Q: FTP Server Configuration ( Answered,   10 Comments )
Question  
Subject: FTP Server Configuration
Category: Computers > Internet
Asked by: knowledge_seeker-ga
List Price: $4.00
Posted: 14 Jun 2002 17:11 PDT
Expires: 21 Jun 2002 17:11 PDT
Question ID: 26178
This question is from a friend ---

I am on a home network connected to a Linksys Cable/DSL Router
(BEFSR41) for sharing broadband.  I would like to set up an FTP Server
on one of my networked PCs so that I can share information only with
Family and Friends across the internet.  I am using BulletProof FTP
Server Version 2.15.    I have configured the server with my PC's
local IP address, set up a shared FTP directory and user profile for
remote access.

This works fine on my local network, but my difficulty is in providing
remote access across the internet.   My Linksys provider told me that
I need to "poke" a hole in my firewall to accomplish this.   They said
I could either enable access to ports 20 and 21, or set up my computer
as a DMZ host.   As I understand it, the latter option will fully
expose my computer to the internet.   Naturally I am concerned about
maintaining security, so this option is not all that attractive.   In
any case, I tried both of those options and was still unable to give
remote users access to my FTP server.

It seems to me that the reason remote users can't connect to my FTP
server is because my local network IP address isn't broadcast across
the internet.   My ISP does provide me with a webspace, so I'm
wondering if it is necessary, or even possible, to set it up there?
Or maybe there is a way to use my ISP's DNS servers to somehow direct
people to my local FTP server?

I would appreciate it if someone could provide me with a secure
workable solution to my problem. Thanks.

Clarification of Question by knowledge_seeker-ga on 14 Jun 2002 17:31 PDT
My broadband connection has a dynamic IP assignment.  I would expect
to have no more than 2-4 remote users accessing my FTP server
simultaneously.

Clarification of Question by knowledge_seeker-ga on 14 Jun 2002 17:40 PDT
I should have indicated that I am using a cable modem and not a DSL connection.

Request for Question Clarification by webadept-ga on 14 Jun 2002 20:13 PDT
Hi Knowledge_seeker,

Would love to help you with this, but as the comments below (most of
them very good by the way) suggest, that dynamic IP address is the
bugaboo. It's just not going to work out. Not for a stable solution
anyway.

Static IPs are sometimes not all that expensive, you might check with
your ISP on what it would take to get one of those.

Another thing you might want to look into is SSL, and using a secure
FTP, instead of opening up port 21. I have a few servers on the net
and I would venture to say that the first "hack type connection" I
get on a new server happens in the first two hours of bringing it on
line. That's pretty fast. There are several OpenSource FTP SSL setups
out there, might check some of those out.

I don't use FTP on any of my servers, all of them run a Secure FTP, if
you would like I could run down some information on those, but I would
check on the Static IP address first before pursuing this much
further.

webadept-ga

Clarification of Question by knowledge_seeker-ga on 15 Jun 2002 09:59 PDT
Thanks to all for the great comments!   I looked carefully at all of
the suggestions and made excellent progress.

Thanks cdmacken-ga for the easy to follow steps!   I followed them and
got the FTP server to work at least once from outside the firewall.

Clarification for Webadept

I have discovered from cdmacken-ga’s comment that my ISP DOES give me
a static IP for the Router on the WAN port.
  
Unfortunately, a remote user was only able to connect to my FTP server
once with the following settings :

*PC configured as a DMZ host
*Ports 20 and 21 forwarded to my PC 
*Block WAN request disabled.  

When I disable the DMZ host it doesn’t appear to work.  I am not
really comfortable to have this wide open access to my computer.   I
am definitely interested in a low cost secure FTP solution.
Answer  
Subject: Re: FTP Server Configuration
Answered By: markoft-ga on 15 Jun 2002 19:43 PDT
 
Hello  knowledge_seeker

I have a few simple steps that should get you up and running barring a
faulty firewall/router.

1. Confirm your ip address.  
   A. If you are using Windows 95,98, or ME go Start>>Run and type in
"winipcfg" without the quotes.  In the new window that pops up select
the network card that is currently connected to the Linksys and click
on the "Advanced" button.
   B. If you are using Windows NT, 2000 or XP open a DOS window by
going Start>>Run and entering "cmd".  This will bring up a new window.
Enter the command "ipconfig -a" and the output will contain the
current IP addresses of all network cards in use.

