
Fixing FTP problems with Apple Airport and OS X Panther/Jaguar

2-06-2005 21:01

About this Document

This document is not a step-by-step how-to tutorial. Its primary goal is to help you understand why it's not
working, and it provides links to various information sources that will give you step-by-step instructions.
The Symptom
After installing an Apple Airport Base Station (ABS) as your Internet Router in its default configuration
(DHCP & NAT turned on) you can no longer FTP back to your OS X box (Jaguar or Panther -- still!)
through a firewall, even after turning on port mapping.
Apple's Recommended Solution (from the Airport Help Pages)
To ensure that requests are routed to your Web, AppleShare, or FTP server
properly, you need to establish a permanent IP address for your server and
provide inbound port mapping information to the AirPort Base Station.
For more information on port mapping, see the document "Designing AirPort
Networks 2," located at www.apple.com/airport

This answer didn't work for me. I bought the Apple Base Station specifically to be both a Wireless Access
Point (WAP) as well as a NAT. Other, cheaper WAP/NAT boxes allow several configuration options that
the most current Apple Base Station Admin Utility Software does not. The two missing configuration items
requiring me to 'work different' were:
ABS Software Missing Item #1: locking a specific DHCP'd IP address to a specific MAC
address (the address of your network card), so that while a machine is still leasing an IP address, it
gets the same IP address each time. This would be sooooo nice for things like TiVo and ethernet
printers!!!
and
ABS Software Missing Item #2: range-based port mapping assignments (instead of single port
to port mapping).
To get things up and running most effectively, you need to solve both problems.
Workaround for Issue #1: Semi-permanent DHCP'd IP address

http://www.prairienet.org/~mcc/AirportFTPSetup.html

This can most easily be accomplished by setting the DHCP lease time to 9999, as seen highlighted in red
below:

Fig 1: Airport Admin Utility - Setting ABS as a NAT/DHCP server with extended lease time
Note that should you need to reassign your DHCP'd addresses in the future (in the next 27 years, anyway)
you'll need to flip your System Preferences:Network:TCP/IP settings to manual, apply/save, and then flip
them back to DHCP. There's probably a one-line command available from the terminal (as there is in
Windows 98/2000/NT/XP) but this works for me.
You could manually assign each of your computers a TCP/IP address, say 10.0.1.201, but I like to keep
things all in one place, and it's easier to keep all of my TCP/IP configuration for all the machines on my
network in one spot, and serve them out via DHCP. It also means that if the ISP updates their DNS servers,
then DHCP will also update the individual computer's DNS settings. You could also set OS X up to use a
manual IP address with DHCP'd everything else.
That was the easy part.
Workaround for Issue #2: The port mapping by range problem
To understand this problem you must first understand some of the nuances of how FTP works, specifically
the differences between active and passive FTP. In a nutshell, most system administrators prefer to firewall
all but the well-known ports on their network. With FTP, this forces the insecure portion of the connection to
occur on the serving machine (i.e., my Mac at home): after the initial connection is made on the control port,
the FTP server shifts the data transfer portion of the connection to a random, open, high-numbered port. Well,
the Apple Base Station also firewalls, and it prefers that the insecure portion of the connection occurs on the
other end. So... we have two very secure networks, and the end result is you're not getting any work done. So
let's make things on my end a lot more insecure. The obvious thing to do is to port map all the 'ephemeral'
ports -- all the high-numbered ports that aren't assigned to a well-known protocol -- to our FTP server. The
typical way to do this is to put a line in your NAT server like this:


Public Ports (on ABS)    Private IP Address (of your Mac)    Private Ports (on your Mac)
49152-65534              10.0.1.2                            49152-65534

Fig 2: Portmapping - The way it oughtta be!

But you CAN'T! The best you can do is add an individual entry for each single solitary port like this:

Fig 3: Airport Admin Utility - Portmapping - The way it is :-(


Obviously, individually port mapping all of the possible upper level ports that Apple's built-in FTP daemon
uses would be a bit of a chore, not to mention that I've read somewhere that the ABS Utility software cuts
you off at twenty entries in the section shown above. So I mapped 11 (60000 - 60010).
The next problem is to get your FTP server to use only those upper-level ports you've mapped for passive
FTP. The FTP server that's distributed with OSX.2.3 is the default FreeBSD FTP server, lukemftpd, and I
know little about it, other than that it's exceedingly difficult to find information about how to configure it -- if it
takes me more than 15 minutes searching with Google to find a relevant tutorial/manual, it gets ranked as
'exceedingly difficult'. So I went and installed an FTP server I'd played around with before, and which
had received good reviews -- ProFTPd.
Under Jaguar it initially took me a couple of days of tweaking to get ProFTPd up and running. However, upon
reviewing these instructions for Panther, I found something better (MUCH easier to set up, and touted to be
more secure): PureFTPd, via PureFTPd Manager (PayPal donation highly recommended!). It functions as a
complete replacement for lukemftpd, meaning that it uses the Mac OS X user list and I can turn it on and off
via the System Preferences:Sharing control panel. Download and install PureFTPd Manager, and it will also
install the PureFTPd server. Sweet. Downloaded, installed and up and running in 15 minutes. Sweeter.
Much better than 'a couple of days of tweaking'. Sweetest. Did I mention donating to the developer via
PayPal?
So, after running the install package, launch PureFTPd Manager.app. It will lead you through a basic setup
wizard, the default settings should be fine. Next you should see this screen:


Fig 4: PureFTPd Manager - accessing preference pane to set passive ports


Select the preferences button, then select the Server Settings icon on the next window (shown below).

Fig 5: PureFTPd Manager - accessing Server preference pane to set passive ports
And last, set your passive port settings using the range you entered into the Airport Admin Utility:

Fig 6: PureFTPd Manager - Setting passive ports


So after restarting the ftp server (PureFTPd Manager should prompt you anytime you need to restart the
server due to a configuration change), leave the main PureFTPd Manager window up (Fig 4) and attempt to
ftp from the CLI (command-line interface, ie, Terminal.app) to the loopback address on the same machine as
the ftp server. It should look something like this:


admin:~ mcchild$ ftp 127.0.0.1
Connected to localhost.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-Local time is now 11:34. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (127.0.0.1:mcchild):
Fig 6: Terminal.app - Testing FTP server via loopback address
Once you're at this stage, the next step is to ftp to your server from a machine on your inside network, and once
that is successful, the real test -- ftping from outside your network (at which point you're going through the
ABS).
Should you run into problems at any of these points, an invaluable (and free!) tool to use is Ethereal, a
packet analyser (aka sniffer). It's a bit of a pain to install as it is an X Window application (best to
use Fink and Fink Commander to install, and you'll also most likely need to install Apple's X11 software,
Panther or better). Ethereal has its own steep learning curve as well, but it will tell you everything you
need to know (and more, if you're not precise) about the packets flying around on your network. An extra
added bonus is that if you ever need to run it on a Unix or a Windows box, you can download and install a
version for those platforms as well, so you don't have to relearn a complex program. Once you've gone
through the trouble to get all of that installed, then you really should go one step farther and use Fink
Commander to install The GIMP, and stop shelling out $700 for Adobe Photoshop just to edit images for
your webpages ;-)
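As an added check for the "outside" test (example code written for this page, not part of the original or of PureFTPd), the script below parses the 227 reply a passive-mode FTP server sends, recovers the data port it announced, and tells you whether that port is one of the single-port entries you mapped on the ABS; it also lists any ports in a PureFTPd passive range that the ABS entries do not cover. The port map (60000-60010, as in the text) and the sample replies are constructed for the example.

```python
import re

# Constructed for this example: the 11 single-port entries mapped on the ABS
# (60000-60010), as (public port, private port) pairs.
ABS_PORT_MAP = [(p, p) for p in range(60000, 60011)]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply. The port is sent as two bytes,
    so the real data port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    fields = m.groups()
    ip = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return ip, port


def forwarded_private_ports(port_map=ABS_PORT_MAP):
    """The set of private-side ports the ABS actually forwards."""
    return {priv for _pub, priv in port_map}


def check_pasv(reply, port_map=ABS_PORT_MAP):
    """Is the data port the server just announced forwarded by the NAT?
    If not, the client's data connection never reaches the Mac."""
    ip, port = parse_pasv(reply)
    return ip, port, port in forwarded_private_ports(port_map)


def passive_range_gaps(lo, hi, port_map=ABS_PORT_MAP):
    """Ports in the PureFTPd passive range lo..hi that the ABS does not
    forward. An empty list means the two settings agree."""
    fwd = forwarded_private_ports(port_map)
    return [p for p in range(lo, hi + 1) if p not in fwd]


if __name__ == "__main__":
    # Constructed sample replies: 234*256+100 = 60004 (mapped), 195*256+89 = 50009 (not mapped)
    for reply in ("227 Entering Passive Mode (10,0,1,2,234,100)",
                  "227 Entering Passive Mode (10,0,1,2,195,89)"):
        ip, port, ok = check_pasv(reply)
        print("%s -> %s:%d %s" % (reply, ip, port, "forwarded" if ok else "NOT forwarded"))
    print("unforwarded ports in 60000-60012:", passive_range_gaps(60000, 60012))
```

The 227 replies can be read off an Ethereal capture of the control connection on port 21; a data port reported as NOT forwarded means the passive range in Fig 6 and the ABS entries in Fig 3 do not match.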
Security
So you could stop here, since you've got everything working, but you really should muck things up by
making things secure. In PureFTPd you should disable the guest ftp account, and also force an sftp (secure
ftp) connection -- both of these are available through the preference pane of PureFTPd Manager. And you'll
need to port map ports 22 and 115 on the ABS in addition to ports 20 and 21 shown in Fig 1.
Ports 20/21 are the standard ftp ports, 22 is the secure shell (ssh) port (a secure version of telnet, which is
also used by sftp), and 23 is used by normal, insecure telnet (which is off by default in both Panther and
Jaguar). Ideally, after successfully testing the insecure setup to make sure everything works, one should switch
over to secure ftp and telnet, and ports 20/21 and 23 should be UNmapped, leaving just 22 and 115 and the
passive ftp (now sftp) ports. The other port shown mapped in Fig 1 is port 80, which is the HTTPd port, i.e.,
the Apache webserver.
Good Luck! If you need help, drop me a line and I'll see what I can do to help. Note that the e-mail address
is a graphic to discourage spam-crawlers, so you'll need to retype it.
Matt < >

Has this page been of service to you? If so, I'd be honored if you would consider supporting it with
a small donation by PayPal:
