Date: Wed, 29 Mar 2000 09:16:45 -0300 (GMT)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
To: durham@w2xo.pgh.pa.us (Jim Durham)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <200003291216.JAA25820@ns1.via-net-works.net.ar>
In-Reply-To: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> from Jim Durham at "Mar 28, 0 08:18:23 pm"
What I have done is to configure FTPd to use ports between 40000 and 44999 (wu-ftpd allows it to be done easily; don't know about others) and then:

    allow tcp from any to my_ip 40000-44999 in setup

It's not the best, but still better than nothing.

Anyway, remember that on passive FTP the client opens a TCP con. from >1024 to 21 and the server picks a port (in the mentioned range in this case), tells it to the client, and then the client connects from >1024 to this port.

Port 20 is used in normal FTP: the client connects from >1024 to 21 and the server connects from >1024 to 20 on the client for the data connection.

(Warning: this is from the top of my head, I don't have "Building Internet FWs" or similar around right now.)

Regards!

In a previous message, Jim Durham wrote:
> I'm looking for some input on how to set up
> FTP through an IPFW firewall so that you don't
> have to run passive mode.
>
> Passive mode makes things like building ports difficult.
>
> I believe that the problem is that the return connection
> set up by an FTP server to the client comes from port 20.
> To open up "any 20" to high port numbers on your
> system seems like a problem to me. Is there a secure
> way to do this?

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333
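As an added example, not code from this thread or from wu-ftpd, the client side of the arrangement above: parse the server's 227 reply and accept the advertised data endpoint only if it falls inside the 40000-44999 range the firewall rule admits and points back at the host the control connection is talking to. The port range constants and the sample replies are constructed for the example.

```python
import ipaddress
import re

# Passive data-port range the FTP server was configured to use (from the message above).
PASV_PORT_MIN = 40000
PASV_PORT_MAX = 44999

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 reply; raise ValueError if it is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a valid 227 PASV reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_is_acceptable(reply: str, control_peer_ip: str,
                       port_min: int = PASV_PORT_MIN,
                       port_max: int = PASV_PORT_MAX) -> bool:
    """True only if the data connection the server asks for would pass the
    rule 'allow tcp from any to my_ip 40000-44999 in setup' and goes back to
    the same server the control connection is open to."""
    try:
        ip, port = parse_pasv(reply)
        ipaddress.IPv4Address(ip)  # reject syntactically bad addresses
    except ValueError:
        return False
    if ip != control_peer_ip:
        return False  # server is pointing the data connection at another host
    return port_min <= port <= port_max


# Constructed sample replies (not taken from the original thread).
SAMPLE_OK = "227 Entering Passive Mode (192,0,2,10,160,5)"        # port 40965, in range
SAMPLE_LOW = "227 Entering Passive Mode (192,0,2,10,19,137)"      # port 5001, outside range
SAMPLE_REDIRECT = "227 Entering Passive Mode (198,51,100,7,160,5)"  # different host
```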