Port Forwarding Settings for FTPc
David R. Lane (77) 766 posts |
I need to be able to upload and download files using FTPc to and from, respectively, a NAS (network attached storage device) on the LAN remotely, that is, on the WAN. I had this set up on the previous NetGear router with “Start Port” 20 and “End Port” 21 which worked. Since changing to fibre optic from the cabinet (from telephone wires all the way), Phone Coop provided a new suitable router, Technicolor (sic) DGA4134, and I need to set up port forwarding again. In the configuration different terms are used for the two ports, WAN port and LAN port, which are currently both set at 21 and it works, but are these port numbers best? Does “Start Port” = WAN port and “End Port” = LAN port, or is it the other way round? I have set the protocol to TCP/UDP, but could set it to just TCP. |
Bryan (8467) 468 posts |
Neither. Port Forwarding always forwards the ports unchanged. You need a clever router to change the port numbers on the way through and it will be called something else. My DrayTek will do it, but I never use it. You want to forward both port numbers unchanged from the WAN to the LAN. You need two because one port is used for data and the other for control. Start port just identifies the lower number of a range of ports which finishes with end port. Some simple FTP servers will work just using port 21, so only need port 21 forwarding. |
David J. Ruck (33) 1636 posts |
Right Bryan has explained how you do it, now I’ll explain why you shouldn’t. Port forwarding of a completely insecure protocol such as FTP through from WAN to LAN is utterly insane. That port will be probed and compromised in seconds. If you’ve got old crap lying around which can only do unencrypted file transfers (and if we didn’t, we wouldn’t be here), you need to set up either a VPN or SSH tunnel between sites, so there is a secure encrypted link, over which you can run your insecure protocol. |
Bryan (8467) 468 posts |
Hmmmm, seconds is very much an exaggeration. As to whether you should, it depends on what you have on the server. And, if it is a RISC OS server, the normal hacks just will not work. I have a server online and the hack attempts that come through¹ are way off the mark. And, if they do get through, they are going to be mightily disappointed! ¹ 1 or 2 every couple of days |
David J. Ruck (33) 1636 posts |
Believe me it is seconds, and its also not just what you have on the server, but also what someone else might use your system to distribute. |
Bryan (8467) 468 posts |
Well. You stick with your theories. And I will stick with my practical experience with RISCOS servers online for years. |
Alan Adams (2486) 1149 posts |
Until they connect to your Windows computer which also happens to be on your LAN – port forwarding exposes the entire network, not just the computer you intended it for. |
Alan Adams (2486) 1149 posts |
Classic FTP uses ports 20 and 21. In order to use port 21 only, you may need to set “passive FTP”, which uses the same port for both. |
David R. Lane (77) 766 posts |
Just from my experience … My NAS probably runs Linux, but I dare say the hackers already know that. I don’t have any sensitive files on my NAS. I have both WAN and LAN set to using port 21 and it works, but would it be better to use 20 and 21, and which way round? |
Bryan (8467) 468 posts |
This thread has been taken way off topic now. So I’m out. |
Rick Murray (539) 13850 posts |
Okay, let’s talk practical experience. I have a BBS running on port 23. You’re right, it’s not seconds. It is minutes. I have a circular list of IP addresses. Sixteen of them. If something connects too frequently, or tries to log in with certain usernames (shell, system, etc.) then it will be blacklisted and the connection dropped. Even so, from time to time the server gets spammed so hard it has to start discarding connections (it is, by design, capable of handling eight concurrent). I ought to add an address to the blacklist if it’s using more than three ports at the same time. With all of that, I see the linetask popping up on the icon bar frequently. Enough that in the time it has been online, it’s clocked up nearly half a million login attempts. There’s a good hundred or so attempts every single day. And that’s with the big ones (Russia, China) blacklisted. WebJames does minimal logging, because that gets hammered quite a lot and I don’t care to fill my space with the logs. It’s amazing how much phpMyAdmin is searched for. That is my experience running a server with RISC OS. If you really think your server doesn’t get hit frequently, I suggest you check to see if your server has had the activity logging turned off. |
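The drop logic Rick describes (a sixteen-entry circular blacklist, banning on too-frequent connects, on probed usernames such as shell/system, and on an address holding more than three ports at once), written out as an added Python example; this is not the BBS's own code. The rate threshold (5 connects in 60 s), the event format and the sample addresses are assumptions constructed for the demo.

```python
from collections import defaultdict, deque

PROBED_USERS = {"shell", "system"}   # usernames named in the post
RATE_LIMIT, WINDOW = 5, 60.0         # assumed: >5 connects in 60 s counts as "too frequent"
MAX_PORTS = 3                        # the post's "more than three ports at the same time"

class Guard:
    def __init__(self, size=16):
        self.blacklist = deque(maxlen=size)   # circular: oldest entry falls off when full
        self.recent = defaultdict(deque)      # ip -> timestamps of recent connects
        self.open_ports = defaultdict(set)    # ip -> source ports currently open

    def ban(self, ip, reason):
        if ip not in self.blacklist:
            self.blacklist.append(ip)
        return (ip, reason)

    def connect(self, ts, ip, port):
        """Return None to accept the connection, else (ip, reason) for a drop."""
        if ip in self.blacklist:
            return (ip, "blacklisted")
        hits = self.recent[ip]
        hits.append(ts)
        while ts - hits[0] > WINDOW:          # slide the window forward
            hits.popleft()
        if len(hits) > RATE_LIMIT:
            return self.ban(ip, "rate")
        self.open_ports[ip].add(port)
        if len(self.open_ports[ip]) > MAX_PORTS:
            return self.ban(ip, "ports")

    def login(self, ip, user):
        return self.ban(ip, "username") if user.lower() in PROBED_USERS else None

# Constructed sample stream (not real BBS data): ("connect", ts, ip, src_port) or ("login", ip, user)
EVENTS = [
    ("connect", 0.0, "198.51.100.7", 40001), ("login", "198.51.100.7", "shell"),
    ("connect", 1.0, "198.51.100.7", 40002),                                         # now blacklisted
    ("connect", 2.0, "203.0.113.9", 50001), ("connect", 2.1, "203.0.113.9", 50002),
    ("connect", 2.2, "203.0.113.9", 50003), ("connect", 2.3, "203.0.113.9", 50004),  # fourth port
    ("connect", 5.0, "192.0.2.1", 60001), ("login", "192.0.2.1", "david"),           # benign
]

def run(events):
    guard, drops = Guard(), []   # feed events through a fresh Guard, collect (ip, reason) drops
    for ev in events:
        result = guard.connect(*ev[1:]) if ev[0] == "connect" else guard.login(*ev[1:])
        if result:
            drops.append(result)
    return drops
```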
Rick Murray (539) 13850 posts |
Thankfully this ought to be less of a worry with RISC OS. I’m not currently aware of anything that would grant an external connection the ability to run arbitrary code. Which, of course, doesn’t mean it can’t happen, but thankfully RISC OS is sufficiently different that it would be much easier to release a poisoned application than to try hacking it from afar. But yes, once a machine is compromised, it can be used to access everything that it has access to. If it is running on your LAN and it can see your LAN (isn’t firewalled by itself) then all of that can be accessible. Do you have open shares, for instance? |
Steve Pampling (1551) 8172 posts |
For a NAS/server etc exposed to the Internet the standard advice would be to use SFTP rather than the simpler and less secure FTP |
David R. Lane (77) 766 posts |
So does RISC OS have an SFTP application? All I can find is using Nettle with ANSI task connection in conjunction with SSH providing you have RComp’s secure sockets module; but this is a command line solution. See www.riscosopen.org/forum/forums/5/topics/1520. |
Steve Pampling (1551) 8172 posts |
Probably only CURL |
David J. Ruck (33) 1636 posts |
No, the best advice is to use a VPN. Dump absolute PoS routers supplied by your ISP straight in the bin (Technicolor being one of the worst), and get yourself a decent one. ASUS routers (or anything running OpenWRT firmware) can be set up as both OpenVPN servers and OpenVPN clients, so you can link different sites together at the router level even if you don’t have any computers capable of running OpenVPN. Once you’ve done this, you can run ancient insecure protocols between your machines in different places while being protected by strong encryption, and no messing with port forwarding. |
Rick Murray (539) 13850 posts |
Not always possible. Orange (France) uses some weird non-standard SIP¹ and the router itself provides authentication. It may be that as more and more landlines become VoIP, this may become more of a problem? ¹ A while back somebody was trying to reverse engineer it. Orange sent a cease and desist, and while the law does permit for reverse engineering for interoperability, it’s not a surprise that he threw in the towel when the lawyers got involved. |
Chris Gransden (337) 1207 posts |
PuttyTools available via PackMan contains the psftp command. |
Chris Mahoney (1684) 2165 posts |
Same sort of thing in NZ. Some ISPs do it the ‘right way’ and provide VoIP directly from the fibre ONT, but others like Vodafone give you a preconfigured router and don’t tell you any of the settings. Other ISPs are a middle ground where they give you a router but also tell you the settings. |
David J. Ruck (33) 1636 posts |
You can always put the router into modem mode (turn off DHCP, DNS and WiFi) and plug a decent router into it which will provide all those features. |