Date: Thu, 11 Oct 2001 17:52:08 +0200
From: Martijn Lina <martijn@medialab.lostboys.nl>
To: Peter Pentchev <roam@ringlet.net>
Cc: freebsd-security@freebsd.org
Subject: Re: firewall
Message-ID: <20011011175208.B3267@medialab.lostboys.nl>
In-Reply-To: <20011011182601.D6135@straylight.oblivion.bg>
References: <5.1.0.14.0.20011011094352.00b022e8@rfnj.org> <20011011100410.G7007-100000@mail.wlcg.com> <20011011102432.B57251@squall.waterspout.com> <20011011182601.D6135@straylight.oblivion.bg>
Once upon a 11-10-2001, Peter Pentchev hit keys in the following order:

> > I believe that they are discussing the case of a server being NAT'd.
> In that case, the NAT machine has to allow for connections to ports > 1024
> on the server to allow PASV FTP to work.

Depends on which ftp daemon you're using. The default FreeBSD ftpd only opens a smaller port range than just everything above 1024, according to the man page:

"In previous versions of ftpd, when a passive mode client requested a data connection to the server, the server would use data ports in the range 1024..4999. Now, by default, the server will use data ports in the range 49152..65535."

It would be nice if the range could actually be specified through options. My NAT just portmaps to ports below 49152, which gives me enough simultaneous connections through NAT.

Would it be a good solution to redirect the passive ftp port range directly to the box running ftpd (or to an ip alias in a jail, in my home situation) with NAT and drop all connections above 49151 to other ip#s?

martijn
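An added example (editor's code, not from the thread) that models the NAT policy proposed above and checks whether a given PASV reply would actually reach ftpd through it; the public and internal addresses are constructed placeholders, and the sample replies are constructed too.

```python
import re

# FreeBSD ftpd's default passive data-port range, as quoted from the man page
# in the message above.
PASV_PORT_MIN, PASV_PORT_MAX = 49152, 65535

# Constructed addresses (not from the thread): the NAT's public address and
# the internal box / jail alias running ftpd.
NAT_PUBLIC_IP = "203.0.113.10"
FTPD_INTERNAL_IP = "192.168.1.20"

_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply. The data port is transmitted as two bytes: p1 * 256 + p2."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo


def nat_decision(dst_ip: str, dst_port: int) -> str:
    """Decision the proposed NAT ruleset makes for an inbound TCP SYN:
    - 49152..65535 at the public address is redirected to the ftpd box;
    - any other destination port above 49151 is dropped;
    - everything else is left to the rest of the ruleset ('pass')."""
    if dst_ip == NAT_PUBLIC_IP and PASV_PORT_MIN <= dst_port <= PASV_PORT_MAX:
        return f"redirect -> {FTPD_INTERNAL_IP}:{dst_port}"
    if dst_port > PASV_PORT_MIN - 1:
        return "drop"
    return "pass"


def pasv_works_through_nat(reply: str) -> bool:
    """True if the client could open the data connection the server advertised.
    The advertised host must be the NAT's public address (ftpd configured for
    it, or rewritten by the NAT's FTP handling) and the port must be in the
    redirected range; an ftpd still using 1024..4999 fails this check."""
    host, port = parse_pasv(reply)
    return nat_decision(host, port).startswith("redirect")


if __name__ == "__main__":
    for r in ("227 Entering Passive Mode (203,0,113,10,192,16)",   # port 49168
              "227 Entering Passive Mode (203,0,113,10,19,135)",   # port 4999
              "227 Entering Passive Mode (203,0,113,10,191,255)"): # port 49151
        print(parse_pasv(r), pasv_works_through_nat(r))
```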
