From owner-freebsd-security Thu Oct 11 8:52:46 2001
Date: Thu, 11 Oct 2001 17:52:08 +0200
From: Martijn Lina
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
Subject: Re: firewall
Message-ID: <20011011175208.B3267@medialab.lostboys.nl>
In-Reply-To: <20011011182601.D6135@straylight.oblivion.bg>
References: <5.1.0.14.0.20011011094352.00b022e8@rfnj.org> <20011011100410.G7007-100000@mail.wlcg.com> <20011011102432.B57251@squall.waterspout.com> <20011011182601.D6135@straylight.oblivion.bg>

Once upon a 11-10-2001, Peter Pentchev hit keys in the following order:
>
> I believe that they are discussing the case of a server being NAT'd.
> In that case, the NAT machine has to allow for connections to ports > 1024
> on the server to allow PASV FTP to work.

Depends on which ftp daemon you're using. The default FreeBSD ftpd only opens
a smaller port range than just everything above 1024, according to the man
page:

  "In previous versions of ftpd, when a passive mode client requested a
   data connection to the server, the server would use data ports in the
   range 1024..4999. Now, by default, the server will use data ports in
   the range 49152..65535."

It would be nice if the range could actually be specified through options.
My NAT just portmaps to ports below 49152, which gives me enough simultaneous
connections through NAT. Would it be a good solution to redirect the passive
ftp port range directly to the box running ftpd (or to an ip alias in a jail,
in my home situation) with NAT and drop all connections above 49151 to other
ip#s?

martijn
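As an added example (not part of Martijn's message, nor FreeBSD's own code): a small sh script that does two things an admin setting this up would want. It parses a PASV reply captured from the server and checks that the data port lands inside the range the NAT box redirects, and it prints the natd/ipfw lines that map the 49152..65535 range onto the ftpd host while denying that range for every other address, which is the arrangement asked about above. The addresses (ftpd host 10.0.0.5, outside interface ext0) are assumptions; the range is the ftpd default quoted from the man page, which FreeBSD ftpd takes from the IP_PORTRANGE_HIGH range (sysctl net.inet.ip.portrange.hifirst and hilast), so a NAT redirect must match whatever those sysctls say on the ftpd box.

```shell
#!/bin/sh
# Added example (not from the original message): check that a PASV reply's data
# port lies inside the range the NAT box redirects to the ftpd host, and print
# the natd/ipfw lines that redirect that range and drop it for every other host.
# Assumptions: ftpd host 10.0.0.5 behind a FreeBSD natd/ipfw box whose outside
# interface is ext0; 49152..65535 is the ftpd default quoted in the message
# (FreeBSD ftpd takes it from sysctl net.inet.ip.portrange.hifirst/hilast).

PASV_LO=49152
PASV_HI=65535
FTPD_HOST=10.0.0.5
EXT_IF=ext0

# pasv_port REPLY: print the data port encoded in a "227 Entering Passive Mode
# (h1,h2,h3,h4,p1,p2)" reply, or fail if the reply does not have that shape.
pasv_port() {
    case $1 in
        *\(*,*,*,*,*,*\)*) ;;
        *) echo "pasv_port: not a PASV reply: $1" >&2; return 1 ;;
    esac
    fields=${1#*\(}          # drop everything up to and including '('
    fields=${fields%%\)*}    # drop ')' and everything after it
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$fields
EOF
    echo $((p1 * 256 + p2))
}

# pasv_in_range PORT: succeed when the redirect below would carry a data
# connection to PORT, fail when it would be dropped (or never redirected).
pasv_in_range() {
    [ "$1" -ge "$PASV_LO" ] && [ "$1" -le "$PASV_HI" ]
}

# nat_rules: natd redirect for the whole passive range plus ipfw rules that let
# the control port and that range reach the ftpd host only. Inbound packets hit
# the divert rule first, so redirected ones already carry the inside address
# when rule 1010 sees them; anything still aimed at the range elsewhere is denied.
nat_rules() {
    cat <<EOF
# natd.conf: map the passive range 1:1 onto the ftpd host
redirect_port tcp ${FTPD_HOST}:${PASV_LO}-${PASV_HI} ${PASV_LO}-${PASV_HI}
# ipfw rules on the NAT box
ipfw add 100 divert natd all from any to any via ${EXT_IF}
ipfw add 1000 allow tcp from any to ${FTPD_HOST} 21 in via ${EXT_IF} setup
ipfw add 1010 allow tcp from any to ${FTPD_HOST} ${PASV_LO}-${PASV_HI} in via ${EXT_IF} setup
ipfw add 1020 deny tcp from any to any ${PASV_LO}-${PASV_HI} in via ${EXT_IF} setup
EOF
}

# Usage: run the check against a PASV reply captured from the server, e.g.
#   sh pasvcheck.sh '227 Entering Passive Mode (192,0,2,1,193,5).'
if [ $# -gt 0 ]; then
    port=$(pasv_port "$1") || exit 1
    if pasv_in_range "$port"; then
        echo "data port $port is inside ${PASV_LO}-${PASV_HI}: redirected to ${FTPD_HOST}"
    else
        echo "data port $port is outside ${PASV_LO}-${PASV_HI}: would be dropped"
    fi
fi
```

The deny rule only makes sense because the redirect covers the entire range one-to-one; if the sysctls on the ftpd box are changed so that ftpd hands out ports outside 49152..65535, the check above will report them as dropped, which is exactly the failure a client would see.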