Date:      Fri, 7 Feb 2014 16:50:59 +0100 (CET)
From:      Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To:        g8kbvdave@googlemail.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FTPD port trouble.
Message-ID:  <alpine.BSF.2.00.1402071619170.90985@mail.fig.ol.no>
In-Reply-To: <52F4E70D.11252.1381412@g8kbvdave.gmail.com>
References:  <52F4E70D.11252.1381412@g8kbvdave.gmail.com>

On Fri, 7 Feb 2014 14:00-0000, g8kbvdave@googlemail.com wrote:

> Hi All.
> 
> How "EXACTLY" (sorry) do I specify the main connection port number for FTPd 
> (enabled in inetd.conf, and inetd enabled in rc.conf) to listen on, and the range 
> of ports to use for PASV mode?

In /etc/services, create your own definition:

ftp-local        2121/tcp    #File Transfer [Control] (Local Override)


In /etc/inetd.conf, add/modify the appropriate lines:

ftp-local    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp-local    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l

According to ftpd(8) and ip(4), ftpd does by default use 
IP_PORTRANGE_HIGH which can be adjusted by setting 
net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast on the 
command line for immediate effect and/or permanently in 
/etc/sysctl.conf.

On one of my 9.2 systems I have:

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

Other parts of the jail may use these sysctls, so be careful.

> What parameter (.conf) files do I need to edit and/or create to do that in the 
> server jail, and also the exact syntax of what to put in there. (The manpages for ftpd 
> leave me stone cold, as usual.)

I believe you can use /etc/sysctl.conf in each jail.

> I've a jailed web server running now on FreeBSD 9.2; it seems stable and does the 
> job fine.
> 
> The same jail also has the OS's own FTPD service running, started via inetd.  
> There are three FTP users, that are chrooted to the directories needed within the 
> jail, thanks to entries in /etc/ftpchroot in the jail.
> 
> I have other machines on the same local LAN segment automatically updating 
> data on the web pages also just fine via FTP, using either active or passive 
> mode, as they see fit.
> 
> However, I wish to be able to access those same directories and files via FTP 
> over an SSHD session (typically using PuTTY on Windows, and a FileZilla client) for 
> remote admin needs; to that end, there is a general site maintenance FTP user.

One solution, unless you want to go the POSIX ACL route, is to create 
a special group for the maintenance user in /etc/groups, set the 
setgid bit on the chrooted directories,

chmod -R g+s some-dir

and assign at least 0770 to each directory and at least 0660 to each 
file; these commands only modify the group access rights,

find some-dir -type d -exec chmod -R g+rwx {} \;
find some-dir -type f -exec chmod -R g+rw  {} \;

and assign the special group to each file and directory,

chgrp -R specialgroup some-dir

You need to modify the user's umask to 002 for this to work properly 
afterwards.

> (I usually configure such machines (on other OS's) to use "High" ports, way up in 
> the dynamic range.  It's never a problem, so long as both the server and client 
> agree on the same ports of course.)
> 
> I've spent an inordinate amount of time getting nowhere with Google, as it 
> seems all the really useful FreeBSD forum archives are long gone. (404 errors.  
> Why?)  So I need help from the collective please.
> 
> (I also still can't get onto the IRC channel(s) for FreeBSD, but that's another 
> issue.)
> 
> I can already do what I want just fine, when physically connected to the LAN 
> with either of the portable PCs I often carry with me, so it's just those blessed 
> port numbers I need to nail to the floor, so I can tunnel them via the SSH link.
> 
> Best Regards, and cheers to All.
> 
> Dave B.
> 
> PS:	If anyone knows of a good blow by blow walk through, showing how to 
> setup Pure-FTPD correctly (other than just use its basic install) not needing SQL 
> databases (Why complicate things?)  I'd like to know for the future.
> 
> Its documentation may be plentiful, but it's pure crud to read, even when 
> imported into a decent reader so it doesn't hurt the eyes!  :)    Plus I know zilch 
> re SQL databases, so that's a non starter for me anyway.
> 
> Respond off list if you feel the need.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
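The port part of the reply above (the /etc/services entry, the inetd.conf lines and the net.inet.ip.portrange.hi* sysctls) can be checked from a script before the SSH tunnel is built. The following is an added example, not code from the mail or from FreeBSD: it runs against copies of the three files (constructed here with the values from the reply) and reports the control port and passive range that the tunnel must forward, refusing a control port that falls inside the passive range.

```shell
#!/bin/sh
# Added example, not part of the original mail: check the ftp-local setup
# described above against copies of /etc/services, /etc/inetd.conf and a
# "sysctl -a" dump, and report which ports an SSH tunnel would have to
# forward. The sample files below are constructed for this example.

# service_port FILE NAME: print the tcp port defined for NAME.
service_port() {
    awk -v n="$2" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

# inetd_enabled FILE NAME: true if NAME has an uncommented stream tcp/tcp6 line.
inetd_enabled() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+stream[[:space:]]+tcp6?[[:space:]]" "$1"
}

# pasv_range FILE: print "hifirst hilast" from sysctl output.
pasv_range() {
    awk -F': *' '$1 == "net.inet.ip.portrange.hifirst" { f = $2 }
                 $1 == "net.inet.ip.portrange.hilast"  { l = $2 }
                 END { print f, l }' "$1"
}

# audit SERVICES INETDCONF SYSCTLDUMP NAME: succeed only when NAME is defined,
# enabled in inetd, and its control port lies outside the passive range.
audit() {
    port=$(service_port "$1" "$4")
    [ -n "$port" ] || { echo "$4: no tcp entry in $1"; return 1; }
    inetd_enabled "$2" "$4" || { echo "$4: not enabled in $2"; return 1; }
    set -- $(pasv_range "$3")
    [ -n "${2:-}" ] && [ "$1" -le "$2" ] || { echo "passive range unset or inverted"; return 1; }
    if [ "$port" -ge "$1" ] && [ "$port" -le "$2" ]; then
        echo "control port $port collides with passive range $1-$2"; return 1
    fi
    echo "forward control port $port/tcp and passive ports $1-$2/tcp"
}

# Constructed sample files mirroring the configuration in the mail.
WORK=$(mktemp -d)
printf '%s\n' 'ftp              21/tcp' \
    'ftp-local        2121/tcp    #File Transfer [Control] (Local Override)' > "$WORK/services"
printf '%s\n' '#ftp       stream  tcp   nowait  root  /usr/libexec/ftpd  ftpd -l' \
    'ftp-local  stream  tcp   nowait  root  /usr/libexec/ftpd  ftpd -l' \
    'ftp-local  stream  tcp6  nowait  root  /usr/libexec/ftpd  ftpd -l' > "$WORK/inetd.conf"
printf '%s\n' 'net.inet.ip.portrange.hifirst: 49152' \
    'net.inet.ip.portrange.hilast: 65535' > "$WORK/sysctl.out"

audit "$WORK/services" "$WORK/inetd.conf" "$WORK/sysctl.out" ftp-local
```

On a real jail, point the three arguments at /etc/services, /etc/inetd.conf and the output of `sysctl net.inet.ip.portrange` instead of the constructed copies.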


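The group-sharing recipe in the reply (setgid on the directories, g+rwx / g+rw, chgrp to the maintenance group, umask 002) is easy to get half right, so here is an added example, not code from the mail, that applies it to a constructed tree and then verifies every entry. It uses the caller's primary group so it runs unprivileged; on the server the group would be the special maintenance group instead.

```shell
#!/bin/sh
# Added example, not from the original mail: apply the group-sharing recipe
# above (setgid directories, g+rwx/g+rw, chgrp, umask 002) to a directory
# tree and verify it. The tree is constructed under a temporary directory,
# and the group defaults to the caller's primary group so the script runs
# unprivileged; on the server it would be the maintenance group instead.

# share_with_group DIR GROUP: setgid plus g+rwx on directories, g+rw on
# files, then hand the whole tree to GROUP.
share_with_group() {
    find "$1" -type d -exec chmod g+rwxs {} \;
    find "$1" -type f -exec chmod g+rw {} \;
    chgrp -R "$2" "$1"
}

# check_shared DIR GROUP: list every entry that breaks the recipe (a directory
# without setgid or g=rwx, a file without g=rw, anything not owned by GROUP);
# succeeds only when the list is empty.
check_shared() {
    bad=$( { find "$1" -type d ! -perm -2070
             find "$1" -type f ! -perm -060
             find "$1" ! -group "$2"; } )
    [ -z "$bad" ] || { echo "not shared:"; printf '%s\n' "$bad"; return 1; }
}

# Constructed tree with restrictive modes, as left behind by a umask 077 user.
WORK=$(mktemp -d)
mkdir -p "$WORK/site/html"
: > "$WORK/site/html/index.html"
chmod 700 "$WORK/site" "$WORK/site/html"
chmod 600 "$WORK/site/html/index.html"
GROUP=$(id -gn)

check_shared "$WORK/site" "$GROUP" || echo "before: not shared"
share_with_group "$WORK/site" "$GROUP"
check_shared "$WORK/site" "$GROUP" && echo "after: shared with $GROUP"

# A new upload made with umask 002 stays group-writable and, thanks to the
# setgid bit, inherits the directory's group rather than the uploader's.
(umask 002; : > "$WORK/site/html/new.html")
check_shared "$WORK/site" "$GROUP" && echo "new file ok"
```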
