ftp port forwarding problem?

I am trying to set up my mac mini as an ftp server (and only an ftp server). I created a subdomain (on godaddy) and set the A record to my home IP address (u-verse).


My mac mini is connected to the internet through my airport base station, which is connected by u-verse (via the DMZ).


I set up os x server on my mac mini using my subdomain. I have the DNS on and FTP on. Nothing else.


Using Server app I added FTP as a public service to my airport base station.


I open a terminal shell on my mac mini and try

ftp username@localhost *** and it works

ftp username@10.1.0.9 *** and it works (10.1.0.9 is the mini local IP)

ftp username@(u-verse IP address) *** and it works

ftp username@subdomain *** and it works


All is great so I open a terminal shell on my macbook air and try

ftp username@10.1.0.9 *** and it works, but then


ftp username@(u-verse IP address) *** and it hangs, eventually saying


421 Service not available, remote server timed out. Connection closed.


The same thing happens on my mac book air with

ftp username@subdomain


port forwarding is set up by Server app, and when I check it with Airport Utility it looks correct with port 21 as private and public TCP ports.


I can't figure out what I'm doing wrong. This should be simple, right?


Last confusing bit: If I turn on web services and put my domain name in the browser of my mac book air I see the server default web page. So, web services work, but ftp doesn't.

Posted on Apr 27, 2013 5:47 PM

3 replies

Apr 27, 2013 7:34 PM in response to grandinetti

Open and forward TCP ports 49152 through 65535.


ftp is a steaming pile of ugly.


To get ftp to work, you are required to open the entire ephemeral port range at your server firewall and any firewalls in front of it, or to open the ephemeral range on the client firewall and any firewalls in front of that, as the second (data) connection used by ftp chooses a port from that port range. Alternatively, you can get yourself a firewall that can trigger the port range when it receives ftp traffic, as that avoids having the range open and forwarded for any random remote access. Or acquire a firewall that can detect and sniff the ftp traffic and open (just) the port the data connection has chosen.


OS X and OS X Server use TCP 49152 through 65535 as the ephemeral port range. The particular port range varies by operating system.


It can be better to use sftp, as that requires just port 22 (ssh), and sftp has the added advantage of allowing certificate-based logins (no passwords needed or passphrases, and not brute-forceable), and best of all sftp uses ssh and doesn't transmit your username and password credentials in the clear for anyone to find.


GUI clients with sftp capabilities include FileZilla and CyberDuck, and there's also a command-line sftp client included with OS X, and OS X and OS X Server both include an sftp (ssh) server.


Given ftp transmits credentials in the clear, it's probably easier to just get rid of your firewall entirely.


A write-up on why ftp is ugly and insecure with some added details, if you're interested.


Alternatively, set up a VPN, and you can run ftp or sftp or whatever else over that.
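As an added illustration (not part of the thread), the check an FTP-aware firewall performs as described in the reply above: read the port the server announces for the data connection and test whether it falls inside a range the NAT actually forwards. The sample replies are constructed; 10.1.0.9 is the Mini's LAN address from the question, the range constant is the OS X ephemeral range given above, and the EPSV (229) reply form is handled in addition to classic PASV, which goes beyond what the thread covers.

```python
import re

# Ephemeral port range used by OS X / OS X Server, as stated in the reply.
OSX_EPHEMERAL = (49152, 65535)

# 227 reply: host and port encoded as six decimal bytes (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (EPSV): port only; the host is that of the control connection.
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host, port) the server chose for the data connection.

    host is None for an EPSV reply. Raises ValueError for other lines.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {line!r}")


def data_port_forwarded(port, forwarded_ranges):
    """True if the data port lies inside any (lo, hi) range the NAT forwards."""
    return any(lo <= port <= hi for lo, hi in forwarded_ranges)


def check_transfer(reply, forwarded_ranges):
    """Decide whether the data connection announced in `reply` can reach the server."""
    host, port = parse_passive_reply(reply)
    ok = data_port_forwarded(port, forwarded_ranges)
    where = f"{host}:{port}" if host else f"port {port}"
    verdict = ("forwarded, data connection can reach the server" if ok
               else "NOT forwarded, client hangs and then times out")
    return ok, f"data connection to {where}: {verdict}"


if __name__ == "__main__":
    # Constructed sample replies (a real server would send exactly one per transfer).
    replies = ["227 Entering Passive Mode (10,1,0,9,200,17)",   # port 51217
               "229 Entering Extended Passive Mode (|||50123|)"]
    # The poster's setup (port 21 only) versus port 21 plus the ephemeral range.
    for label, ranges in (("port 21 only", [(21, 21)]),
                          ("21 + ephemeral", [(21, 21), OSX_EPHEMERAL])):
        for r in replies:
            print(f"{label:15s} -> {check_transfer(r, ranges)[1]}")
```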
