On Thu, Jul 24, 2003 at 08:44:02AM -0400, Daniel Nilsson wrote:
> The ftp server should be located at the main office, but I could use some recommendations on where to place this server. From reading mailing lists I understand the issue of active vs. passive ftp and placing the ftp server in the DMZ. I don't think I can ask our customers to toggle the active/passive flag of their ftp client since our customers are
Most ftp clients use passive ftp as a default. An exception is the client delivered by SUN for Solaris, which does not even support passive ftp (may be solved with Solaris 9). There are firewalls in all the office locations. Therefore I assume that only passive ftp is possible.
> usually not very computer savvy people. Putting an ftp server in the DMZ that supports both active and passive ftp seems tricky, does anyone have
Active ftp is not the problem on the server side. You have to allow outgoing tcp connections. The firewall on the client side will have to forward incoming tcp connections. Iptables can handle that, but IMHO you should not use active ftp. If it is passive ftp, the port range used for data connections can be specified in /etc/vsftpd.conf (pasv_min_port, pasv_max_port). This might be useful.
> a recipe of how to make that work (using SuSEFirewall 2 on the firewall machine).
You may have to set up your own set of iptables rules. There are already some mails listing alternatives to ftp. I don't want to mention it again.

-- 
Stefan Tichy <listuser@pi4tel.de>
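
Added example (not from the thread): a shell function that reads the passive range from a vsftpd.conf and prints matching iptables FORWARD rules for a routed DMZ, so the firewall opens exactly the data ports the server will offer. The server address, interface names, port range and the lower bound of 1024 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: keep the firewall's passive FTP range in step with vsftpd.conf.
# All addresses, interfaces and port numbers below are constructed sample values.

# Print the numeric value of "key=value" from a vsftpd.conf-style file.
# vsftpd does not allow spaces around "="; the last occurrence wins here.
conf_get() {
    sed -n "s/^$2=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Emit iptables rules (as text, nothing is applied) for passive FTP to a DMZ host.
# $1 = vsftpd.conf path, $2 = DMZ server IP, $3 = external iface, $4 = DMZ iface
pasv_rules() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    # Refuse a missing, privileged (assumed policy: >= 1024) or inverted range;
    # without a fixed range the server may pick any port for data connections.
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -lt 1024 ] ||
       [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "invalid or missing pasv_min_port/pasv_max_port in $1" >&2
        return 1
    fi
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $3 -o $4 -d $2 -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $3 -o $4 -d $2 -p tcp --dport $min:$max -m state --state NEW -j ACCEPT
EOF
}

# Constructed sample configuration and a dry run that only prints the rules.
sample=$(mktemp)
printf 'listen=YES\npasv_enable=YES\npasv_min_port=30000\npasv_max_port=30100\n' > "$sample"
pasv_rules "$sample" 192.0.2.10 eth0 eth1
rm -f "$sample"
```

Only the control port and the configured data range are opened towards the server; a FORWARD policy of DROP is assumed for everything else.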