How to FTP behind a Mac with Internet sharing?

I'm using a Mac (A) as a firewall to my AirPort network.
The firewall is the one coming with the system (i.e. ipfw).
The Internet sharing is activated.
Mac A is running Tiger 10.4.6.

Another Mac (B) is connected by sharing the Mac A connection.
Mac B is running any MacOS X (in fact I have many Mac B
behind this Mac A).

How may I configure the system firewall on A so as to be
able to perform an FTP from B toward the outside?

--
dan

Posted on Apr 25, 2006 3:15 PM


Apr 26, 2006 1:59 AM in response to Zorba_le_grec

Hi Dan,

The firewall prevents incoming connections getting through to Mac B, so what you have to do is make sure that all connections are outgoing, i.e. initiated by the FTP client running on Mac B.

The default for most FTP servers is to run in "Active" mode which means that after the client makes a request the server tries to open a data channel on the client. Hence you have to set your FTP client to tell the server to run in "Passive" mode. In this case the server asks the client to open a data connection to the server. Whereabouts you have to make this Passive setting will depend on the FTP client you are using.

Reference: http://slacksite.com/other/ftp.html

Graham

PBooks 1Ghz & 1.67Ghz, iMac 800Mhz, iBook 300Mhz, iPod mini & shuffle Mac OS X (10.4.6) Netgear ADSL WiFi, Airport Graphite, Squeezebox, SonyEricsson K750i, Zire71
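
The active/passive distinction described in the reply above, as an added example that is not part of the original thread: it reads the PORT command or the 227 reply from a control-channel excerpt and reports who opens the data connection. The 192.168.2.0/24 sharing subnet, the addresses and the sample lines are assumptions constructed for the illustration.

```python
import ipaddress
import re

# Assumed subnet handed out by Mac A's Internet Sharing (not stated in the thread).
LAN = ipaddress.ip_network("192.168.2.0/24")

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2 in both PORT and the 227 reply.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(control_lines, client_ip, server_ip):
    """Return (src, dst, dst_port) of the data connection the dialogue sets up."""
    for line in control_lines:
        if line.startswith("PORT "):   # active: the server connects to the client
            ip, port = parse_endpoint(line)
            return server_ip, ip, port
        if line.startswith("227 "):    # passive: the client connects to the server
            ip, port = parse_endpoint(line)
            return client_ip, ip, port
    raise ValueError("no PORT command or 227 reply found")


def lan_initiated(src):
    """True when the connection starts inside the LAN, i.e. it is outgoing at Mac A."""
    return ipaddress.ip_address(src) in LAN


# Constructed control-channel excerpts (client 192.168.2.5, server 203.0.113.10).
ACTIVE = ["USER anonymous", "PORT 192,168,2,5,195,80", "200 PORT command successful"]
PASSIVE = ["USER anonymous", "PASV", "227 Entering Passive Mode (203,0,113,10,234,96)"]

if __name__ == "__main__":
    for name, lines in (("active", ACTIVE), ("passive", PASSIVE)):
        src, dst, port = data_connection(lines, "192.168.2.5", "203.0.113.10")
        verdict = "outgoing" if lan_initiated(src) else "incoming"
        print("%-7s data connection %s -> %s:%d (%s at Mac A)" % (name, src, dst, port, verdict))
```

In the passive case the data port is chosen by the server and the connection still starts on the LAN side, so it is an outgoing connection at Mac A just like the control connection to port 21.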

Apr 26, 2006 3:05 AM in response to Kiwi Graham

> [...]
> The default for most FTP servers is to run in
> "Active" mode which means that after the client makes
> a request the server tries to open a data channel on
> the client. Hence you have to set your FTP client
> to tell the server to run in "Passive" mode. In
> this case the server asks the client to open a data
> connection to the server. Whereabouts you have to
> make this Passive setting will depend on the FTP
> client you are using.


Hello Graham, and thank you for this detailed reply.

I'm using the standard MacOS X FTP: ftp.
Its man page says:

    ...
    -A  Force active mode ftp. By default, ftp will try to use passive
        mode ftp and fall back to active mode if passive is not sup-
        ported by the server. This option causes ftp to always use an
        active connection. It is only useful for connecting to very old
        servers that do not implement passive mode properly.
    ...

I don't understand why it isn't working correctly.
On Mac A, I've added a specific FTP rule to the Firewall,
but unfortunately it is incomplete. And it doesn't let
passive FTP go through Mac A:

    Port Name: Other
    TCP Port Number(s): 20-21
    UDP Port Number(s):
    Description: FTP

Should I put:

    Port Name: Other
    TCP Port Number(s): 20-21, 1024-65535
    UDP Port Number(s):
    Description: FTP

Isn't there a more fine grained solution to allow FTP to
pass through Mac A, without allowing at the same time all
the incoming TCP connections?

Apr 26, 2006 8:33 AM in response to Zorba_le_grec

OK, my understanding of the OS X firewall is that it does not automatically open up all ports for "relay" when you have internet sharing turned on.

In other words it is treating your own internal network as potentially hostile, just like the external internet.

Therefore, yes, you need to open your firewall on Mac A for those FTP ports BUT only for requests coming from your internal network - which is probably something like 192.168.x.y

(My apologies for forgetting this - I use the Norton Firewall which automatically configures itself to allow those connections when Internet Sharing is turned on.)

Graham

Apr 26, 2006 2:22 PM in response to Kiwi Graham

> OK, my understanding of the OS X firewall is that it
> does not automatically open up all ports for "relay"
> when you have internet sharing turned on.


Exactly!

> In other words it is treating your own internal
> network as potentially hostile, just like the
> external internet.
>
> Therefore, yes, you need to open your firewall on Mac
> A for those FTP ports BUT only for requests
> coming from your internal network - which is probably
> something like 192.168.x.y


Yes and it's working fine this way.

Unfortunately, when you open FTP access this way on a
Mac which is sharing its connection,
you can't distinguish the interface on which
this access is open through the GUI.

--
dan

Apr 27, 2006 9:39 AM in response to Kiwi Graham

> Sure you can set up SCP or SFTP if you are running
> the server, but if you are the client you have
> to go with what the server owner has running.
>
> To get better granularity/specificity on the IPFW
> firewall via a GUI one can use the highly recommended
> shareware program Flying Buttress.


Thank you for this precious information.
Tested, working, great!

Do you know any firewall that may automatically
switch from configuration to configuration when
I'm switching network locations?
(I switch through a lot of these configurations:
work, home, friends, airport, trash-net...)


--
dan
