From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Grant Cooper", freebsd-questions@freebsd.org
Subject: Re: ipfw rules
Date: Thu, 17 Oct 2002 07:37:25 -0700
Message-ID: <01ae01c275ea$b65b77c0$6e2a6ba5@TAGALONG>
List: freebsd-questions@FreeBSD.ORG

----- Original Message -----
From: "Grant Cooper"
Sent: Friday, October 11, 2002 5:10 PM
Subject: Re: ipfw rules

> I am having the same problem. I now just allow ftp from certain IP
> addresses. But doesn't the second rule,
>
> # /sbin/ipfw add 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state
>
> kind of beat the purpose of a firewall? That's a lot of open ports. I
> thought IPFW had a way to remember the ports opened by ftp and creates rules
> dynamically based on the ports opened by ftp.

You're thinking of the "punch firewall" option in natd.

If you're using the ftpd that comes with FBSD, you will see in the man page
that the default port range is 49152-65535, so as I understand it, you do not
need to open ports 1024-49151 as they will not be used. I am also told one can
further limit the port range used by the default ftpd by modifying these
sysctl vars:

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

However, I have not actually tried this. I don't know if there's any
significant security advantage in limiting the port range further, as I have
not seen any discussion on this. But I would suspect that it certainly
wouldn't hurt to limit the port range to the number of expected concurrent ftp
sessions, thus closing off more ports.

Anyone else reading this, please correct me if I am mistaken.

Thanks,

Drew

> ----- Original Message -----
> Sent: Friday, October 11, 2002 3:33 PM
> Subject: re: ipfw rules
>
> > i was finally able to get ftp (using passive ftp) to work through our
> > firewall. these are the rules I had to add:
> >
> > # /sbin/ipfw add 10000 allow tcp from any 1024-65535 to any 21 out setup keep-state
> > # /sbin/ipfw add 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state
> >
> > the first rule (10000) allows our server to connect via any high port to
> > any server out there on port 21 (ftp). this is to initiate the 'control
> > connection'.
> >
> > the second rule (10001) allows anyone to connect via high ports to and
> > from our server. this is for the data transfer part.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
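As an added example (not code from anyone in this thread), the script below builds the tightened version of the two rules Drew describes, with the data rule narrowed to the 49152-65535 range he cites for the stock FreeBSD ftpd, and prints the matching sysctl lines so ftpd and the firewall agree. Assumptions: rule numbers 10000/10001 and the /sbin/ipfw path come from the thread; the narrowed data rule covers clients reaching our own ftpd in passive mode, while outbound transfers to remote servers still depend on whatever high range the remote server uses.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (does not load) a tightened
# passive-FTP rule set for ipfw, parameterised by the ftpd high port range.
# Defaults mirror the net.inet.ip.portrange.hifirst/hilast values Drew quotes.
HIFIRST=${HIFIRST:-49152}
HILAST=${HILAST:-65535}

# Sanity-check a port range: within 1024-65535 and first <= last.
range_ok() {
    { [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]; } 2>/dev/null
}

# Number of ports a range leaves open, for comparing rule variants
# (1024-65535 opens 64512 ports, 49152-65535 opens 16384).
ports_open() {
    echo $(( $2 - $1 + 1 ))
}

# Print the rule set so it can be reviewed before being piped into sh.
ftp_rules() {
    first=$1
    last=$2
    range_ok "$first" "$last" || { echo "bad port range ${first}-${last}" >&2; return 1; }
    # Control channel: our high port out to a remote server's port 21 (as in the thread).
    echo "/sbin/ipfw add 10000 allow tcp from any 1024-65535 to any 21 out setup keep-state"
    # Passive data channel into our own ftpd: only the range ftpd actually hands out,
    # and inbound only, instead of any-to-any across 1024-65535.
    echo "/sbin/ipfw add 10001 allow tcp from any 1024-65535 to any ${first}-${last} in setup keep-state"
    # Keep ftpd's passive range in step with the firewall rule (assumed sysctl syntax).
    echo "sysctl -w net.inet.ip.portrange.hifirst=${first}"
    echo "sysctl -w net.inet.ip.portrange.hilast=${last}"
}

# Show the rule set for the configured range.
ftp_rules "$HIFIRST" "$HILAST"
```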