Transfering Files - FTP

Hi,

Can't get my head round this, but don't think it is too difficult
(Ha!)

I want to be able to share files with a friend via FTP - I have setup
an FTP server on my LAN with the address 192.***.***.*** (the machine
address in the LAN) I have a static address from my ISP shown in my
router ... what 'address' does does my matey friend type in at that
end to access my end??

Or is it that difficult??

Cheers

"Jack Ouzzi" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> Hi,
>
> Can't get my head round this, but don't think it is too difficult
> (Ha!)
>
> I want to be able to share files with a friend via FTP - I have setup
> an FTP server on my LAN with the address 192.***.***.*** (the machine
> address in the LAN) I have a static address from my ISP shown in my
> router ... what 'address' does does my matey friend type in at that
> end to access my end??

So this is an FTP server on your network, being accessed by your friend from
outside the LAN - ie across the internet from his broadband connection?

He'll need to connect to your public IP address (the static one allocated by
your ISP).

You'll need to set up a route in your router which directs FTP traffic (I
forget which port that is) to your FTP server's private (192.x.x.x) address.
You'll need to give that server a static address rather than letting the
router's DHCP give it an address, because the route needs to be defined by
relating public and private IP address (eg public address 1.2.3.4 port 5
routes to private address 192.168.0.2) and that will only work if the server
*always* uses 192.168.0.2 and not any other similar address. Remember if you
set the server to a static address in this subnet, reconfigure the router's
DHCP server to exclude that address from the "pool" otherwise there is a
chance that it might be given to another computer on the LAN.

It would be nice if routers would allow routes to be defined in terms of
computer names as an alternative to IP addresses, using the "attached
devices" list in the router, then you wouldn't have to fix the server's IP
address. Do any routers allow this?

In message <(E-Mail Removed) om>, Jack
Ouzzi <(E-Mail Removed)> writes
>Hi,
>
>Can't get my head round this, but don't think it is too difficult
>(Ha!)
>
>I want to be able to share files with a friend via FTP - I have setup
>an FTP server on my LAN with the address 192.***.***.*** (the machine
>address in the LAN) I have a static address from my ISP shown in my
>router ... what 'address' does does my matey friend type in at that
>end to access my end??
>
>Or is it that difficult??
>
He types in your ISP given address but you first have to set up port
forwarding for ports 20 and 21 in your router.

--
Devs
"Punchdown Pete the old Kroner"

On 2 Mar, 15:52, Devs <spamt...@secondrow.co.uk> wrote:
> In message <1172847938.892972.43...@31g2000cwt.googlegroups.c om>, Jack
> Ouzzi <mick.stur...@gmail.com> writes>Hi,
>
> >Can't get my head round this, but don't think it is too difficult
> >(Ha!)
>
> >I want to be able to share files with a friend via FTP - I have setup
> >an FTP server on my LAN with the address 192.***.***.*** (the machine
> >address in the LAN) I have a static address from my ISP shown in my
> >router ... what 'address' does does my matey friend type in at that
> >end to access my end??
>
> >Or is it that difficult??
>
> He types in your ISP given address but you first have to set up port
> forwarding for ports 20 and 21 in your router.
>
> --
> Devs
> "Punchdown Pete the old Kroner"

Ah ha! So let me get this right - remote user types in my given ISP
address, and provided I have opened port 21 and directed it to the
192.X.X.X computer on my LAN side he will then be able to view the
directory I have setup with various permissions to access transfer
files ... is THAT how it all works?

Doh - thanks
Thanks for the reply posts BTW !!

In article <(E-Mail Removed) .com>, Jack
Ouzzi
(E-Mail Removed) says...

> Ah ha! So let me get this right - remote user types in my given ISP
> address, and provided I have opened port 21 and directed it to the
> 192.X.X.X computer on my LAN side he will then be able to view the
> directory I have setup with various permissions to access transfer
> files ... is THAT how it all works?
>
It's a bit more complicated than that if you're using NAT routers at
both ends, because you need two connections between client and server:
http://slacksite.com/other/ftp.html

Rob Morley wrote:

> It's a bit more complicated than that if you're using NAT routers at
> both ends, because you need two connections between client and server:
> http://slacksite.com/other/ftp.html

As explained on that page, "active FTP will not function when used in
conjunction with a client-side NAT (Network Address Translation) device
which is not smart enough to alter the IP address info in FTP packets."

In other words, active FTP requires a protocol-specific, packet-mangling
"NAT helper" support of some sort from the router. Mere port forwarding
is not enough.

Some domestic ADSL/broadband routers have this capability, some others
don't. Some may automatically apply this to the traffic going through
the standard FTP port, but not others. There are also those where this
support must be manually enabled via a telnet command line interface, or
by some other "advanced" means.

--
znark

In message <(E-Mail Removed) .com>, Jack
Ouzzi <(E-Mail Removed)> writes
>Ah ha! So let me get this right - remote user types in my given ISP
>address, and provided I have opened port 21 and directed it to the
>192.X.X.X computer on my LAN side he will then be able to view the
>directory I have setup with various permissions to access transfer
>files ... is THAT how it all works?

