From owner-freebsd-questions Fri Sep 6 8:33:37 2002
From: "Drew Tomlinson"
To: "Dave Young"
Cc: "FreeBSD Questions"
Subject: Re: How To Set Passive FTP Port Range?
Date: Fri, 6 Sep 2002 08:33:30 -0700

----- Original Message -----
From: "Dave Young"
To: "Drew Tomlinson"
Sent: Friday, September 06, 2002 8:06 AM

Thanks for your response. If you're interested in a good explanation of the difference between active and passive ftp, I found this link helpful:

http://slacksite.com/other/ftp.html

> On Fri, 6 Sep 2002, Drew Tomlinson wrote:
>
> > I'm using the ftp daemon that ships with FBSD. From the man page, I
> > see that it uses ports 49152-65535 by default for passive ftp. So to
> > allow passive ftp, I have to open this port range on my firewall.
>
> for outgoing ftp, yes. If you're setting up an ftp server on your home
> machine, you just need to open tcp 21. Incoming ftp requests come in on
> that port.
>
> ftp client: uses a high port > 1024 to connect to the server (low port,
> 21)
>
> active ftp: ftp server tries to come back to the client and connect (tcp
> 20 I think). if you use a stateless firewall, it's hard to deal with
>
> passive ftp is a client side work-around when the *client* doesn't have a
> stateful firewall, since the server can't make a connection back to
> the client (ftp is a strange protocol), therefore the PORT and DATA
> commands come through on the initial >1024 to 21 connection.
>
> in a nutshell, I think you just need to open 21 to your machine. If you
> have outgoing packet firewall rules, then you'll have an issue being the
> *client* if you block outgoing connections > 1024

Because I'm running a server and need to allow passive client access, I HAD to open ports 49152-65535 to make it work. I discovered this by logging deny entries to see on what ports the requests were coming, reading the above article, and the ftpd man page. Now my idea is to limit that port range further if there is a significant security advantage with little disadvantage.

Thanks again,

Drew

> hope that helps...
>
> Dave
>
> > I suspect there is a way to further limit this port range. My
> > questions are:
> >
> > 1. Can I further limit the port range?
> >
> > 2. Is there any significant security advantage by doing so?
> >
> > 3. Are there any disadvantages from limiting the port range further?
> >
> > My particular system is just a small home system and will only have a
> > very small number (like 10 or less) of ftp users at any given time.
> >
> > Any insight or links to appropriate documents appreciated.
> >
> > Thanks,
> >
> > Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
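The thread turns on whether the server's passive data ports fall inside the range the firewall permits. The following is an added example, not code from the thread or from FreeBSD's ftpd: it parses the RFC 959 "227 Entering Passive Mode" replies a server sends (the port is p1*256+p2) and checks each advertised data port against an allowed range, so an administrator who narrows ftpd's range can confirm the firewall rule and the daemon still agree. The sample replies and the narrowed range (50000-50100) are constructed for illustration; 49152-65535 is the default quoted from the ftpd man page in the thread.

```python
import re

# Default passive range of FreeBSD ftpd, as quoted from the man page in the thread.
DEFAULT_PASV_RANGE = (49152, 65535)

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (host, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):  # octets and port bytes must each fit in a byte
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv_ports(replies, allowed=DEFAULT_PASV_RANGE):
    """Classify advertised data ports as inside the firewall-permitted range or not.

    Ports outside the range would be denied by a firewall rule that only opens
    'allowed', which shows up to the client as a hanging or failing transfer.
    """
    lo, hi = allowed
    result = {"ok": [], "blocked": [], "malformed": []}
    for line in replies:
        parsed = parse_pasv_reply(line)
        if parsed is None:
            result["malformed"].append(line)
            continue
        _host, port = parsed
        result["ok" if lo <= port <= hi else "blocked"].append(port)
    return result


# Constructed sample replies (not real server output).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,195,80)",   # 195*256+80 = 50000
    "227 Entering Passive Mode (192,168,1,10,19,137)",   # 19*256+137 = 5001
    "227 Entering Passive Mode (192,168,1,10,255,255)",  # 65535
    "200 Type set to I.",                                # not a PASV reply
    "227 Entering Passive Mode (192,168,1,10,300,1)",    # 300 is not a byte
]

if __name__ == "__main__":
    print(check_pasv_ports(SAMPLE_REPLIES))
    print(check_pasv_ports(SAMPLE_REPLIES, allowed=(50000, 50100)))
```

Running the check with the narrowed range shows 65535 moving from "ok" to "blocked", which is exactly the mismatch to look for after changing either the daemon's range or the firewall rule.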