Date: Wed, 29 Dec 2004 07:33:23 -0500
From: asym <asym@rfnj.org>
To: Grant Peel <gpeel@thenetnow.com>, <freebsd-ipfw@freebsd.org>
Subject: Re: New IPFW Setup.
Message-ID: <6.2.0.14.2.20041229071517.034c7830@mail.rfnj.org>
In-Reply-To: <008901c4ed9e$44478510$6401a8c0@GRANT>
References: <008901c4ed9e$44478510$6401a8c0@GRANT>
At 07:02 12/29/2004, Grant Peel wrote:

[snip]

>00170 allow tcp from any to any 1024-65534 in setup # ftp ports. Seems
>to negate a lot of the firewall ???
>
>Of special concern to me is line 170 ... added to allow ftp. Any ideas here?

You have two options here if you really need FTP, more otherwise.

1. Configure your FTP server to only listen on a limited port range such as 5000-5100. Keep in mind you don't need a lot of ports -- in fact you only need enough to cover the maximum number of connections you allow simultaneously from a single host. Clients with different IP addresses can connect to the same port, or at least, they should be able to in a reasonable ftpd. I haven't tested any ftpds to see if this is the case; if it isn't in your ftpd of choice, then you want enough ports for the total number of simultaneous connections you allow.

2. Use natd, which supports ipfw "punch through." This will punch holes in your ipfw rules, adding things like "allow tcp from a.b.c.d to w.x.y.z port" for the duration of the ftp data session, and remove them when the connection dies. Read the natd page for more information on this.

3. Force your ftpd to use passive mode. This will cause it to not work for clients behind firewalls that aren't ftp protocol aware.

#1 is the generally implemented option and is fairly secure.

If you don't really need ftp, and I hope you don't, there are many other ways to share files on a machine that are more firewall friendly.

1. http GET for downloads, http POST for uploads, htaccess for user/passwords, etc. Apache can pretty much replace any ftp server without too much work involved, though there is a limit to how much data can be posted.

2. scp/sftp. These use ssh to copy files. They are significantly slower than ftp due to the encryption overhead, but they only require the ssh port to be open.

3. samba. Only 1-2 ports required, no passwd entries needed as with scp/sftp, and no file size limits as with http. Any Windows client will be able to natively access the machine, provided the client ports are not blocked, which many ISPs do these days. Other systems can use samba, smbfs, etc.

4. cvs. Better than samba, though it'll take a while to set up; there's no reason you can't use cvs as a fileserver. Only requires one port, has access controls built in, and the versioning/rollback features may be useful to you depending on your needs.

5. nfs and a whole host of other options that I don't have the time or energy to get into.

If you insist on using ftp itself, do yourself a favor and use something like proftpd unless you like screwing around with pam and/or having ftp-only users in your passwd file, with the associated folderol that goes along with this. I mention proftpd because it's what I use when I need a for-real ftp server. It's in ports.
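As an added example (not code from the thread or from FreeBSD), here is a small Python audit that parses `ipfw list`-style output, flags inbound "allow ... setup" rules that open a wide destination port range the way rule 170 does, and rewrites such a rule to the narrow passive range option 1 describes. The sample ruleset and the 128-port threshold are constructed for illustration; only rule 170 comes from the message above.

```python
import re

# Constructed sample in `ipfw list` output format: rule 170 is the one from
# the thread, the other rules are assumed neighbours, not a real ruleset.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00160 allow tcp from any to any 22 in setup
00170 allow tcp from any to any 1024-65534 in setup
00180 allow tcp from any to any 5000-5100 in setup
65535 deny ip from any to any
"""

# Fixed part of a rule; the optional port list follows the destination and
# the remaining options (in, out, setup, via ...) are collected in `opts`.
RULE_RE = re.compile(
    r"^(?P<num>\d{5})\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<ports>\d[\d,\-]*))?(?P<opts>(?:\s+\S+)*)\s*$"
)


def parse_rule(line):
    """Return the rule's fields as a dict, or None for lines that do not match."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["opts"] = fields["opts"].split()
    return fields


def port_count(ports):
    """Ports covered by an ipfw port list such as '22', '80,443' or '1024-65534'."""
    if not ports:
        return 65536  # no port restriction at all
    total = 0
    for item in ports.split(","):
        lo, _, hi = item.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total


def wide_inbound_setup_rules(rules_text, max_ports=128):
    """Numbers of inbound allow/setup rules opening more than max_ports ports."""
    flagged = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r["action"] == "allow" and "in" in r["opts"] and "setup" in r["opts"]:
            if port_count(r["ports"]) > max_ports:
                flagged.append(r["num"])
    return flagged


def narrow_rule(line, new_ports):
    """Rewrite a rule's port list, e.g. to the passive range the ftpd is configured for."""
    r = parse_rule(line)
    opts = " ".join(r["opts"])
    return f"{r['num']} {r['action']} {r['proto']} from {r['src']} to {r['dst']} {new_ports} {opts}"
```

Run `wide_inbound_setup_rules(SAMPLE_RULES)` against your own `ipfw list` output to see which setup rules deserve a second look, and pair the narrowed rule with a matching passive-port setting in the ftpd so the two stay in step.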