Is there any way to learn the port range of a "Passive" FTP server which is not under my authority? It is possible to set the range within the configuration file, for example within vsftpd.conf:
pasv_min_port=25000
pasv_max_port=25500
#pasv_min_port=0
#pasv_max_port=0 (any port)
Since I want to apply a very restricted OUTPUT firewall (iptables) on my Linux terminal server, I need to know the remote server's port range. Does FTP support exposing port-range information that clients can make use of?
I am also open to any other possible solutions except the following one, where I assume the server IP address is 10.1.1.1:
-A OUTPUT -d 10.1.1.1 -j ACCEPT
Thanks for your interest...
Regards
EDIT
Thanks to @aaron-copley, @martin-prikryl, @user3590719
Answer to the main question: FTP doesn't expose the passive port range to clients.
The solution to my need is loading the netfilter connection tracking module for FTP.
ip_conntrack_ftp (module alias for CentOS/Red Hat: nf_conntrack_ftp)
Working example config for Red Hat 7:
/etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
iptables rules
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -j DROP
Finally, manually load the module or restart iptables.service.
I found this in a previous answer:
Setting up Linux iptables for FTP PASV mode connections
This: https://major.io/2007/07/01/active-ftp-connections-through-iptables/
and This:
https://www.cyberciti.biz/tips/how-do-i-use-iptables-connection-tracking-feature.html
In all of them you are going to want to use ip_conntrack_ftp and the RELATED rule in your iptables rules to keep the passive connections open.
The passive port range is not publicly announced by an FTP server.
All you can do is automate parallel transfers of many files to/from the server and deduce the range from the ports used for those transfers.
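One way to do the deduction the last answer describes, as an added example that is not from any of the posts: a small Python script that decodes the 227 PASV replies a client sees during many transfers (data port = p1*256 + p2), reports the smallest and largest data port observed, and renders the narrow OUTPUT rule for the server 10.1.1.1 from the question. The sample replies are constructed, and the observed range is only a lower bound on the server's configured range, which is why the conntrack approach in the EDIT is the more reliable fix.

```python
import re
from typing import Iterable, Optional, Tuple

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Decode one PASV reply into (host, port); None if it is not a valid 227 reply."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):        # every field is a single octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def observed_port_range(replies: Iterable[str]) -> Optional[Tuple[int, int]]:
    """Smallest and largest data port seen; only a lower bound on the real range."""
    ports = [hp[1] for hp in (parse_pasv(r) for r in replies) if hp is not None]
    if not ports:
        return None
    return min(ports), max(ports)

def output_rule(server: str, port_range: Tuple[int, int]) -> str:
    """Render a narrow iptables OUTPUT rule for the observed range (constructed helper)."""
    lo, hi = port_range
    return f"-A OUTPUT -d {server}/32 -p tcp -m tcp --dport {lo}:{hi} -j ACCEPT"

# Constructed sample replies, as a client would see them during parallel transfers.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,1,1,1,97,168).",   # 97*256+168 = 25000
    "150 Opening BINARY mode data connection",        # not a PASV reply, skipped
    "227 Entering Passive Mode (10,1,1,1,99,116).",   # 99*256+116 = 25460
    "227 Entering Passive Mode (10,1,1,1,98,12).",    # 98*256+12  = 25100
    "227 Entering Passive Mode (10,1,1,1,300,1).",    # malformed octet, skipped
]

if __name__ == "__main__":
    rng = observed_port_range(SAMPLE_REPLIES)
    print("observed data-port range:", rng)
    if rng is not None:
        print(output_rule("10.1.1.1", rng))
```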