fixing ftp problems with apple airport and os

Upload: anonymous-f4yguk9f

Post on 06-Jul-2018


  • 8/18/2019 Fixing FTP Problems With Apple Airport and OS...

    1/5

    About this Document

    This document is not a step-by-step how-to tutorial. Its primary goal is to help you understand why it's not working, and to provide links to various information sources that will provide step-by-step instructions.

    The Symptom

    After installing an Apple Airport Base Station (ABS) as your Internet Router in its default configuration (DHCP & NAT turned on) you can no longer FTP back to your OS X box (Jaguar or Panther -- still!) through a firewall, even after turning on port mapping.

    Apple's Recommended Solution (from the Airport Help Pages)

    To ensure that requests are routed to your Web, AppleShare, or FTP server

    properly, you need to establish a permanent IP address for your server and

    provide inbound port mapping information to the AirPort Base Station.

    For more information on port mapping, see the document "Designing AirPort

    Networks 2," located at www.apple.com/airport

    This answer didn't work for me. I bought the Apple Base Station specifically to be both a Wireless Access Point (WAP) as well as a NAT. Other, cheaper WAP/NAT boxes allow several configuration options that the most current Apple Base Station Admin Utility Software does not. The two missing configuration items requiring me to 'work different' were:

    ABS Software Missing Item #1: locking a specific DHCP'd IP address to a specific MAC address (the address of your network card), so that while a machine is still leasing an IP address, it gets the same IP address each time. This would be sooooo nice for things like TiVo and ethernet printers!!!

    and

    ABS Software Missing Item #2: range-based port mapping assignments (instead of single port to port mapping).

    To get things up and running most effectively, you need to solve both problems.

    Workaround for Issue #1: Semi-permanent DHCP'd IP address

    2-06-2005 21:01Fixing FTP problems with Apple Airport and OS X Panther/Jaguar 

    Pagina 1 di 5http://www.prairienet.org/~mcc/AirportFTPSetup.html


    This can most easily be accomplished by setting the DHCP lease time to 9999, as seen highlighted in red below:

    Fig 1: Airport Admin Utility - Setting ABS as a NAT/DHCP server with extended lease time

    Note that should you need to reassign your DHCP'd addresses in the future (in the next 27 years, anyway) you'll need to flip your System Preferences:Network:TCP/IP settings to manual, apply/save, and then flip them back to DHCP. There's probably a one-line command available from the terminal (as there is in Windows 98/2000/NT/XP) but this works for me.

    You could manually assign each of your computers a TCP/IP address, say 10.0.1.201, but I like to keep things all in one place, and it's easier to keep all of my TCP/IP configuration for all the machines on my network in one spot, and serve them out via DHCP. It also means that if the ISP updates their DNS servers, then DHCP will also update the individual computer's DNS settings. You could also set OS X up to use a manual IP address with DHCP'd everything else.

    That was the easy part.

    Workaround for Issue #2: The port mapping by range problem

    To understand this problem you must first understand some of the nuances of how FTP works, specifically, the differences between active and passive FTP. In a nutshell, most system administrators prefer to firewall all but the well-known ports on their network. With FTP, it forces the insecure portion of the connection to occur on the serving machine (i.e., my Mac at home). After the initial connection is made, the FTP server will shift the data transfer portion of the connection to a random, open, high-numbered port. Well, the Apple Base Station also firewalls, and it prefers that the insecure portion of the connection occurs on the other end. So... we have two very secure networks, and the end result is you're not getting any work done. So let's make things on my end a lot more insecure. The obvious thing to do is to port map all the 'ephemeral' ports -- all the high numbered ports that aren't assigned to a well-known protocol -- to our FTP server. The typical way to do this is to put a line in your NAT server like this:


    Public Ports (on ABS)    Private IP Address (of your Mac)    Private Ports (on Your Mac)
    49152-65534              10.0.1.2                            49152-65534

    Fig 2: Portmapping - The way it oughtta be!

    But you CAN'T! The best you can do is add an individual entry for each single solitary port like this:

    Fig 3: Airport Admin Utility - Portmapping - The way it is :-(

    Obviously, individually port mapping all of the possible upper level ports that Apple's built-in FTP daemon uses would be a bit of a chore, not to mention that I've read somewhere that the ABS Utility software cuts you off at twenty entries in the section shown above. So I mapped 11 (60000 - 60010).

    The next problem is to get your FTP server to use only those upper-level ports you've mapped for passive FTP. The FTP server that's distributed with OSX.2.3 is the default Free BSD FTP server, lukemftpd, and I know little about it, other than it's exceedingly difficult to find information about how to configure it -- if it takes me more than 15 minutes searching with Google to find a relevant tutorial/manual, it gets ranked as 'exceedingly difficult'. So I went and installed an FTP server I'd played around with before, and had received good reviews -- ProFTPd.

    Under Jaguar it initially took me a couple of days tweaking to get ProFTPd up and running. However upon reviewing these instructions for Panther, I found something better (MUCH easier to setup, and touted to be more secure). PureFTPd, via PureFTPd Manager (PayPal donation highly recommended!). It functions as a complete replacement for lukemftpd, meaning that it uses the Mac OS X userlist and I can turn it on and off via the System Preferences:Sharing control panel. Download and install PureFTPd Manager, and it will also install the PureFTPd server. Sweet. Downloaded, installed and up and running in 15 minutes. Sweeter. Much better than 'a couple of days of tweaking'. Sweetest. Did I mention donating to the developer via Paypal?

    So, after running the install package, launch PureFTPd Manager.app. It will lead you through a basic setup wizard, the default settings should be fine. Next you should see this screen:


    Fig 4: PureFTPd Manager - accessing preference pane to set passive ports

    Select the preferences button, then select the Server Settings icon on the next window (shown below).

    Fig 5: PureFTPd Manager - accessing Server preference pane to set passive ports

    And last, set your passive port settings using the range you entered into the Airport Admin Utility:

    Fig 6: PureFTPd Manager - Setting passive ports

    So after restarting the ftp server (PureFTPd Manager should prompt you anytime you need to restart the server due to a configuration change), leave the main PureFTPd Manager window up (Fig 4) and attempt to ftp from the CLI (command-line interface, ie, Terminal.app) to the loopback address on the same machine as the ftp server. It should look something like this:


    admin:~ mcchild$ ftp 127.0.0.1
    Connected to localhost.
    220---------- Welcome to Pure-FTPd [TLS] ----------
    220-Local time is now 11:34. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Name (127.0.0.1:mcchild):

    Fig 6: Terminal.app - Testing FTP server via loopback address

    Once you're at this stage, the next step is to ftp to your server from a machine on your inside network, and once that is successful, the real test -- ftping from outside your network (at which point you're going through the ABS).

    Should you run into problems at any of these points, an invaluable (and free!) tool to use is Ethereal, a packet Analyser (aka, Sniffer). It's a bit of a pain to install as it is an X Windows Application (best to use Fink and Fink Commander to install, and you'll also most likely need to install Apple's X11 software -- Panther or better). Ethereal has its own steep learning curve as well, but it will tell you everything you need to know (and more, if you're not precise) about the packets flying around on your network. An extra added bonus is that if you ever need to run it on a Unix or a Windows box, you can download and install a version for those platforms as well, so you don't have to relearn a complex program. Once you've gone through the trouble to get all of that installed, then you really should go one more step farther and use Fink Commander to install The GIMP, and stop shelling out $700 for Adobe Photoshop just to edit images for your webpages ;-)
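A quicker check than a full packet capture at each of the three test stages, as an added example that is not part of the original page: it parses the server's 227 passive-mode reply (RFC 959) and reports whether the advertised data port falls inside the 60000-60010 range mapped above, and whether the advertised address is an RFC 1918 private one that a client outside the NAT cannot reach directly. The function names and sample replies are constructed for illustration.

```python
import ipaddress
import re

# The 11 single-port entries mapped on the base station in the article.
MAPPED_PORTS = range(60000, 60011)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    # The data port is sent as two bytes: high byte, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, from_outside, mapped=MAPPED_PORTS):
    """Return the reasons a data connection to this reply would fail."""
    ip, port = parse_pasv(reply)
    problems = []
    if port not in mapped:
        problems.append("port %d is outside mapped range %d-%d"
                        % (port, mapped[0], mapped[-1]))
    addr = ipaddress.ip_address(ip)
    if from_outside and any(addr in net for net in RFC1918):
        problems.append("advertised address %s is private" % ip)
    return problems


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    ("227 Entering Passive Mode (10,0,1,2,234,101)", False),   # LAN, port 60005
    ("227 Entering Passive Mode (10,0,1,2,234,101)", True),    # seen from outside
    ("227 Entering Passive Mode (203,0,113,7,192,12)", True),  # port 49164
]

if __name__ == "__main__":
    for reply, outside in SAMPLES:
        print(reply, "->", check_pasv(reply, outside) or "ok")
```

The reply line to feed it is the one the ftp client shows in verbose or debug mode when it switches to passive mode.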

    Security

    So you could stop here, since you've got everything working, but you really should muck things up by making things secure. In PureFTPd you should disable the guest ftp account, and also force an sftp (secure ftp) connection -- both of these available through the preference pane of PureFTPd Manager. And you'll need to portmap ports 22 and 115 on the ABS in addition to ports 20 and 21 shown in Fig 1.

    Ports 20/21 are the standard ftp ports, 22 is the secure shell (ssh) port (a secure version of telnet, which is also used by sftp), and 23 is used by normal, insecure telnet (which is off by default in both Panther and Jaguar). Ideally after successfully testing the insecure setup to make sure everything works, one should switch over to secure ftp and telnet and ports 20/21 and 23 should be UNmapped, leaving just 22 and 115 and the passive ftp (now sftp) ports. The other port shown mapped in Fig 1 is port 80, which is the HTTPd port, i.e., The Apache webserver.

    Good Luck! If you need help, drop me a line and I'll see what I can do to help. Note that the e-mail address is a graphic to discourage spam-crawlers, so you'll need to retype it.

    Matt < >

    Has this page been of service to you? If so, I'd be honored if you would consider supporting it with a small donation by PayPal:
