Let's Revisit MacOS Server's Passive FTP Problem
Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections. More often than not, this means that clients behind NAT routers (for a variety of complicated reasons) can't discover which of the "high ports" are being used in their passive connection. Furthermore the Mac OS X administrator would have to open every port above 1024 to anticipate connections, severely weakening the security of the system.
The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
Here's a primer on the difference between Active and Passive FTP:
http://slacksite.com/other/ftp.html
Apple introduced a "solution" to the problem by making this addition to the Network Services manual sometime around 10.3 server:
"See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service. "
This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations. The typical workaround was choppy, but workable: replace Apple's built-in FTP daemon with a fully configurable one like ProFTPd or PureFTPd, configure a narrow range of ports for your own security, and configure your firewall to match.
We're on Tiger server now and that's still in the Network Services manual. Leopard or whatever is looming. Will Apple ship an FTP server that works out-of-the-box with its own firewall this time? Any new thoughts or solutions?
G5's, G4's, G3's, Xserve, Powerbooks, iBooks, Mac OS X (10.4.7)
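An added example for the workaround described in the post above (it is not code from the original poster, from Apple, or from the ProFTPd/PureFTPd projects): a small Python 3 script that parses what a server actually announces in its PASV reply, checks whether that port lies inside the range the firewall has open, and derives the ProFTPd `PassivePorts` directive and the ipfw rules from one and the same range so the two can't drift apart. The sample 227 replies are constructed for this example, the range 49152-49200 and the ipfw rule numbers 2000/2010 are arbitrary choices, and `probe()` assumes the target server accepts the login you give it.

```python
"""Added example: what does the server announce in PASV, and is that
port one the firewall lets through?

The 227 replies below are constructed for this example, not captured
from a real server. The range 49152-49200 is an arbitrary choice.
"""
import re
import socket

# Constructed sample replies (not real captures).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,195,80).",   # 195*256+80 = 50000
    "227 Entering Passive Mode (192,168,1,10,4,1).",      # 4*256+1    = 1025
    "227 Entering Passive Mode (10,0,0,5,39,16).",        # 39*256+16  = 10000
    "227 Entering Passive Mode (192,168,1,10,192,10).",   # 192*256+10 = 49162
]

_PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Return (address, port) from a '227 Entering Passive Mode' reply.

    The server sends four address octets h1..h4 and two port octets
    p1,p2; the data port is p1*256 + p2. That number is what a client
    behind NAT, and the server's own firewall, has to know about.
    """
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, low, high, control_address=None):
    """Parse a PASV reply and list what would stop the data connection.

    Returns (address, port, problems). 'problems' is empty when the port
    is inside [low, high] and, if control_address is given, the announced
    address matches the one the client connected to on port 21.
    """
    address, port = parse_pasv(reply)
    problems = []
    if not low <= port <= high:
        problems.append("announced port %d is outside the allowed range %d-%d"
                        % (port, low, high))
    if control_address is not None and address != control_address:
        problems.append("announced address %s differs from control connection %s "
                        "(server behind NAT without address rewriting?)"
                        % (address, control_address))
    return address, port, problems


def matching_config(low, high):
    """Derive the ProFTPd directive and the ipfw rules from one range.

    Rule numbers 2000 and 2010 are arbitrary (assumption); the point is
    that both sides are generated from the same two numbers.
    """
    return {
        "proftpd": "PassivePorts %d %d" % (low, high),
        "ipfw": [
            "ipfw add 2000 allow tcp from any to any 21 in setup",
            "ipfw add 2010 allow tcp from any to any %d-%d in setup" % (low, high),
        ],
    }


def probe(host, low, high, user="anonymous", password="ftpcheck@", timeout=10):
    """Live check against a real server (needs network and a valid login).

    Logs in, sends PASV, and runs check_pasv on the reply. No directory
    listing or transfer is attempted, so nothing touches the data port.
    """
    import ftplib
    control_address = socket.gethostbyname(host)
    ftp = ftplib.FTP()
    ftp.connect(host, 21, timeout=timeout)
    try:
        ftp.login(user, password)
        reply = ftp.sendcmd("PASV")
    finally:
        ftp.close()
    return check_pasv(reply, low, high, control_address)


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        address, port, problems = check_pasv(reply, 49152, 49200, "192.168.1.10")
        print(reply.strip(), "->", address, port, problems or "ok")
    print(matching_config(49152, 49200))
```

Running the script as-is walks the constructed replies; `probe("ftp.example.com", 49152, 49200)` does the same against a live box and tells you, before any client complains, whether the daemon is handing out ports the firewall drops. With Apple's built-in daemon you would expect the announced port to land anywhere above 1024; with ProFTPd and `PassivePorts` set it should always fall inside the range the ipfw rule opens.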