Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 25 Jan 2005 15:52:11 -0600
From:      "Andras Kende" <andras@kende.com>
To:        "'dick hoogendijk'" <dick@nagual.st>, <freebsd-questions@freebsd.org>
Subject:   RE: ipf rules for ftp server
Message-ID:  <20050125215200.35FA443D3F@mx1.FreeBSD.org>
In-Reply-To: <20050125213834.218bf53c.dick@nagual.st>
next in thread | previous in thread | raw e-mail | index | archive | help 


-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of dick hoogendijk
Sent: Tuesday, January 25, 2005 2:39 PM
To: freebsd-questions@freebsd.org
Subject: ipf rules for ftp server

I read the handbook and googled, but am still confused on the right
rules for my FTP server.

I use ipf. My ftp section in /etc/ipf.rules now is:

# FTP server out
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep
state
pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep
state
# Allow in FTP from the Internet
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep
state
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep
state
## end

I don't feel these are right. But maybe they are. Can somebody give me
advice on this?

The ftp server needs to be up-and-running asap; my children want to
update there webpages ;-)

-- 
dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.10 ++ Debian GNU/Linux (Woody)
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"


Hello,

Something like this would work:

pass in quick on rl0 proto tcp from any to any port 50000 >< 51000 flags S
keep state #PASV FTP

pass in quick on rl0 proto tcp from any to any port = 21 #FTP ACTIVE


Also if you need passive ftp working you'll need to specify the passive port
range in ftp server config.(pure-ftpd.conf: PassivePortRange = 50000 51000)


Best regards,

Andras Kende
http://www.kende.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050125215200.35FA443D3F>