The macosxhints Forums > OS X Help Requests > Networking

#1  06-22-2006, 05:43 PM  WildWest (Prospect, Join Date: Jun 2003, Location: Milwaukee, WI, Posts: 21)
How do I open up a port??

Hey guys,

How do I open up a port in Panther?

Here's the situation:

I have 1 static IP address, and 2 machines that each have their own ftp server. Is there any way for me to configure my router (WGR614v6) to route incoming requests to the correct machine?

Right now in the router, I have Port Forwarding configured to forward all Port 21 and Port 80 requests to machine A, that works like a breeze.

But what can I do about machine B? I tried setting up other ports (port 1024, port 25, port 23) and it never worked.

I think this is because the ports are never really open on the mac. I used Network Utility to scan the ports and it says only 21 and 80 are open. This is because I checked the FTP and Web Sharing in the "Services" tab of the Sharing pane.

OS X Software firewall is OFF. But I did try to turn it on and create a new port. I then turned on the firewall and checked the new port. It didn't work. When I scanned again the port was not open.

Is there some way in the terminal to open a port that I need open?

I am using "ftp-config" from http://www.gritsch-soft.com/ on Mac OS X 10.3 for my server.

Even if I do manage to get another port working, is there any way for me to work this out so that my customers do not have to include the port number in the url address or the ftp app?

Thanks for any help!

-john

#2  06-22-2006, 06:35 PM  hayne (Moderator, Join Date: Jan 2002, Location: Montreal, Posts: 29,279)
With any normal consumer-grade router, you can only configure the router to pass packets to one specific machine according to the incoming port number.
So if you have two machines that you want to have available as FTP servers, one of those machines is going to have to be configured to use a different (non-standard) port for FTP.
Yes - this means that your users will need to configure their FTP clients (if possible) to use a different port.
This is a necessity - think about it a bit. How is the router supposed to tell which machine it should send an FTP request to? All outside users use the same IP address to get to your machines - the external IP address of your router. So the only distinguishing thing is the port number that the request comes in on.

You don't seem to have configured the FTP server on your OS X machine to use a different port. This isn't easy but I think if you search the main macosxhints site for FTP or SSH (similar issues there), you will find explanations of how to do it.
__________________
hayne.net/macosx.html

#3  06-22-2006, 06:45 PM  trevor (Moderator, Join Date: Jun 2003, Location: Boulder, CO USA, Posts: 16,715)
First of all, you should think very very carefully about why you need ftp. Ftp is very insecure in multiple ways, including the obvious one that it sends usernames and passwords in cleartext across the network--probably the internet depending on where you have people logging in from. You would be much wiser, if you need to transfer files in a manner similar to ftp to instead use sftp--secure ftp. This has a much easier setup--it only uses a single port unlike the confusing mess of port configurations that is ftp, it sends everything encrypted across the internet, including usernames and passwords, and it is well-hardened from crackers as part of OpenSSH. It's also already included in OS X, and trivially easy to turn on.

Second, are you sure you need two of these servers? If you really do, then you will need to set the sftp server of the second computer to listen on a different port, for example 2200, instead of the standard 22. This can be done by editing /etc/sshd_config in a Unix editor and changing
#Port 22
to remove the hash mark and put in the new port you want it to listen on, so for example
Port 2200

Then you need to make sure port 2200 on your router is forwarded to the machine B that is listening on port 2200.

By the way, you also very much need to
1. Turn on your computer firewalls,
2. Make sure your password is very long, contains a mix of upper and lower case letters as well as numbers, and would never ever be found in any dictionary, even new cracking dictionaries that make 'standard' substitutions of numbers for letters (like 3 replacing E).
3. Make sure your username is not a common name (like john).
4. And finally, you should turn off ftp and web sharing and other insecure services, unless you absolutely positively need them, and are aware of the dangers of using them.

Trevor
__________________
Eight steps to Internet unpopularity - Chris Breen.
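The sshd_config edit described in the post above, as an added example that is not from the thread or from OpenSSH: a small Python routine that rewrites the Port directive whether the file still has the commented default, an explicit value, or no Port line at all. The path /etc/sshd_config and the port 2200 come from the post; the sample config excerpt and the ".bak" backup suffix are constructed.

```python
import re
import shutil

# Constructed excerpt of an /etc/sshd_config as shipped, with the Port
# directive still commented out, so the OpenSSH default of 22 applies.
SAMPLE_SSHD_CONFIG = """# This is the sshd server system-wide configuration file.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
PermitRootLogin no
"""

# Matches a Port directive whether active ("Port 22") or commented out ("#Port 22").
PORT_LINE = re.compile(r"^\s*#?\s*Port\s+\d+\s*$")


def set_sshd_port(config_text: str, port: int) -> str:
    """Return config_text with exactly one active 'Port <port>' directive.

    Extra Port lines are dropped: OpenSSH listens on every Port directive
    present, and the second machine should answer on the new port only.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    out, replaced = [], False
    for line in config_text.splitlines():
        if PORT_LINE.match(line):
            if not replaced:               # first Port line becomes the new directive
                out.append(f"Port {port}")
                replaced = True
            continue                       # later Port lines are discarded
        out.append(line)
    if not replaced:                       # no Port line at all: add one at the top
        out.insert(0, f"Port {port}")
    return "\n".join(out) + "\n"


def listening_port(config_text: str) -> int:
    """Port sshd would bind for this config: the active Port directive, else 22."""
    m = re.search(r"^\s*Port\s+(\d+)\s*$", config_text, re.MULTILINE)
    return int(m.group(1)) if m else 22


def apply_to_file(path: str, port: int, backup_suffix: str = ".bak") -> int:
    """Rewrite the config at `path` in place, keeping a backup copy; returns the new port."""
    shutil.copyfile(path, path + backup_suffix)   # e.g. /etc/sshd_config.bak (needs root for /etc)
    with open(path, encoding="utf-8") as fh:
        updated = set_sshd_port(fh.read(), port)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return listening_port(updated)
```

sshd has to be restarted before the new port is bound, and the router's forwarding entry for that port has to point at the same machine; `listening_port` lets you confirm the file says what you expect before doing either.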

#4  06-23-2006, 09:35 AM  WildWest (Prospect, Join Date: Jun 2003, Location: Milwaukee, WI, Posts: 21)
Thanks guys for your responses.

Damn. So the transparency that I want is *probably* possible, but just not with the router that I currently have.

However I haven't really been able to try it yet since I can't get an answer on how to open a port. I'll try searching the main site or the forums for that.

I actually do need 2 ftp servers, so I'm going to have to get this to work in some fashion. I'm just trying to cut down on the extra work that the clients have to do to get to the machine.

Right now, I can tell the router to direct the traffic to a certain point, but I actually need that port to be open on my second computer. Apparently my expectations must change a little here.

Thanks again for the info.

#5  06-23-2006, 11:47 AM  bored28 (Major Leaguer, Join Date: Apr 2006, Location: Boulder, CO, Posts: 355)
Quote:
Originally Posted by WildWest
Thanks guys for your responses.

Damn. So the transparency that I want is *probably* possible, but just not with the router that I currently have.

I think he was responding to hayne's suggestions whereas in order to accommodate the use of two ftp servers behind a router, one of the ftp servers would have to use a different port for ftp services. So yes, it is possible, but arduously tedious and pointless since most people use certain ftp ports for their services and thus would require an extraordinary amount of reconfiguration to both the router and the server. I think that's where he got confused.

#6  06-23-2006, 10:46 AM  trevor (Moderator, Join Date: Jun 2003, Location: Boulder, CO USA, Posts: 16,715)
Quote:
Damn. So the transparency that I want is *probably* possible, but just not with the router that I currently have.

No, it isn't. How would you address the specific server you wanted from outside the network, unless you address them on different ports?

Quote:
However I haven't really been able to try it yet since I can't get an answer on how to open a port. I'll try searching the main site or the forums for that.

I told you how to set sftp to listen on another port already. Please see my post above.

If you don't have a firewall on, then there's nothing to do to 'open' a port on your computer. If you have a service listening on that port, and you don't have a firewall, then it's open. If you DO decide to turn on your firewall (which I would strongly recommend), then you go to your firewall's configuration page to open the port.

Quote:
I actually do need 2 ftp servers

Why do they need to be ftp servers, and not sftp servers?

Trevor
__________________
Eight steps to Internet unpopularity - Chris Breen.

#7  06-23-2006, 11:40 AM  WildWest (Prospect, Join Date: Jun 2003, Location: Milwaukee, WI, Posts: 21)
Quote:
Originally Posted by trevor
No, it isn't. How would you address the specific server you wanted from outside the network, unless you address them on different ports?

Jiminy Crickets. Why? There isn't some way to say that "www.example1.com" requests go *here* and "www.example2.com" requests go *here*. Is that really that difficult? Apparently so. But why? Sheesh.

Quote:
I told you how to set sftp to listen on another port already. Please see my post above.

My bad. I'll take that advice.

Quote:
If you don't have a firewall on, then there's nothing to do to 'open' a port on your computer. If you have a service listening on that port, and you don't have a firewall, then it's open. If you DO decide to turn on your firewall (which I would strongly recommend), then you go to your firewall's configuration page to open the port.

Ok, I see now.

Quote:
Why do they need to be ftp servers, and not sftp servers?

This actually makes more sense. The client wanted their own box for security reasons as it is. Of course I should be looking to make the servers sftp. Thanks.

Last edited by WildWest; 06-23-2006 at 12:58 PM.

#8  06-23-2006, 12:43 PM  hayne (Moderator, Join Date: Jan 2002, Location: Montreal, Posts: 29,279)
Quote:
Originally Posted by WildWest
Why? There isn't some way to say that "www.example1.com" requests go *here* and "www.example2.com" requests go *here*. Is that really that difficult? Apparently so. But why? Sheesh.

Now to answer your question:
When one of your users (at some external computer) uses something like "www.example1.com", the program that they are using (e.g. a web browser or an FTP client program) asks their DNS servers (the ones that their computer has been configured to use) to translate that hostname into a numerical IP address. If you have ownership of the domain "example1.com" then presumably the IP address that it would be resolved to would be the external IP address of your router.
A similar thing would happen with requests addressed to "www.example2.com". If both of these hostnames translated (via DNS) to the same IP address (that of your router), then it is up to your router to be able to determine somehow which request is to be routed to computerA and which is to be routed to computerB. Most routers cannot make this sort of distinction since they only work on IP address and port number. The information about the hostname (example1 vs example2) might be embedded in the packets being sent - but not in the part that is normally looked at by the router. And whether it was embedded in the packet at all would depend on the protocol being used.

What you could do is have all requests sent to one of your machines and then have a program on that machine look inside the packets and determine which machine is best suited to handle that request. But I'm not sure that such a program exists in the case of FTP. Maybe there are sophisticated FTP servers that can do this sort of proxying - sending on certain requests to some other FTP server. I don't know if this is a feature that exists on FTP servers.

In the case of HTTP (web) servers, you can set up "virtual domains" and "proxies" - where all requests get sent to the one web server on one machine and then that web server looks at the hostname that is embedded in the HTTP section of the packet and determines to forward it to some other machine. Note again that this is possible because the web server looks in more detail at the contents of the packet than is done by most routers.
__________________
hayne.net/macosx.html

Last edited by hayne; 06-23-2006 at 01:08 PM.
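The distinction hayne draws above, between the headers a router decides on and the hostname buried in the payload, as an added example that is not from the thread: it builds constructed IPv4/TCP packets, shows that a port-forwarding table can only pick a machine by destination port, and shows that an HTTP request can be dispatched by its Host header while an FTP "USER" command carries no hostname to dispatch on. The hostnames are the thread's examples; the inside addresses, forwarding tables and payloads are constructed.

```python
import socket
import struct
from typing import Optional, Tuple

# Port-forwarding table of the kind the thread's router holds: an incoming
# destination port maps to exactly one inside machine (constructed addresses).
PORT_FORWARDS = {21: "192.168.1.10", 80: "192.168.1.10", 2200: "192.168.1.11"}

# Name-based table a web server or reverse proxy could hold instead; the
# hostnames are the thread's examples, the inside addresses are constructed.
VHOSTS = {"www.example1.com": "192.168.1.10", "www.example2.com": "192.168.1.11"}

# Constructed application payloads: an HTTP/1.1 request names the host in its
# Host header, whereas FTP's opening dialogue carries no hostname at all.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example2.com\r\n\r\n"
FTP_REQUEST = b"USER john\r\n"


def build_packet(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP headers (checksums left at zero) around a payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("203.0.113.5"), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def router_view(packet: bytes) -> Tuple[str, int]:
    """The fields a NAT router decides on: destination IP and TCP destination port."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    dst_ip = socket.inet_ntoa(packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dst_ip, dst_port


def forward_by_port(packet: bytes) -> Optional[str]:
    """Router behaviour: the inside machine is chosen by port alone, payload unread."""
    return PORT_FORWARDS.get(router_view(packet)[1])


def http_host(payload: bytes) -> Optional[str]:
    """Hostname from the Host header, which sits in the payload the router never parses."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:               # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None


def forward_by_host(payload: bytes) -> Optional[str]:
    """Web server / reverse proxy behaviour: pick the machine by hostname, None if there is none."""
    host = http_host(payload)
    return VHOSTS.get(host) if host else None
```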

#9  06-23-2006, 01:04 PM  WildWest (Prospect, Join Date: Jun 2003, Location: Milwaukee, WI, Posts: 21)
Quote:
Originally Posted by hayne
First off, could you please omit the gratuitous use of words that are considered "swearing" by many people. There is no need for that here and some people may be offended. (I'm not talking about "Sheesh"). I'd appreciate it if you would edit your post to "clean it up" a bit.

Hayne, I edited the post. In no way, shape or form do I consider that "swearing". But as you mentioned, since some may be offended, and that's not what I'm looking to do, I changed it. Right now I'm just really frustrated and frankly that was the least offensive thing I could think to put there. Perhaps you should edit the quote?

Quote:
Now to answer your question:
When one of your users (at some external computer) uses something like "www.example1.com", the program that they are using (e.g. a web browser or an FTP client program) asks their DNS servers (the ones that their computer has been configured to use) to translate that hostname into a numerical IP address. If you have ownership of the domain "example1.com" then presumably the IP address that it would be resolved to would be the external IP address of your router.
A similar thing would happen with requests addressed to "www.example2.com". If both of these hostnames translated (via DNS) to the same IP address (that of your router), then it is up to your router to be able to determine somehow which request is to be routed to computerA and which is to be routed to computerB. Most routers cannot make this sort of distinction since they only work on IP address and port number. The information about the hostname (example1 vs example2) might be embedded in the packets being sent - but not in the part that is normally looked at by the router. And whether it was embedded in the packet at all would depend on the protocol being used.

What you could do is have all requests sent to one of your machines and then have a program on that machine look inside the packets and determine which machine is best suited to handle that request. But I'm not sure that such a program exists in the case of FTP. Maybe there are sophisticated FTP servers that can do this sort of proxying - sending on certain requests to some other FTP server. I don't know if this is a feature that exists on FTP servers.

In the case of HTTP (web) servers, you can set up "virtual domains" and "proxies" - where all requests get sent to the one web server on one machine and then that web server looks at the hostname that is embedded in the HTTP section of the packet and determines to forward it to some other machine. Note again that this is possible because the web server looks in more detail at the contents of the packet than is done by most routers.

Gotcha. That all makes perfect sense. Thanks for the info.

#10  06-23-2006, 01:18 PM  hayne (Moderator, Join Date: Jan 2002, Location: Montreal, Posts: 29,279)
Quote:
Originally Posted by WildWest
Hayne, I edited the post. In no way, shape or form do I consider that "swearing". But as you mentioned, since some may be offended, and that's not what I'm looking to do, I changed it. Right now I'm just really frustrated and frankly that was the least offensive thing I could think to put there.

Thanks. But I note that there isn't really any need to express your frustration in any form (even euphemistically) in these forums. Just ask for help, explain what you want to do and why and state what you have tried and why it didn't suffice.

And note that frustration is more likely if you set unrealistic goals and expect them to be easy to achieve. For example, I'm continually frustrated that no-one is putting millions of dollars into my PayPal account, and that no movie studios are asking me to play the romantic lead in their blockbusters.

Quote:
Perhaps you should edit the quote?

Done
__________________
hayne.net/macosx.html

#11  06-23-2006, 01:33 PM  WildWest (Prospect, Join Date: Jun 2003, Location: Milwaukee, WI, Posts: 21)
Quote:
Originally Posted by hayne
Thanks. But I note that there isn't really any need to express your frustration in any form (even euphemistically) in these forums. Just ask for help, explain what you want to do and why and state what you have tried and why it didn't suffice.

Nor was there any need to continue to chastise me after I'd already attempted to make right, but I'll note that you did that anyway. Do you really need a pound of flesh from me?

Quote:
And note that frustration is more likely if you set unrealistic goals and expect them to be easy to achieve. For example, I'm continually frustrated that no-one is putting millions of dollars into my PayPal account, and that no movie studios are asking me to play the romantic lead in their blockbusters.

And note that I never asked for "the easy way". I asked for "the way". Despite your ill-fitting comparison I wasn't asking for a hand out. I only post on any message board after I've dived in, gotten my hands dirty and tried things out for myself. After numerous searches of the web, including Netgear's and Apple's own site/forums proved fruitless I came here to ask for help. Now I'll take offense at your suggestion.

I've gotten what I needed to know for now. I'll thank everyone again who posted information for me.

#12  06-23-2006, 01:42 PM  hayne (Moderator, Join Date: Jan 2002, Location: Montreal, Posts: 29,279)
Quote:
Originally Posted by WildWest
Nor was there any need to continue to chastise me after I'd already attempted to make right, but I'll note that you did that anyway. Do you really need a pound of flesh from me?

Sorry if I was unclear or offensive - my further note was merely attempting to explain the preferred style of communication on these forums.
And you seem to have misunderstood my note about frustration - it was addressing what I saw as your unrealistic expectations being the cause of your frustration.
__________________
hayne.net/macosx.html

#13  06-23-2006, 03:25 PM  bored28 (Major Leaguer, Join Date: Apr 2006, Location: Boulder, CO, Posts: 355)
Quote:
Originally Posted by hayne
And note that frustration is more likely if you set unrealistic goals and expect them to be easy to achieve. For example, I'm continually frustrated that no-one is putting millions of dollars into my PayPal account, and that no movie studios are asking me to play the romantic lead in their blockbusters.

Wait, you never got that $1,000,000.00 I sent you because you're just so awesome?!?!