specify passive ports for ftp
Hi

I have a problem using Zope passive ftp.
* We have configured our firewall for high security.
* The problem is using passive ftp because one cannot know which ports are being used for communication.
* Opening all high ports on the firewall is not an option.

Is it possible to specify which ports Zope is allowed to use for passive ftp (like you edit 'ftpaccess' for other ftp servers), so that we can reconfigure the firewall for these ports? If not, is there any other way of solving this?...except for modifying ftp source code.

Thanks for all help!

Regards
Arnt-Hugo Nilsen
Arnt-Hugo Nilsen wrote:
> Hi I have a problem using Zope passive ftp.
> * We have configured our firewall for high security.
> * The problem is using passive ftp because one cannot know which ports are being used for communication.
> * Opening all high ports on the firewall is not an option.
>
> Is it possible to specify which ports Zope is allowed to use for passive ftp (like you edit 'ftpaccess' for other ftp servers), so that we can reconfigure the firewall for these ports? If not, is there any other way of solving this?...except for modifying ftp source code.
Actually, I'd be interested in even hearing ways to solve this problem that DO involve modifying the source code... I dug into the FTPServer.py code a while back to try to tackle this very problem and didn't see where the ports were being specified. Unfortunately, other matters became a bit more pressing. I'd be willing to hack up a way to set the passive ftp ports if someone would orient me a bit...

-r
On 7 Feb 2002 at 23:37, ra@burningman.com wrote:
> Actually, I'd be interested in even hearing ways to solve this problem that DO involve modifying the source code... I dug into the FTPServer.py code a while back to try to tackle this very problem and didn't see where the ports were being specified. Unfortunately, other matters became a bit more pressing. I'd be willing to hack up a way to set the passive ftp ports if someone would orient me a bit...
I changed the code in one of my servers to specify the pasv port range. Now I can't remember which instance I changed, or where it was in the code.

It wasn't hard, if that's any help.

You need to change ZServer/medusa/ftp_server.py

class passive_acceptor (asyncore.dispatcher):
    ready = None

    def __init__ (self, control_channel):
        # connect_fun (conn, addr)
        asyncore.dispatcher.__init__ (self)
        self.control_channel = control_channel
        self.create_socket (socket.AF_INET, socket.SOCK_STREAM)
        # bind to an address on the interface that the
        # control connection is coming from.
        self.bind ((
            self.control_channel.getsockname()[0],
            0
            ))
        self.addr = self.getsockname()
        self.listen (1)

As I recall, I put a range loop to try the self.bind over a range of non-privileged ports. I use a range in case a port is in use.

Brad Clements, bkc@murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
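The range loop described in the message above, sketched as an added example (not code from this thread, Zope or medusa). It uses a plain socket instead of asyncore, and the function name and the 50000-50019 range are assumptions; the range has to match whatever ports the firewall opens for passive data connections.

```python
import errno
import socket

# Assumed range for illustration; it must match the ports opened on the firewall.
PASV_PORT_MIN = 50000
PASV_PORT_MAX = 50019


def bind_passive_listener(host, port_min=PASV_PORT_MIN, port_max=PASV_PORT_MAX):
    """Return a listening TCP socket bound to the first free port in the range.

    host should be the local address of the control connection, as in
    passive_acceptor, so the data port is only exposed on that interface.
    """
    if not (1024 <= port_min <= port_max <= 65535):
        raise ValueError("passive range must lie within 1024-65535")
    for port in range(port_min, port_max + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # SO_REUSEADDR is deliberately not set: a port that another
            # socket holds must fail here so the loop moves on.
            sock.bind((host, port))
            sock.listen(1)
            return sock
        except OSError as exc:
            sock.close()
            # Only "port taken" errors mean "try the next port".
            if exc.errno not in (errno.EADDRINUSE, errno.EACCES):
                raise
    raise OSError(errno.EADDRINUSE,
                  "no free passive port in %d-%d" % (port_min, port_max))


if __name__ == "__main__":
    listener = bind_passive_listener("127.0.0.1")
    print("PASV data port:", listener.getsockname()[1])
    listener.close()
```

The size of the range caps how many passive data connections can be pending at once, so it should be sized for the expected number of concurrent transfers rather than kept at a single port.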
Brad Clements wrote:
> On 7 Feb 2002 at 23:37, ra@burningman.com wrote:
> > Actually, I'd be interested in even hearing ways to solve this problem that DO involve modifying the source code... I dug into the FTPServer.py code a while back to try to tackle this very problem and didn't see where the ports were being specified. Unfortunately, other matters became a bit more pressing. I'd be willing to hack up a way to set the passive ftp ports if someone would orient me a bit...
>
> I changed the code in one of my servers to specify the pasv port range. Now I can't remember which instance I changed, or where it was in the code.
>
> It wasn't hard, if that's any help.
>
> You need to change ZServer/medusa/ftp_server.py
>
> class passive_acceptor (asyncore.dispatcher):
>     ready = None
>
>     def __init__ (self, control_channel):
>         # connect_fun (conn, addr)
>         asyncore.dispatcher.__init__ (self)
>         self.control_channel = control_channel
>         self.create_socket (socket.AF_INET, socket.SOCK_STREAM)
>         # bind to an address on the interface that the
>         # control connection is coming from.
>         self.bind ((
>             self.control_channel.getsockname()[0],
>             0
>             ))
>         self.addr = self.getsockname()
>         self.listen (1)
>
> As I recall, I put a range loop to try the self.bind over a range of non-privileged ports. I use a range in case a port is in use.
Awesome, thanks! I'll dig in over the next few days and will post a brief note to the list after I've got it working. Anyone interested in the patch (against 2.4.2, which I'm currently running) can contact me off-list at that point.

-r
participants (3)
- Arnt-Hugo Nilsen
- Brad Clements
- ra@burningman.com