Port Forwarding wu-ftpd from Behind a Linksys Router Mini-Howto
I had a bit of education today attempting to get a friend’s Linksys Router to forward her Linux box’s WuFTP server
to her external IP Address. After I STFW’d, I decided that there really wasn’t a clear guide on how to do it. So,
I’ll explain what I did to get it to work.
In the beginning…
Before you start forwarding services to the Internet, ENSURE THAT WUFTPD is up to date. Wuftpd has had several remotely exploitable bugs. The firewall won’t prevent the kiddies from owning your Linux box if wuftpd is vulnerable, as you’re allowing that service to be accessible to the world.
In addition, be sure to disable anonymous access. You don’t want your server to become a warez dump site.
Using A Port Other than 21
The first thing that I learned was that the Internet provider seemed to be blocking incoming traffic to port 21. So, check that first, and if that’s the case, choose another, obscure port.
I happened to pick an obscure port, 8082. First off, I added 8082 to the /etc/services file with the following command.
localhost> echo "ftp2 8082/tcp" >> /etc/services
Then, I added the following lines to /etc/xinetd.conf:
service ftp2
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    server_args = -a -l -i -o -t 300 -T 300 -W
}
The most important thing is that the service name (ftp2 here) matches a line in your /etc/services file with the port you expect. The second most important thing is that you have the -a in your server_args list to tell wuftpd to read /etc/ftpaccess.
Configuring /etc/ftpaccess
You’ll need to configure passive mode in /etc/ftpaccess for wuftpd. I added the following lines to /etc/ftpaccess.
passive address (YOUR FIREWALL'S WAN IP ADDRESS HERE) 0.0.0.0/0
passive ports 0.0.0.0/0 40000 41000
pasv-allow all 192.168.0.0/24
port-allow all 192.168.0.0/24
You can limit or increase the passive port range, but remember, you must port forward the passive port range (40000 41000) from your router to your Linux box.
Port Forwarding with the Linksys Router (BEFSR11, BEFSR41, BEFSR81)
First, you’ll need to know your Linux box’s IP Address here. On most current distros, it is stored in /etc/dhcpcd/dhcpcd-eth0.info. On distros using pump, you’ll need to do a pump -s.
Make sure that you have the latest firmware from Linksys. The latest version appears to be 1.40.2 and is available here. It is generally a good idea to keep the firmware up-to-date because the newest firmware fixes functional and security-related issues with your router.
Next, from behind the firewall, fire up your favorite Internet Browser (e.g. Galeon), and configure the Linksys firewall by going to http://192.168.1.1. The user name is “admin”, and the password you should have changed already. Once you’re at the Router Configuration page, go to “Advanced”, and then “Port Forwarding”.
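The checks implied by the steps above, as an added example that is not part of the original howto: a shell function that reads the three edited files and prints the control port and passive range that have to be forwarded on the router. The function names and the sample files are constructed for illustration; the file formats are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original howto): cross-check the files edited
# above and list the TCP ports the router must forward.

# forward_list SERVICE SERVICES_FILE XINETD_FILE FTPACCESS_FILE
# Prints "control <port>" and "passive <min>-<max>"; non-zero on a mismatch.
forward_list() {
    svc=$1; services=$2; xinetd=$3; ftpaccess=$4

    # /etc/services entries have the form "name port/protocol".
    port=$(awk -v s="$svc" '$1 == s && $2 ~ /^[0-9]+\/tcp$/ {
        sub(/\/tcp$/, "", $2); print $2; exit }' "$services")
    [ -n "$port" ] || { echo "no $svc <port>/tcp entry in $services" >&2; return 1; }

    # The service block must pass -a so wu-ftpd reads /etc/ftpaccess.
    args=$(awk -v s="$svc" '
        $1 == "service" && $2 == s    { in_blk = 1; next }
        in_blk && $1 == "}"           { exit }
        in_blk && $1 == "server_args" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$xinetd")
    case " $args " in
        *" -a "*) ;;
        *) echo "service $svc missing or server_args lacks -a" >&2; return 2 ;;
    esac

    # "passive ports <cidr> <min> <max>" is the data-port range to forward.
    range=$(awk '$1 == "passive" && $2 == "ports" && $4 + 0 < $5 + 0 {
        print $4 "-" $5; exit }' "$ftpaccess")
    [ -n "$range" ] || { echo "no usable passive ports line in $ftpaccess" >&2; return 3; }

    echo "control $port"
    echo "passive $range"
}

# Constructed sample files mirroring the settings in this howto.
make_sample() {
    printf 'ftp2 8082/tcp\n' > "$1/services"
    printf 'service ftp2\n{\n  server_args = -a -l -i -o -t 300 -T 300 -W\n}\n' \
        > "$1/xinetd.conf"
    printf 'passive ports 0.0.0.0/0 40000 41000\n' > "$1/ftpaccess"
}

d=$(mktemp -d) && make_sample "$d" &&
    forward_list ftp2 "$d/services" "$d/xinetd.conf" "$d/ftpaccess"
rm -rf "$d"
```

To check the live configuration, call forward_list ftp2 /etc/services /etc/xinetd.conf /etc/ftpaccess and forward exactly the ports it prints, nothing wider.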

Optionally, you can change your MTU size which will cut down on packet loss. It is theorized that the best size is 1000. The MTU option is under Filters on the Advanced tabs.

Passive Mode Clients
If you’re using CuteFTP or WSFTP, be sure to enable passive mode or you won’t be able to do a directory listing or transfer any files. I happen to work on an AIX box, and the default ftp command doesn’t support passive mode. Thankfully, someone at Indiana University has compiled pftp for AIX which supports passive mode. The 32-bit binary is here, 64-bit is here. So, now I can ftp from an AIX 4.3 box to a Redhat Linux 7.1 box behind a Linksys BEFSR11 Router.






