Date:      Fri, 6 Sep 2002 08:33:30 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        "Dave Young" <dave@boldfish.com>
Cc:        "FreeBSD Questions" <questions@FreeBSD.ORG>
Subject:   Re: How To Set Passive FTP Port Range?
Message-ID:  <007a01c255ba$c10259f0$6e2a6ba5@TAGALONG>
References:  <Pine.LNX.4.44.0209060757120.22268-100000@hat-trick.boldfish.com>

----- Original Message -----
From: "Dave Young" <dave@boldfish.com>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Sent: Friday, September 06, 2002 8:06 AM


Thanks for your response.  If you're interested in a good explanation
of the difference between active and passive ftp, I found this link
helpful:

http://slacksite.com/other/ftp.html

> On Fri, 6 Sep 2002, Drew Tomlinson wrote:
>
> > I'm using the ftp daemon that ships with FBSD.  From the man page, I
> > see that it uses ports 49152-65535 by default for passive ftp.  So to
> > allow passive ftp, I have to open this port range on my firewall.
>
> for outgoing ftp, yes. If you're setting up a ftp server on your home
> machine, you just need to open tcp 21. Incoming ftp requests come in on
> that port.
>
> ftp client: uses a high port > 1024 to connect to the server (low port,
> 21)
>
> active ftp: ftp server tries to come back to the client and connect (tcp
> 20 I think) if you use a stateless firewall, it's hard to deal with
>
>
> passive ftp is a client side work-around when the *client* doesn't have a
> stateful firewall, since the server can't make a connection back to
> the client (ftp is a strange protocol) therefore the PORT and DATA
> commands come through on the initial >1024 to 21 connection.
>
>
> in a nutshell, I think you just need to open 21 to your machine. If you
> have outgoing packet firewall rules, then you'll have an issue being the
> *client* if you block outgoing connections > 1024

Because I'm running a server and need to allow passive client access,
I HAD to open ports 49152-65535 to make it work.  I discovered this by
logging deny entries to see on what ports the requests were coming,
reading the above article, and the ftpd man page.  Now my idea is to
limit that port range further if there is a significant security
advantage with little disadvantage.

Thanks again,

Drew

> hope that helps...
>
>
>
> Dave
>
> > I suspect there is a way to further limit this port range.  My
> > questions are:
> >
> > 1. Can I further limit the port range?
> >
> > 2. Is there any significant security advantage by doing so?
> >
> > 3. Are there any disadvantages from limiting the port range further?
> >
> > My particular system is just a small home system and will only have a
> > very small number (like 10 or less) of ftp users at any given time.
> >
> > Any insight or links to appropriate documents appreciated.
> >
> > Thanks,
> >
> > Drew
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message


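Drew's approach above (logging firewall denies to see which ports passive clients were hitting, then opening only the range ftpd actually uses) as an added shell example; this is not part of the thread, the ipfw-style log lines are constructed for the example, and 49152-65535 is the ftpd default range the thread quotes. Pass a log file path to run it against a real log instead of the sample.

```shell
#!/bin/sh
# Added example, not from the thread: sort denied inbound TCP connections
# into "inside the passive range" (passive-FTP data connections being
# blocked) and "outside it" (unrelated traffic), so only the passive
# range gets opened. Override PASV_LO/PASV_HI to test a narrower range.
PASV_LO=${PASV_LO:-49152}   # ftpd default passive range, per the thread
PASV_HI=${PASV_HI:-65535}

# Constructed ipfw-style deny lines (real format may differ; adjust awk).
SAMPLE_LOG='Sep  6 08:01:02 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:40212 192.0.2.10:51000 in via fxp0
Sep  6 08:01:05 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:40213 192.0.2.10:60123 in via fxp0
Sep  6 08:02:11 gw kernel: ipfw: 65000 Deny TCP 198.51.100.4:52222 192.0.2.10:22 in via fxp0
Sep  6 08:02:30 gw kernel: ipfw: 65000 Deny UDP 198.51.100.4:53 192.0.2.10:1026 in via fxp0'

# Distinct destination ports of denied TCP connections, sorted numerically.
# The field after "Deny TCP <src>" is "<dst-ip>:<dst-port>".
denied_tcp_dports() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF - 3; i++)
            if ($i == "Deny" && $(i+1) == "TCP") { split($(i+3), a, ":"); print a[2] }
    }' | sort -n | uniq
}

# Denied ports that fall inside [PASV_LO, PASV_HI]: blocked passive transfers.
denied_in_pasv_range() {
    denied_tcp_dports "$1" | awk -v lo="$PASV_LO" -v hi="$PASV_HI" '$1 >= lo && $1 <= hi'
}

# Denied ports outside the range: not explained by passive FTP, leave closed.
denied_outside_pasv_range() {
    denied_tcp_dports "$1" | awk -v lo="$PASV_LO" -v hi="$PASV_HI" '$1 < lo || $1 > hi'
}

# Number of denied ports inside the range; non-zero means clients are hurting.
count_in_pasv_range() {
    denied_in_pasv_range "$1" | awk 'END { print NR }'
}

LOG=$SAMPLE_LOG
if [ $# -gt 0 ] && [ -f "$1" ]; then LOG=$(cat "$1"); fi
echo "denied ports inside passive range $PASV_LO-$PASV_HI:"
denied_in_pasv_range "$LOG"
echo "denied ports outside passive range (unrelated traffic):"
denied_outside_pasv_range "$LOG"
```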