2. Confirm that you have entered the IP address in the above steps
into the provided ip address field on the "Forward" tab which is
located under the "Advanced" section of the Linksys configuration. 
Ensure that ports 21 and 20 are both entered into the ports fields
also on the "Forward" tab.  Make sure to hit the "Apply" button so
that the changes are entered into the configuration.

3.  Disable the DMZ routing.

You should be good to go at this point.  If people are unable to
access the FTP server by connecting to your static IP address, then
contact Linksys support.  You may have a defective unit and Linksys
support will be able to confirm this and setup an RMA for you.

Linksys support:
Tech Support 
Direct number          1-949-261-1288 
TollFree number        1-800-326-7114
E-mail address    support@linksys.com

Linksys support webpage detailing the port forwarding setup:
http://www.linksys.com/tech_helper/advanced.html

markoft

Request for Answer Clarification by knowledge_seeker-ga on 16 Jun 2002 11:48 PDT
hi markoft,

Unfortunately your answer provides me with no useful or additional
information from that of the previous 10 comments and clarification.
As I mentioned in my own clarification above, cdmacken's step-by-step
instructions did work. The issue is security.

For a positive rating of your answer, would you please follow-up on
webadept's suggestion and provide me with options for OpenSource FTP
SSL setups.

Thanks so much.

Clarification of Answer by markoft-ga on 16 Jun 2002 13:03 PDT
Instead of locating an FTP that uses SSL I have located an FTP-like
SSH program, SFTP.  SSH stands for Secure Shell and is the most widely
used remote UNIX access tool.  There is a simple to use client dubbed
Putty, link is below.  The server is more difficult to set up but it
should only need to be set up once.  SSL FTP seems to be more difficult
as it still uses the FTP protocol over SSL encryption.  SFTP uses
SSH's native file transfer ability and presents it in an FTP-like
interface.

Also it seems to me that you still have the server sitting in the
firewall's DMZ.  SFTP and SSL wrappers will only protect the port they
are monitoring.  If this is the case you will still want to try and
get just the port forwarding working or install a software firewall on
that computer.  I am including a link to a fairly good network
security testing website, Gibson Research.

Putty SFTP, Client for SFTP:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

SFTP daemon for Win32 using Cygwin:
http://www.dpinson.com/software/sftp/index.php

Cygwin, needed for the server implementation:
http://sources.redhat.com/cygwin/

Gibson Research Corporation:
https://grc.com/default.htm

markoft
Comments  
Subject: Re: FTP Server Configuration
From: ninex-ga on 14 Jun 2002 17:26 PDT
 
Is your broadband connection on a static or dynamic IP?  How many
simultaneous users would you expect to have on your ftp?
Subject: Re: FTP Server Configuration
From: rudi51-ga on 14 Jun 2002 17:34 PDT
 
If it is any help, try asking this question on www.adslguide.org.uk
the moderators are usually really helpful and may be able to assist
you.
Subject: Re: FTP Server Configuration
From: g0d-ga on 14 Jun 2002 17:49 PDT
 
Go to dyndns.org and set yourself up a dynamic IP address so that
others can connect to you easily.

You only need to open ports 20 and 21.  If people from the outside are
having issues connecting try setting their data connection mode to PASV
or PORT in their client program and see if that works.

If all else fails, upgrade your firmware to the latest from Linksys.
Subject: Re: FTP Server Configuration
From: tim_mathews-ga on 14 Jun 2002 17:52 PDT
 
Make sure that the ftp client is in passive mode if it is outside of
the firewall/router.  At the ftp> prompt type 'pasv' (without the ' of
course).  That should take care of things.  However if it is a
graphical ftp client, you'll have to figure out how to make it go
passive on your own, it should be in the config options.
Subject: Re: FTP Server Configuration
From: ninex-ga on 14 Jun 2002 17:53 PDT
 
Normal FTP usage needs the two ports of 21 for the control connection
and 20 as the data connection.  It is easy to set up a port redirect
for just these two ports. But then comes the complication of the PORT
and PASV commands, these commands complicate things very much.  Normal
FTP operation occurs with the client connecting to your server on port
21, your server will connect back to them on port 20.