That's about the size of it, yes!
--
Devs
"Punchdown Pete the old Kroner"

On 3 Mar, 17:11, "Jukka Aho" <jukka....@iki.fi> wrote:
> Rob Morley wrote:
> > It's a bit more complicated than that if you're using NAT routers at
> > both ends, because you need two connections between client and server:
> >http://slacksite.com/other/ftp.html
>
> As explained on that page, "active FTP will not function when used in
> conjunction with a client-side NAT (Network Address Translation) device
> which is not smart enough to alter the IP address info in FTP packets."
>
> In other words, active FTP requires a protocol-specific, packet-mangling
> "NAT helper" support of some sort from the router. Mere port forwarding
> is not enough.
>
> Some domestic ADSL/broadband routers have this capability, some others
> don't. Some may automatically apply this to the traffic going through
> the standard FTP port, but not others. There are also those where this
> support must be manually enabled via a telnet command line interface, or
> by some other "advanced" means.
>
> --
> znark

You see I thought it would not be that simple .... OK I have been
testing with my friend and he has been able to upload things from my
PC (nat router his end) not yet had a chance to try to download (or is
it up) from him to me. I have been able to have two way traffic from
another remote PC but that one had no nat router attached so will have
to wait and see on the first scenario ....

OK now for a security question .. my port 21 is now open, with traffic
being directed ONLY to PC 192.*.*.* on my LAN ... Username and
Password protected, that PC is running Linux OS and is running a Linux
FTP server ... the other PC's on my LAN network are all WinXP
machines .. how vulnerable is my network now??

On Sat, 03 Mar 2007 09:44:05 -0800, Jack Ouzzi wrote:

> On 3 Mar, 17:11, "Jukka Aho" <jukka....@iki.fi> wrote:
>> Rob Morley wrote:
>> > It's a bit more complicated than that if you're using NAT routers at
>> > both ends, because you need two connections between client and server:
>> >http://slacksite.com/other/ftp.html
>>
>> As explained on that page, "active FTP will not function when used in
>> conjunction with a client-side NAT (Network Address Translation) device
>> which is not smart enough to alter the IP address info in FTP packets."
>>
>> In other words, active FTP requires a protocol-specific, packet-mangling
>> "NAT helper" support of some sort from the router. Mere port forwarding
>> is not enough.
>>
>> Some domestic ADSL/broadband routers have this capability, some others
>> don't. Some may automatically apply this to the traffic going through
>> the standard FTP port, but not others. There are also those where this
>> support must be manually enabled via a telnet command line interface, or
>> by some other "advanced" means.
>>
>> --
>> znark
>
> You see I thought it would not be that simple .... OK I have been testing
> with my friend and he has been able to upload things from my PC (nat
> router his end) not yet had a chance to try to download (or is it up) from
> him to me. I have been able to have two way traffic from another remote PC
> but that one had no nat router attached so will have to wait and see on
> the first scenario ....
>
> OK now for a security question .. my port 21 is now open, with traffic
> being directed ONLY to PC 192.*.*.* on my LAN ... Username and Password
> protected, that PC is running Linux OS and is running a Linux FTP server
> ... the other PC's on my LAN network are all WinXP machines .. how
> vulnerable is my network now??

As well as the problem with the data connection's requiring "FTP
connnection tracking" support on one or other of the NAT routers, FTP
sends the username and password over the network in plain text. This is
insecure as someone who has access to any router in between (e.g. an ISP
employee) can steal your user and password and access your system. Of
course any reputable ISP would instantly dismiss any employee caught
stealing passwords, but you can't guarantee no-one's snooping.

As your server is Linux, I suggest you use ssh/scp instead. This is much
more secure as it encrypts everything including the user and password (if
used - it can use RSA/DSA key based authentication instead of a password).
You almost certainly already have an ssh server installed, and if you
don't it will be on your distribution CDs, but you may need to start it.
Then just forward port 22 to your server - or use a different port
externally and forward it to port 22 for very slightly increased security.

As well as being more secure, ssh uses a single connection so there's no
need for any fiddling around with IP addresses and port numbers in the
packets, so it will work with any routers.

If your friend is using Windows he can use the "pscp" or "psftp" client
from http://www.chiark.greenend.org.uk/~sgtatham/putty/ .

Make sure you configure your ssh server to deny root logon
("PermitRootLogin no" in sshd_config). Otherwise the defaults should be
adequate. If you have to change this, restart the ssh server. Use non
obvious user names and passwords.

Preventing access by password entirely and insisting on key based
authentication may be more secure (it may not - it means your machine is
only as secure as your friend's) but is rather fiddly. I suggest that you
read the documentation on your Linux machine and the above web site if you
want to do this as you really need to understand what you're doing.

Regards, Ian

Ian Northeast wrote:

> If your friend is using Windows he can use the "pscp" or "psftp"
> client from http://www.chiark.greenend.org.uk/~sgtatham/putty/ .

WinSCP should be worth a look as well:
<http://winscp.net/eng/docs/screenshots>

--
znark