From owner-freebsd-security Fri Aug 4 06:10:37 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id GAA10272 for security-outgoing; Fri, 4 Aug 1995 06:10:37 -0700
Received: (from pst@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id GAA10264 for security; Fri, 4 Aug 1995 06:10:37 -0700
Date: Fri, 4 Aug 1995 06:10:37 -0700
From: Paul Traina
Message-Id: <199508041310.GAA10264@freefall.cdrom.com>
To: security
Subject: FTP data port restrictions
Sender: security-owner@FreeBSD.org
Precedence: bulk

While looking at Nick Sayer's home page, I caught his reference to FTP data port quarantines, and after thinking about it a bit, decided that this is a good idea, and by default, FreeBSD's FTP client and daemon programs should try to always use a restricted range of data ports (40000-44999) for transfers.

If you have an FTP server, you would like your FTP server to restrict its port range to a safe area when clients ask for a passive FTP connection, so you don't have to expose all of your >1023 ports on this machine.

If you have an FTP client, you would like to be able to restrict the ports you request to a given "safe" range in case you're talking to some mean old nasty FTP server that doesn't support passive mode (because THEIR sysadmins are as paranoid as OUR sysadmins).

The basic idea here is that we leave 40000-44999 open, since no known sane services reside there (yeah, sure...) at the firewalls, and can therefore button down everything else. This in no way precludes passive mode transfers; rather, it extends the usability of FTP clients and FTP servers in light of passive and non-passive mode transfers.

Would someone care to check over my diffs for any glaring errors? They're on freefall: ~pst/ftp-diffs

Still TODO: ncftp version and documentation
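The two halves of the scheme described in the message, server-side allocation of a passive data port inside the restricted range and client-side refusal of a PASV target outside it, as an added example in Python. This is illustrative code written for this page, not Paul Traina's diffs or FreeBSD's ftp/ftpd; the 40000-44999 range comes from the message, while the function names, the loopback bind address and the sample PASV replies are constructed for the example.

```python
"""FTP passive-mode data-port quarantine (added example, not FreeBSD code).

Server side: bind the data socket to a port in a restricted range instead
of whatever port >1023 the kernel hands out, so a firewall only has to
leave that range open.  Client side: refuse a 227 reply whose data port
lies outside the range the local firewall permits.
"""
import re
import socket
from typing import Tuple

# Restricted data-port range proposed in the message.
SAFE_PORT_RANGE = (40000, 44999)

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Extract (host, port) from a 227 reply; port = p1*256 + p2."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of byte range")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def in_safe_range(port: int, port_range=SAFE_PORT_RANGE) -> bool:
    """True if the port is inside the range the firewall leaves open."""
    lo, hi = port_range
    return lo <= port <= hi


def client_accept_pasv(reply: str, port_range=SAFE_PORT_RANGE) -> Tuple[str, int]:
    """Paranoid client: parse the 227 reply and reject a data port that the
    local firewall would block anyway, with a clear error instead of a hang."""
    host, port = parse_pasv_reply(reply)
    if not in_safe_range(port, port_range):
        raise PermissionError(
            "server offered data port %d, outside %s" % (port, port_range))
    return host, port


def format_pasv_reply(host: str, port: int) -> str:
    """Server side: encode the chosen data port into the 227 reply."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        host.replace(".", ","), port // 256, port % 256)


def allocate_data_socket(bind_host="127.0.0.1",
                         port_range=SAFE_PORT_RANGE) -> socket.socket:
    """Server side: listen on the first free port in the restricted range.
    Binding to an explicit port replaces the usual bind(0) that lets the
    kernel choose any unprivileged port."""
    lo, hi = port_range
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((bind_host, port))
            s.listen(1)
            return s
        except OSError:
            s.close()  # port in use; try the next one in the range
    raise OSError("no free data port in %s" % (port_range,))


if __name__ == "__main__":
    # Server picks a quarantined port and advertises it.
    data_sock = allocate_data_socket()
    host, port = data_sock.getsockname()
    reply = format_pasv_reply(host, port)
    print("server reply:", reply)
    # Client validates the advertised port before connecting.
    print("client accepts:", client_accept_pasv(reply))
    data_sock.close()
```

The client-side check matters even when the server is honest: a transfer to a port the firewall blocks otherwise fails as a silent timeout, whereas rejecting the 227 reply up front produces an immediate, diagnosable error.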