Full Version: Entering Passive Mode Dont Work On Router
A mate of mine is behind a router and sometimes he can't enter passive mode on an FTP. If he doesn't use the router, the problem is gone.
What ports need to be forwarded to enter PASV mode successfully?
two random unprivileged ports locally (N > 1024 and N+1)
Umm yeah. I have no idea what dissolutions said, but I am really hung over and coming down from some other drugs(WEED).
Basically in passive mode you are listening on a port waiting for the ftp server to connect to you. If you know anything about routers you know that they function around a technology called a NAT. This means that you *can't* listen on a port. What it does is take one IP address, and allow multiple NICs to be on that one IP address. One reason why this became popular was because of the IPv4 shortage. It accomplishes this by allowing outgoing communication then piping the corresponding incoming communication to that NIC. Basically what he needs to do is connect to his router. Tell him to go to 192.168.1.1 or 192.168.0.1 (192.168.100.1 is my cable modem, it might be yours too! try doing a ping sweep to find it.) Anyway, it probably has a default password so RTFM! Then look for something called Application port or something, different routers have different names for it. What it does is pipe the first SYN to all the NICs on the network and if someone responds with a SYN/ACK then a tunnel is made. If you can't find that then look for Port Forwarding, that automatically forwards all traffic on that port to the network IP address you specify. That might get annoying if your local IP address changes, it will vary between routers. Some routers are really good at not doing that, they remember your MAC address and give you the same IP address every time you send out an ARP broadcast. Finally, you can set your computer as DMZ host. Not only would you have to change this if your IP address changes but it leaves you open to the big bad Internet. Routers have stopped hundreds of thousands of hacks. I mean shit if someone is going to hack you and sees that you don't have any ports open what is he supposed to do? (there are other ways but still). Routers are great at stopping port based worms. They can't spread when they can't find a vulnerable open port.
True, routers do stop you from getting any proof that an attack took place, but 99.9% of the public doesn't know how to report a hacker anyway. peace
Nice explanation about routers FireAlwaysWorks but I'm still interested about "which ports need to be forwarded to the FTP server for the passive mode"....
secondly, the modem doesn't have a private IP here... I'm interested about PASV mode behind the router because currently, the only solution I have is to block it.. (in serv-u) tekhead
serv-u uses random passive ports
however, you can set the option to limit the pasv port range (Local Server/Settings/Advanced and then PASV Port Range) and then open this range in his router. don't know if it'll work...
I just usually go into flashfxp and tick the box NAT and I get in
so, we choose a range of pasv ports, set them up in serv-u and configure the router to forward this range to the box?
- which "zone" of port range should we privilege? - how big? (100 ports, 500 ports?) btw, in serv-u 4.1 the only option about pasv mode talks of "IP address" and not ports range... take a look at the screenshot tekhead
I'm using vsftp (linux) behind a firewall. when the server is entering passive mode, I only port forward a single high port which is 2024. and it works perfectly. it didn't work on IIS 5.0 (it goes like from 1025 or something to higher and higher), but I heard in IIS 6.0 you can configure the range of high ports for passive mode. don't know about a serv-u. hope this helps
so only 1 port above the 1025 is enough?
I use 50000 - 50100 on a Bftp server, works like a champ. That's all I can suggest, but I'd say you want at least 100 ports allocated to it. not sure why but that's what I was told. the kid who told me is sadly no longer with us.