From: Mike Meyer <mwm@mired.org>
Date: Tue, 13 Mar 2001 03:26:10 -0600
To: Kent Stewart
Cc: questions@freebsd.org
Subject: Re: ipfw rules for incoming passive mode ftp connections
Message-ID: <15021.59314.727992.628569@guru.mired.org>
In-Reply-To: <13608934@toto.iv>

Kent Stewart types:
> If you have a passive ftpd setup, how do you control what port something
> like a windows ftp client can use with ipfw. The range I am seeing is
> way beyond what is suggested and you know that people are going to
> blame the FreeBSD ftp server when they get the terrible response that
> produces.

You don't need to control what port the client uses for passive FTP, you need to control what port the server uses.

With active FTP, the client sends a request to the server asking for data, and telling the server what port to send it to. The server opens a second connection back to the client and sends the data. This causes headaches for most firewalls around the client.

With passive FTP, the client sends a request to the server asking for data, and the SERVER tells the client what port to get it from. The client opens the second connection to the server and gets the data. This goes through firewalls around the client just fine, which is why it became popular in the early 90s.

As you're discovering, the headaches that active FTP had around the client now exist around the server. But there are fewer servers, and they are presumably run by smarter people, so it can be dealt with. Commercial firewalls deal with this by monitoring connections that came to the ftp port on either side of them, parsing the commands for port numbers and adding the appropriate dynamic rules.

You ought to be able to make ftpd do passive FTP from ports 49152 - 65535. In fact, it ought to do that by default. Since it's not, it's probably doing 1024 - 49151. So long as you have any real services running in that range (X comes immediately to mind, and possibly some of the rpc related things), you should be ok.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
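The command-inspecting approach the reply attributes to commercial firewalls, as an added example that is not part of the original message: it parses the PASV reply (server side) or PORT command (client side) of an FTP control session, reads out the advertised data port, and produces the one-off ipfw rule that would admit that data connection. It only admits a passive port inside the 49152-65535 range the reply says ftpd ought to use, and it refuses an endpoint whose address does not match the peer on the control connection. The sample lines, addresses and the `dynamic_rule` helper are constructed for this example.

```python
import re

# Passive data-port range the reply says ftpd ought to use (assumption: this is your policy).
PASSIVE_LO, PASSIVE_HI = 49152, 65535

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server, "PORT h1,h2,h3,h4,p1,p2" from the client.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def parse_endpoint(line):
    """Return (mode, host, port) for a PASV reply or PORT command, or None for any other line."""
    m = PASV_RE.match(line)
    mode = "passive"
    if m is None:
        m = PORT_RE.match(line)
        mode = "active"
    if m is None:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return mode, f"{a}.{b}.{c}.{d}", p1 * 256 + p2   # FTP encodes the port as two bytes


def in_passive_range(port):
    return PASSIVE_LO <= port <= PASSIVE_HI


def dynamic_rule(line, client_ip, server_ip):
    """ipfw rule a command-inspecting firewall would add for this data connection, or None.

    client_ip/server_ip are the peers of the control connection (port 21) the line was seen on.
    None means: not an endpoint line, advertised host differs from the control peer, or a
    passive port outside the policy range (so the data connection is left to the static ruleset).
    """
    ep = parse_endpoint(line)
    if ep is None:
        return None
    mode, host, port = ep
    if mode == "passive":
        # Server told the client where to connect; address must be the server, port in range.
        if host != server_ip or not in_passive_range(port):
            return None
        return f"add allow tcp from {client_ip} to {host} {port} setup"
    # Active: client told the server where to connect back from port 20; address must be the client.
    if host != client_ip:
        return None
    return f"add allow tcp from {server_ip} 20 to {host} {port} setup"
```

Sample input to try: `dynamic_rule("227 Entering Passive Mode (192,0,2,10,200,45)", "198.51.100.7", "192.0.2.10")` yields the rule for data port 51245, while the same reply advertising port (4,1), i.e. 1025, yields None.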