the problem for sure, but that
should not be necessary, and it also BROKE my outbound FTPs from a
different box on my LAN.

So I started thinking about it, and I wondered if the problem wasn't
that maybe, just maybe, Linksys got wise and built this new router to
handle passive FTP without having to do port forwarding on the PASV
ports. Just on port 21.

So I set it up like this, and it works now.

To set up an internal host for PASV and active FTP:
(It seems that the WRT54G version 6 is smart enough to handle passive
FTP now without explicitly setting a port range forward OR trigger for
the PASV ports > 1024)
--------------------------------------------------
1) Set Port Range Forward for port 21 to 21 for internal IP address of
FTP server. TCP protocol.
2) Set IP address in PASV settings of FTP server to Internal (LAN)
address
3) Set port range in PASV settings of FTP server to 5000-5999 (or
whatever you want it to be.)

Note that the Guild FTP daemon advanced options for PASV now has an IP
address of the internal LAN address of the FTP server. IIS does not
have this option, and that was a problem in the past for doing this.
But now that the Linksys does all of this for you, it means that it
(passive FTP server capability) should also work with IIS.

-Bill
