Old 07-27-2006, 12:26 AM   #1
aphinity
Prospect
 
Join Date: Jul 2006
Posts: 2
Hi there,

Maybe this is old news, but I've never seen this posted anywhere. Have I actually come up with a new solution?

Something that has bothered much of the mac world for some time, particularly those who have ever attempted to set up an ftp server behind a firewall or a router, is that the built-in ftp service in Mac OS X 10.4 is a stripped down, unconfigurable service with no way to configure things like passive port ranges - or so we thought.

For those who don't know, most ftp servers require a range (a very large range) of ports available for use, selected at random, whenever a connected client requests a file or directory listing outside of the root. The main ports used are ports 20 and 21, but the other randomly selected port is picked from anywhere between 1024 and 65535 on the OS X ftp server. Sadly, we cannot predict which one it will pick, meaning if you do not set up your router or firewall to allow access from the client to your ftp server, the transfer will fail. That means you have to open a HECK of a lot of ports to your server.

There IS a better way. You do NOT have to install another ftp service!

The service running in OS X is a variant of tnftpd or something very similar, which is configured with a file called ftpd.conf stored in the hidden /etc folder on your hard drive. There is detailed information on what you can configure the ftp server to do from within this file.

Here's the tricky part. The ftpd.conf file DOES NOT EXIST by default. If you create it, the ftp service will see it, and follow the directions in it, INCLUDING a specific passive ftp port range! Woo! Be sure to restart the service in the control panel/sharing after you modify the file.

Let's say you have your ftp server behind an apple airport extreme base station. Quickly described, here is what you have to do:

1. Enable the root user in /Applications/Utilities/NetInfo Manager and set a password.
2. Open terminal in /Applications/Utilities/ and type:
Quote:
su root

.. then enter your password.
3. type:
Quote:
cd /etc
pico ftpd.conf

4. From within the pico text editor, type:
Quote:
portrange all 49152 49155

5. Press Control-X together, type a Y to say yes to saving, and hit enter to confirm the name of the new file.
6. Go into your System Preferences/Sharing and turn off the ftp sharing, then turn it on again. You're done!

Now that you've done this, you only have to point ports 20, 21, 40152, 40153, 40154 and 40155 to your ftp server from your router, and your ftp server will work perfectly! No more problems connecting!

Enjoy!


-Rob Harrison

PS: I know ftp is insecure. Please don't hijack the thread with comments about that.
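As an added example (not part of the original post): a shell check that reads the `portrange` directive from an `ftpd.conf` and reports which of the control port and passive data ports are absent from a router's forwarding list. The sample config and port list are constructed from the values written in the post above; the function names and the 1024-65535 bounds check are assumptions of this example.

```shell
#!/bin/bash
# Added example: compare the passive range in ftpd.conf with the ports
# forwarded on the router, so only the needed ports are opened.

# Print "min max" from the last valid "portrange <class> min max" line.
# Assumed bounds: 1024 <= min < max <= 65535. Returns 1 if none found.
passive_range() {  # $1 = ftpd.conf text, $2 = class (e.g. all)
  printf '%s\n' "$1" | awk -v cls="$2" '
    { sub(/#.*/, "") }                       # drop comments
    $1 == "portrange" && $2 == cls && NF == 4 &&
    $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
    $3 + 0 >= 1024 && $4 + 0 <= 65535 && $3 + 0 < $4 + 0 { r = $3 " " $4 }
    END { if (r != "") print r; else exit 1 }'
}

# Print the ports a passive-mode client must reach (control port 21 plus
# every port in min..max) that are not in the forwarded list.
missing_forwards() {  # $1 = min, $2 = max, $3 = space-separated forwards
  local need="21" p=$1 out=""
  while [ "$p" -le "$2" ]; do need="$need $p"; p=$((p + 1)); done
  for p in $need; do
    case " $3 " in
      *" $p "*) ;;                           # already forwarded
      *) out="$out $p" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Constructed sample input: the directive from step 4 and the port list
# exactly as written in the post's closing paragraph.
CONF='# constructed sample ftpd.conf
portrange all 49152 49155   # passive data ports'
FORWARDED="20 21 40152 40153 40154 40155"

if range=$(passive_range "$CONF" all); then
  set -- $range
  echo "passive range: $1-$2"
  echo "not forwarded: $(missing_forwards "$1" "$2" "$FORWARDED")"
else
  echo "no valid portrange directive for class 'all'" >&2
fi
```

On a live system, pass `"$(cat /etc/ftpd.conf)"` as the first argument to `passive_range` and the router's actual forwarding list to `missing_forwards`.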
Old 07-27-2006, 08:35 AM   #2
hayne
Moderator
 
Join Date: Jan 2002
Location: Montreal
Posts: 29,279
Quote:
Originally Posted by aphinity
1. Enable the root user in /Applications/Utilities/NetInfo Manager and set a password.

There is absolutely no need to enable the root user. This is definitely not recommended.
Instead, just use 'sudo'. See this Unix FAQ
__________________
hayne.net/macosx.html
Old 08-24-2006, 01:00 PM   #3
rajulkabir
Prospect
 
Join Date: Aug 2006
Posts: 3
Quote:
Originally Posted by hayne
There is absolutely no need to enable the root user. This is definitely not recommended.
Instead, just use 'sudo'. See this Unix FAQ

What possible difference is there? You can do exactly the same smart and dumb things as root or via sudo.
Old 08-25-2006, 11:46 AM   #4
hayne
Moderator
 
Join Date: Jan 2002
Location: Montreal
Posts: 29,279
Quote:
Originally Posted by rajulkabir
What possible difference is there? You can do exactly the same smart and dumb things as root or via sudo.

Well, one big advantage of using 'sudo' is that everything is logged.
And it avoids situations where you forget that you are logged in as root and mess things up.
__________________
hayne.net/macosx.html
Old 07-27-2006, 10:09 AM   #5
voldenuit
Hall of Famer
 
Join Date: Sep 2003
Location: Old Europe
Posts: 4,896
Quote:
Originally Posted by aphinity
PS: I know ftp is insecure. Please don't hijack the thread with comments about that.

Good for you that you know ftp is insecure.

How exactly would it be "hijacking" the thread by pointing out that it is a Very Bad Idea to do what you suggest security-wise ?

Grace this forum with directions how to run sftp for a change, would you ?
Old 08-16-2006, 01:14 AM   #6
aphinity
Prospect
 
Join Date: Jul 2006
Posts: 2
Quote:
Originally Posted by voldenuit
Good for you that you know ftp is insecure.

How exactly would it be "hijacking" the thread by pointing out that it is a Very Bad Idea to do what you suggest security-wise ?

Grace this forum with directions how to run sftp for a change, would you ?

Because some people don't care about security and just want a simple means to exchange files with people.

Wow.. I come up with an answer that I know others have been looking for, and I get criticism. That's just great.
Old 08-16-2006, 09:07 AM   #7
Craig R. Arko
Site Admin
 
Join Date: Dec 2001
Location: Minneapolis, MN
Posts: 3,771
Thanks. Around here, many of us do care about the security of our systems and networks, so advising us to ignore that topic is not likely to go unquestioned.
Old 08-25-2006, 10:31 AM   #8
aphinity
Prospect
 
Join Date: Jul 2006
Posts: 2
Quote:
Originally Posted by Craig R. Arko
Thanks. Around here, many of us do care about the security of our systems and networks, so advising us to ignore that topic is not likely to go unquestioned.

My whole point was that this is not meant to be a discussion about the security of the ftp protocol. The protocol is widely used, is included with the operating system, and this is a way to allow it to work for people who would like it to who happen to be behind a router.

End of discussion.

If you want security, you shouldn't use FTP. I think that point has been made many times over in other threads.
Old 07-27-2006, 10:22 AM   #9
Mikey-San
Hall of Famer
 
Join Date: Jan 2002
Location: twitter.com/mikeysan
Posts: 3,481
On top of that, don't enable the root user to do something like this. You don't need it.

Code:
$ cd /etc
$ sudo pico ftpd.conf
__________________
COMPUTER TYPE
SOME SPECIFICATIONS I COPIED FROM THE BOX
STUFF I INSTALLED ALL BY MYSELF
"WITTY QUOTE"