Client -> Server:21
Server -> Client:20

Now since many people use an FTP site at once, there is the PORT
command; this will change the port that the server is calling out to.
This normal operation just requires you to open up port 21 to be
directed to your computer, as the NAT function of the Linksys will
allow the outgoing data connection automatically.

Now to handle requests from others who are behind a firewall/NAT device
there is the PASV command; what this will do is have the client start
both connections:

Client -> Server:21
Client -> Server:20

But the PASV command will return the next available port which can be
in a range from 1024 - 64k.  Bulletproof allows you to set a fixed
range in the Options ->Multi IP settings, recommended is for 2x number
of users expected.  You will then need to set a group port redirect
for that range on the Linksys box.  No real need to worry about having
a small hole of 10 ports open when there are no listeners that are
live on them 99% of the time.  You can also set the external IP that
the FTP will be on, in that screen.  Sometimes necessary as the
Linksys might not translate this embedded address correctly. Try and
see.

Now for users to get to you nicely you should use a service called
dynip.  With a piece of software every time your IP changes it will
update on their system so that for instance knowledge_seeker.dynip.com
always will point to your current external IP.
More info can be found in RFC595 or ask for more clarification.
Subject: Re: FTP Server Configuration
From: terje-ga on 14 Jun 2002 17:58 PDT
 
Here's the deal.
Your Linksys Cable/DSL Router is acting like a single computer with a
single connection to the internet. All of your computers that are
running programs that connect to the internet through your Linksys
Cable/DSL Router appear from the internet's point of view to be
programs running on your Linksys Cable/DSL Router.

There is no way for anyone to directly connect to any of your
computers behind the Linksys Cable/DSL Router. But, you can configure
your Linksys Cable/DSL Router to connect an incoming connection to
your Linksys Cable/DSL Router to any one of the computers, "behind"
the Linksys Cable/DSL Router.

When your Linksys provider told you to, "poke a hole" they meant that
you should configure your Linksys Cable/DSL Router to connect
incoming connections on some port to connect that connection to your
computer running the FTP server on it.

The other issue is that anyone on the internet cannot see the IP
number of that computer. But, they can see the IP number of your
Linksys Cable/DSL Router. So, anyone on the internet would have to
connect to that IP number with FTP in order to connect to that
computer that you have running your FTP server.

They said to configure for ports 21 and 20 because those are the ones
used for FTP. If your FTP server software is insecure (has
bugs/security holes) then you are making it so that people might be
able to hack into your computer. If there are no bugs in your FTP
server software, then there is no way for anyone to break in unless
you configure more holes in your Linksys Cable/DSL Router.

Another problem is dynamic versus static IP numbers. If you have a
static IP number, it's easy for someone on the internet to connect to
your FTP server because the IP number of your Linksys Cable/DSL Router
will remain constant. But, if you have a dynamic IP, your IP number
will constantly be changing on you. If this is the case, then it will
be much harder for your friends to connect to you.  You will
constantly have to check to see what your new IP number is and then
tell them somehow.
Subject: Re: FTP Server Configuration
From: haggy-ga on 14 Jun 2002 18:45 PDT
 
You are using something called DHCP.  Your ISP is giving you an IP
address, which is most likely dynamic.  Then your Linksys Cable/DSL
Router is giving an IP address to each computer on your local network
using DHCP.  These IP addresses are not accessible to the outside
world. Chances are that your ISP can provide a static IP address, and
even DNS service for it, but that's probably not what you want.  It
will cost more, and will not fix this problem.

When you "poke a hole" in your firewall by exposing ports 20 and 21,
you are telling your router to send all traffic that was sent to its
IP address and one of those ports (not the address of your computer)
to the address of your computer.

Suppose that your ISP dynamically assigns an IP address of
200.123.123.1 to your router.  Then your PC gets its own IP address
which probably starts with 192.168 or 172.16.  If you give one of the
latter addresses to anybody, it will do them no good outside your
network.  If you give them the hypothetical 200.123.123.1 address,
your router will take traffic to that address and route it to your
local computer at one of the latter addresses, or whatever DHCP
assigned.

