From owner-freebsd-security Wed Mar 29 9:30:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.everyday.cx (cr308584-a.wlfdle1.on.wave.home.com [24.114.52.208]) by hub.freebsd.org (Postfix) with ESMTP id 54E7537B5FF for ; Wed, 29 Mar 2000 09:30:16 -0800 (PST) (envelope-from pccb@yahoo.com)
Received: from bambam.objtech.com (bambam.objtech.com [192.168.111.1]) by mail.everyday.cx (Postfix) with ESMTP id 4015618F6 for ; Wed, 29 Mar 2000 12:30:09 -0500 (EST)
Date: Wed, 29 Mar 2000 12:30:08 -0500
From: Pierre Chiu
X-Mailer: The Bat! (v1.39) Educational
Reply-To: Pierre Chiu
Organization: ObjTech Corporation
X-Priority: 3 (Normal)
Message-ID: <4520.000329@yahoo.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In FreeBSD 4.0, ipfw supports stateful inspection. I think this is very useful for running an ftp server and would work for both active and passive setup. Can somebody share their rulesets with us?

> What I have done is to configure FTPd to use ports between 40000 and
> 44999 (wu-ftpd allows it to be done easily; don't know others) and then:
>
> allow tcp from any to my_ip 40000-44999 in setup
>
> It's not the best, but still better than nothing.
>
> Anyway, remember that on passive FTP the client opens a TCP con. from
> >1024 to 21 and, the server picks a port (in the mentioned range in
> this case), tells it to the client and then the client connects from
> >1024 to this port.
>
> Port 20 is used in normal FTP: the client connects from >1024 to 21
> and the server connects from >1024 to 20 on the client for the data
> connection.
>
> (Warning: this is from the top of my head, I don't have "Building
> Internet FWs" or similar around right now.)
>
> Regards!
>
> In an earlier message, Jim Durham wrote:
>> I'm looking for some input on how to set up
>> FTP through an IPFW firewall so that you don't
>> have to run passive mode.
>>
>> Passive mode makes things like building ports difficult.
>>
>> I believe that the problem is that the return connection
>> set up by an FTP server to the client comes from port 20.
>> To open up "any 20" to high port numbers on your
>> system seems like a problem to me. Is there a secure
>> way to do this?
>
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333

-- 
Pierre
   \\|//
   (o o)
+-----------oOOo-(_)-oOOo----------------+
EMail : mailto:pccb(at)yahoo(dot)com
PGPkey: http://www.everyday.cx/pgpkey.txt
+========================================+
paradigm shift...without a clutch
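The kind of stateful ruleset Pierre asks for, as an added example written for this archive page rather than taken from anyone in the thread: a small sh helper that prints FreeBSD 4.x ipfw rules for an FTP server using check-state/keep-state. The server address, the passive port range (wu-ftpd's 40000-44999 from the thread) and the rule numbers are assumptions passed in as arguments.

```sh
#!/bin/sh
# Emits an ipfw(8) ruleset (FreeBSD 4.x syntax) for an FTP server that
# relies on check-state/keep-state. Hypothetical helper, not from the
# thread: the server address and the daemon's passive port range are
# arguments; rule numbers are illustrative.
ftp_ruleset() {
    ip=$1 lo=$2 hi=$3
    # Packets of flows already recorded by a keep-state rule match here,
    # so only the SYN of each connection needs a static rule below.
    echo "add 100 check-state"
    # Control channel: client (>1023) -> server port 21, client-initiated.
    echo "add 200 allow tcp from any to $ip 21 in setup keep-state"
    # Passive data: client -> server within the configured PASV range
    # (40000-44999 in the thread), client-initiated.
    echo "add 300 allow tcp from any to $ip $lo-$hi in setup keep-state"
    # Active data: server port 20 -> client high port, server-initiated,
    # so it is tracked from the outbound SYN without opening port 20
    # inbound at all.
    echo "add 400 allow tcp from $ip 20 to any 1024-65535 out setup keep-state"
    # ACK-bearing segments that no dynamic rule knows about are dropped.
    echo "add 500 deny tcp from any to any established"
    # Default deny for everything else (SYNs to other ports, UDP, ICMP).
    echo "add 65000 deny ip from any to any"
    # Caveat: keep-state does not read the FTP control channel, so on a
    # *client* behind this firewall an active-mode data connection
    # (remote port 20 -> local high port) still needs an explicit inbound
    # rule, which is exactly the exposure Jim's question is about.
}

# Returns 0 iff the generated set has a stateful inbound rule for port $4.
has_stateful_in_rule() {
    ftp_ruleset "$1" "$2" "$3" | grep -q "to $1 $4 in setup keep-state"
}

ftp_ruleset 192.0.2.10 40000 44999   # constructed sample address and range
```

Save the printed rules to a file and load them with `ipfw -q /path/to/file` after `ipfw -f flush`; the comment at the end of the function explains why this covers the server side only.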