From owner-freebsd-security Wed Mar 29 4:16:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id B570737BB82 for ; Wed, 29 Mar 2000 04:16:35 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id JAA25820; Wed, 29 Mar 2000 09:16:45 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200003291216.JAA25820@ns1.via-net-works.net.ar>
Subject: Re: FTP with firewall rules
In-Reply-To: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> from Jim Durham at "Mar 28, 0 08:18:23 pm"
To: durham@w2xo.pgh.pa.us (Jim Durham)
Date: Wed, 29 Mar 2000 09:16:45 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What I have done is to configure FTPd to use ports between 40000 and 44999 (wu-ftpd allows it to be done easily; I don't know about others) and then:

allow tcp from any to my_ip 40000-44999 in setup

It's not the best, but still better than nothing.

Anyway, remember that on passive FTP the client opens a TCP connection from >1024 to 21 and the server picks a port (in the mentioned range in this case), tells it to the client, and then the client connects from >1024 to this port. Port 20 is used in normal FTP: the client connects from >1024 to 21 and the server connects from >1024 to 20 on the client for the data connection. (Warning: this is from the top of my head, I don't have "Building Internet FWs" or similar around right now.)

Regards!

In an earlier message, Jim Durham wrote:
> I'm looking for some input on how to set up
> FTP through an IPFW firewall so that you don't
> have to run passive mode.
>
> Passive mode makes things like building ports difficult.
>
> I believe that the problem is that the return connection
> set up by an FTP server to the client comes from port 20.
> To open up "any 20" to high port numbers on your
> system seems like a problem to me. Is there a secure
> way to do this?

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
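The rule in the reply only works if the daemon really advertises data ports inside the window the firewall opens; a wu-ftpd that hands out a port outside 40000-44999 makes every passive transfer hang with no error on the server side. The script below is an added example, not code from the mail or from wu-ftpd or ipfw: it parses the 227 "Entering Passive Mode" replies a server sends (RFC 959 format, port = p1*256 + p2), checks each advertised port against the 40000-44999 window from the mail, and renders the matching ipfw rule. The sample replies and the address 192.0.2.10 standing in for my_ip are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, NamedTuple

# Passive data-port window from the mail: wu-ftpd is configured to pick ports
# in 40000-44999 and ipfw opens exactly that window to the server.
PASV_PORT_MIN = 40000
PASV_PORT_MAX = 44999

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv_reply(line: str) -> PasvEndpoint:
    """Extract the data-connection endpoint the server advertises in a 227 reply.

    The port is p1 * 256 + p2; any byte field above 255 means a malformed reply.
    """
    m = PASV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a PASV (227) reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte field out of range in PASV reply: {line!r}")
    return PasvEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def port_allowed(port: int, lo: int = PASV_PORT_MIN, hi: int = PASV_PORT_MAX) -> bool:
    """True when the advertised port falls inside the window ipfw lets through."""
    return lo <= port <= hi


def ipfw_passive_rule(my_ip: str, lo: int = PASV_PORT_MIN, hi: int = PASV_PORT_MAX) -> str:
    """Render the ipfw rule from the mail for the chosen window.

    'setup' matches only the connection-opening SYN, so the rule admits new
    data connections to the window and nothing else.
    """
    return f"allow tcp from any to {my_ip} {lo}-{hi} in setup"


def audit_pasv_replies(lines: Iterable[str]) -> Dict[str, List]:
    """Sort captured server replies into allowed, blocked and malformed.

    'blocked' means the daemon advertised a port outside the firewall window:
    the client's data connection would be dropped by ipfw.
    """
    result: Dict[str, List] = {"allowed": [], "blocked": [], "malformed": []}
    for line in lines:
        try:
            ep = parse_pasv_reply(line)
        except ValueError:
            result["malformed"].append(line)
            continue
        bucket = "allowed" if port_allowed(ep.port) else "blocked"
        result[bucket].append(ep)
    return result


# Constructed sample replies (not captured from a real server); 192.0.2.10 is a
# documentation address standing in for my_ip.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,156,64)",   # 156*256+64  = 40000, bottom of window
    "227 Entering Passive Mode (192,0,2,10,160,60)",   # 160*256+60  = 41020, inside
    "227 Entering Passive Mode (192,0,2,10,175,199)",  # 175*256+199 = 44999, top of window
    "227 Entering Passive Mode (192,0,2,10,175,208)",  # 175*256+208 = 45008, outside: blocked
    "227 Entering Passive Mode (192,0,2,10,300,1)",    # field > 255: malformed
    "226 Transfer complete.",                          # not a 227 reply
]

if __name__ == "__main__":
    print(ipfw_passive_rule("192.0.2.10"))
    for bucket, items in audit_pasv_replies(SAMPLE_REPLIES).items():
        print(f"{bucket}: {items}")
```

Feeding the audit the control-channel replies from a test session (a plain FTP client with verbose output is enough) shows at once whether the daemon's port window and the firewall rule agree; a single entry under "blocked" is the usual cause of transfers that stall after the PASV step.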