Monday, January 11, 2010

Passive FTP on Leopard Server

I ran into some major problems today attempting to set up passive mode FTP services on Leopard Server. I turned on FTP services using Server Admin, and I also went into the software firewall and enabled the provided rule for FTP Passive. I connected to the FTP server using the command line client from Terminal without any issues, but as soon as I attempted a directory listing (ls), my ftp client would hang for about five minutes and finally return the listing.
In passive mode an FTP client connects to the server and issues a PASV command to let the server know it is in passive mode. The server responds with a random port chosen from whatever default port range that particular server uses, and the client then opens a second connection to that port for the data transfer. For passive FTP to work properly, that entire port range must be open in your server firewall.
It seems that Leopard Server's default firewall rule for passive FTP opens only a subset of the ports that the FTP server shipped with Leopard actually uses. The firewall rule opens ports 49152 - 65535, while the FTP server hands out ports from 1023 - 65535, so any data connection assigned a port below 49152 is blocked and the client hangs until it times out. The easy solution to this problem is to create a custom firewall rule and open all ports, but this is not a good idea.
The solution, it turns out, is to edit the FTP configuration file and specify the same range of ports as the Leopard software firewall. Although Server Admin provides some limited configuration options for FTP, it does not allow you to edit the port range. You need to edit the file /Library/FTPServer/configuration/ftpaccess. I added the following line to the top of the file:

passive ports 0.0.0.0/0 49152 65535

I then stopped and started FTP service using Server Admin. This solved my problem and I was able to connect to the FTP service normally.
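The mismatch above is easy to verify before (or after) touching the firewall. The script below is an added example, not code from the post or from Apple's FTP server: it parses "passive ports" directives out of a constructed ftpaccess file, falls back to the 1023 - 65535 default range the post describes when no directive is present, reports any sub-range the 49152 - 65535 firewall rule does not cover, and also decodes a PASV reply (RFC 959's 227 line) so you can tell from a packet capture or client transcript whether a hanging data connection landed outside the firewall's range. The sample file contents and the 227 replies are constructed for this example.

```python
import re

# Ranges taken from the post: the firewall rule opens 49152-65535,
# while the FTP server's default passive range is 1023-65535.
FIREWALL_PASSIVE_RANGE = (49152, 65535)
FTPD_DEFAULT_RANGE = (1023, 65535)

# Constructed sample ftpaccess contents (not the post's actual file).
SAMPLE_FTPACCESS_BEFORE = """\
# constructed sample: no 'passive ports' directive, so the default range applies
# passive ports 0.0.0.0/0 1023 65535   (commented out on purpose)
"""

SAMPLE_FTPACCESS_AFTER = """\
passive ports 0.0.0.0/0 49152 65535
# constructed sample: remaining directives omitted
"""

# "passive ports <cidr> <low> <high>" as used in the post.
PASSIVE_PORTS_RE = re.compile(r'^\s*passive\s+ports\s+(\S+)\s+(\d+)\s+(\d+)\s*$')

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959; port = p1*256 + p2.
PASV_REPLY_RE = re.compile(r'^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


def parse_passive_ranges(ftpaccess_text):
    """Return [(cidr, low, high)] for every 'passive ports' line; comments are skipped."""
    ranges = []
    for line in ftpaccess_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = PASSIVE_PORTS_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if not (1 <= low <= high <= 65535):
                raise ValueError(f"invalid port range in line: {line!r}")
            ranges.append((m.group(1), low, high))
    return ranges


def effective_passive_ranges(ftpaccess_text):
    """Without a directive the server uses its default range (assumed: 1023-65535 for all clients)."""
    ranges = parse_passive_ranges(ftpaccess_text)
    if not ranges:
        return [("0.0.0.0/0", FTPD_DEFAULT_RANGE[0], FTPD_DEFAULT_RANGE[1])]
    return ranges


def ports_not_covered(ftpaccess_text, firewall_range=FIREWALL_PASSIVE_RANGE):
    """Return (cidr, low, high) sub-ranges the server may hand out but the firewall leaves closed."""
    fw_low, fw_high = firewall_range
    gaps = []
    for cidr, low, high in effective_passive_ranges(ftpaccess_text):
        if low < fw_low:
            gaps.append((cidr, low, min(high, fw_low - 1)))
        if high > fw_high:
            gaps.append((cidr, max(low, fw_high + 1), high))
    return gaps


def is_consistent(ftpaccess_text, firewall_range=FIREWALL_PASSIVE_RANGE):
    """True when every port the server can choose is open in the firewall."""
    return not ports_not_covered(ftpaccess_text, firewall_range)


def pasv_port(reply_line):
    """Decode the data port from a 227 reply; returns None if the line is not a PASV reply."""
    m = PASV_REPLY_RE.match(reply_line.strip())
    if not m:
        return None
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255:
        raise ValueError(f"malformed PASV reply: {reply_line!r}")
    return p1 * 256 + p2


def pasv_port_allowed(reply_line, firewall_range=FIREWALL_PASSIVE_RANGE):
    """True when the port announced in a 227 reply falls inside the firewall's passive range."""
    port = pasv_port(reply_line)
    if port is None:
        raise ValueError("not a 227 PASV reply")
    return firewall_range[0] <= port <= firewall_range[1]


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_FTPACCESS_BEFORE), ("after", SAMPLE_FTPACCESS_AFTER)):
        print(label, "gaps:", ports_not_covered(text))
    # Constructed replies: the first port (1025) is below the firewall range and would hang.
    for reply in ("227 Entering Passive Mode (192,168,1,10,4,1)",
                  "227 Entering Passive Mode (192,168,1,10,195,88)"):
        print(pasv_port(reply), "allowed:", pasv_port_allowed(reply))
```

Run it against the real /Library/FTPServer/configuration/ftpaccess (read the file and pass its contents to ports_not_covered) after any change to either the FTP configuration or the firewall rule; an empty gap list means the two ranges agree. Decoding the 227 reply from a client transcript is the quickest way to confirm that a stalled directory listing is the port-range problem rather than something else.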