Your router configuration screen should show you the IP address of the
router (what the outside world sees), or you can go to a public web
site such as http://www.whatismyipaddress.com/ to see it.  You can
then give that address to somebody outside your firewall once you've
opened up the appropriate ports and routed those ports to your local
computer.

Keep in mind that if the IP address is dynamic (check with your ISP)
then it may change when you turn off or reboot your router. Another
user suggested www.dyndns.org.  While they do not give you a dynamic
IP address as that user suggested, they do allow you to register a
subdomain name that will point to your network.  That way, you can
give out a name such as kseeker.dyndns.org to your friends, and if
your IP address changes, a local utility on your PC can keep dyndns
abreast of the change.  That way, a user need not know an IP address
or care when it changes.  The process is not trivial, nor is it needed
to solve your problem.  But it can make things much easier down the
road.  I would suggest that you solve this issue first, and then look
into dyndns or a similar service later.

Once you give the appropriate IP address to outside users, and open up
the appropriate ports, all that is left are FTP issues.  If the
outside users start off with the same FTP client you used internally,
and with the same settings, then there should be no problems.
Subject: Re: FTP Server Configuration
From: cdmacken-ga on 14 Jun 2002 22:28 PDT
 
I have a LinkSys router and have no problems using FTP through it.

The first thing you need to do is go into the setup program for your
router and look at the Status page.  On there, it lists 2 IP
addresses, 1 for your LAN and one for your WAN (cable modem).  Write
down the WAN IP address.

Next, you want to do an experiment to see if your IP address is truly
dynamic.  Click on the "Release" button.  Your IP address will be set
to all 0s.  Once your IP address has been released, you can click on
the "Renew" button.  Write down this new IP address.  If it is
different than the old IP address, then you will not be able to host
an FTP server UNLESS you know the fully qualified DNS name for your
computer.

Now you need to change the settings for your PC to turn off DHCP and
manually configure the PC so that it has a static IP address.  Print
off the "Status" screen for the Linksys router config, as you will
need to manually enter the subnet mask, default gateway, and DNS
servers.  Then go into your TCP/IP properties, and select "use the
following IP address."  You can choose any IP address between
192.168.1.2 and 192.168.1.99.  You will also have to enter the subnet
mask, gateway, and DNS server IP address that you just printed out.

The next step is to go into the Advanced tab and temporarily enable
the DMZ host, enter the IP address you just assigned to your computer.
 Click OK.  Refresh the screen to make sure that the setting stuck.

Now get a friend to see if they can FTP to your machine from outside
your LAN.  Please note that on some firmware revisions for the LinkSys
you cannot FTP or HTTP to your WAN ip address.  Once you are done this
test, turn off the DMZ host.  If you were not able to FTP to the
machine, then the problem is either in your FTP software configuration
(e.g. blocked and allowed IP addresses) or it is even possible that
your provider is blocking this port.

If you were able to FTP through the DMZ, then the next step is to try
to set up the port forwarding.  Go into the Linksys advanced set up,
and set up forwarding on port 21 to the static IP address that you
assigned to your PC.  It should only be necessary to forward port 21,
but you can try adding the other port if this does not work.  Again,
refresh the screen to make sure that your changes took effect, and
then get a friend to try FTPing to your machine from outside of your
LAN.

This worked for me.  Good luck!
Subject: Re: FTP Server Configuration
From: haggy-ga on 15 Jun 2002 15:10 PDT
 
Clicking on "release" and "renew" will not necessarily tell you if you
have a dynamic IP address.  With many cable systems, you may get the
same IP address if it did not get assigned to anybody else.

Having a dynamically assigned IP address will not stop you from doing
anything.  However, the remote user must know what IP address you are
using at the time.
If you set your router so that there is no time out for being idle,
then you can theoretically keep your IP address indefinitely. However,
a solution such as dyndns.org (above) is a more practical one.

You will NOT have a fully qualified domain name with a dynamic IP
address unless you set one up with a service such as dyndns.org or a
similar one. Domain names resolve to an IP address by definition, and
your host will not put you in their DNS if your IP address is dynamic.
