Date: Tue, 13 Mar 2001 03:26:10 -0600
From: Mike Meyer <mwm@mired.org>
To: Kent Stewart <kstewart@urx.com>
Cc: questions@freebsd.org
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <15021.59314.727992.628569@guru.mired.org>
In-Reply-To: <13608934@toto.iv>
Kent Stewart <kstewart@urx.com> types:
> If you have a passive ftpd setup, how do you control what port something
> like a Windows ftp client can use with ipfw. The range I am seeing is
> way beyond what is suggested and you know that people are going to
> blame the FreeBSD ftp server when they get the terrible response that
> produces.

You don't need to control what port the client uses for passive FTP, you need to control what port the server uses.

With active FTP, the client sends a request to the server asking for data, and telling the server what port to send it to. The server opens a second connection back to the client and sends the data. This causes headaches for most firewalls around the client.

With passive FTP, the client sends a request to the server asking for data, and the SERVER tells the client what port to get it from. The client opens the second connection to the server and gets the data. This goes through firewalls around the client just fine, which is why it became popular in the early 90s.

As you're discovering, the headaches that active FTP had around the client now exist around the server. But there are fewer servers, and they are presumably run by smarter people, so it can be dealt with. Commercial firewalls deal with this by monitoring connections that came to the ftp port on either side of them, parsing the commands for port numbers and adding the appropriate dynamic rules.

You ought to be able to make ftpd do passive IP from ports 49152 - 65535. In fact, it ought to do that by default. Since it's not, it's probably doing 1024 - 49151. So long as you have any real services running in that range (X comes immediately to mind, and possibly some of the rpc related things), you should be ok.

<mike
--
Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
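The reply describes what a firewall's FTP helper does: watch the control connection, pull the host and port out of the `PORT` command or the `227` PASV reply, and open a one-off rule for the data connection. The following is an added example, not code from the thread or from FreeBSD: it decodes both encodings per RFC 959 (six decimal bytes, port = p1*256 + p2), refuses malformed values or an advertised address that differs from the control-connection peer, checks the data port against the 49152-65535 range the reply recommends, and produces the corresponding ipfw rule text. The sample replies, the addresses and the `audit_pasv_ports` helper (which answers Kent's "the range I am seeing is way beyond what is suggested" from a capture of 227 replies) are constructed for this example.

```python
"""Decode FTP PASV replies and PORT commands the way a firewall ALG does,
check the data port against the server's expected passive range, and
emit the ipfw rule that would be added dynamically.
Added example for this thread; not ftpd's or ipfw's own code."""
import re

# Passive range the reply says ftpd ought to use (IANA dynamic/private ports).
PASSIVE_LO, PASSIVE_HI = 49152, 65535

# RFC 959 encodes host and port as six decimal bytes: h1,h2,h3,h4,p1,p2.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$")


def _decode(groups, expected_host=None):
    """Turn the six captured numbers into (host, port), or None if invalid."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None  # not a byte value; refuse rather than guess
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    if expected_host is not None and host != expected_host:
        return None  # advertised address is not the peer we are talking to
    return host, port


def parse_pasv_reply(reply, expected_host=None):
    """Server -> client '227 ... (h1,h2,h3,h4,p1,p2)' reply (passive mode)."""
    m = PASV_RE.match(reply.strip())
    return _decode(m.groups(), expected_host) if m else None


def parse_port_command(cmd, expected_host=None):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    m = PORT_RE.match(cmd.strip())
    return _decode(m.groups(), expected_host) if m else None


def in_passive_range(port, lo=PASSIVE_LO, hi=PASSIVE_HI):
    return lo <= port <= hi


def ipfw_rule_for_pasv(server_host, port):
    """ipfw(8) rule text letting the client's SYN reach one passive data port."""
    return f"add allow tcp from any to {server_host} {port} in setup"


def audit_pasv_ports(replies, lo=PASSIVE_LO, hi=PASSIVE_HI):
    """Data ports in a capture of 227 replies that fall outside lo..hi."""
    bad = []
    for r in replies:
        parsed = parse_pasv_reply(r)
        if parsed and not in_passive_range(parsed[1], lo, hi):
            bad.append(parsed[1])
    return bad


# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,88)"  # 195*256+88 = 50008
SAMPLE_PORT_CMD = "PORT 198,51,100,7,4,1"                            # 4*256+1 = 1025
SAMPLE_CAPTURE = [
    SAMPLE_PASV_REPLY,
    "227 Entering Passive Mode (192,0,2,10,4,2)",      # 1026: below the expected range
    "227 Entering Passive Mode (192,0,2,10,255,255)",  # 65535: top of range, fine
]

if __name__ == "__main__":
    host, port = parse_pasv_reply(SAMPLE_PASV_REPLY, expected_host="192.0.2.10")
    print(ipfw_rule_for_pasv(host, port))
    print("out-of-range passive ports:", audit_pasv_ports(SAMPLE_CAPTURE))
```

The `expected_host` check is the part a static rule cannot do: a helper that trusts whatever address appears in the reply would open the data port toward a third party, so the rule is only generated when the advertised host is the control-connection peer.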