From owner-freebsd-questions@FreeBSD.ORG Fri Feb 7 15:51:04 2014
Date: Fri, 7 Feb 2014 16:50:59 +0100 (CET)
From: Trond Endrestøl
Sender: Trond.Endrestol@fagskolen.gjovik.no
To: g8kbvdave@googlemail.com
Subject: Re: FTPD port trouble.
Cc: freebsd-questions@freebsd.org

On Fri, 7 Feb 2014 14:00-0000, g8kbvdave@googlemail.com wrote:

> Hi All.
>
> How "EXACTLY" (sorry) Do I specify, the main connection port number for FTPd
> (enabled in inetd.conf, and inetd enabled in rc.conf) to listen on, and the range
> of ports to use for PASV mode?

In /etc/services, create your own definition:

ftp-local	2121/tcp	#File Transfer [Control] (Local Override)

In /etc/inetd.conf, add/modify the appropriate lines:

ftp-local	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
ftp-local	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -l

According to ftpd(8) and ip(4), ftpd does by default use IP_PORTRANGE_HIGH,
which can be adjusted by setting net.inet.ip.portrange.hifirst and
net.inet.ip.portrange.hilast on the command line for immediate effect
and/or permanently in /etc/sysctl.conf.

On one of my 9.2 systems I have:

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

Other parts of the jail may use these sysctls, so be careful.

> What parameter (.conf) files do I need to edit and/or create to do that in the
> server jail, also the exact syntax of what to put in there. (The manpages for ftpd
> leave me stone cold, as usual.)

I believe you can use /etc/sysctl.conf in each jail.

> I've a jailed web server running now on FBSD 9.2, it seems stable and does the
> job fine.
>
> The same jail also has the OS's own FTPD service running, started via inetd.
> There are three FTP users, that are chrooted to the directories needed within the
> jail, thanks to entries in /etc/ftpchroot in the jail.
>
> I have other machines on the same local LAN segment automatically updating
> data on the web pages also just fine via FTP, using either active or passive
> mode, as they see fit.
>
> However, I wish to be able to access those same directories and files via FTP
> over a SSHD session (typically using PuTTY on Windows, and a FileZilla client) for
> remote admin needs, to that end, there is a general site maintenance FTP user.

One solution, unless you want to go the POSIX ACL route, is to create a
special group for the maintenance user in /etc/groups, set the setgid bit
on the chrooted directories,

chmod -R g+s some-dir

and assign at least 0770 to each directory, and at least 0660 to each
file. These commands only modify the group access rights:

find some-dir -type d -exec chmod -R g+rwx {} \;
find some-dir -type f -exec chmod -R g+rw {} \;

and assign the special group to each file and directory:

chgrp -R specialgroup some-dir

You need to modify the user's umask to 002 for this to work properly
afterwards.

> (I usually configure such machines (on other OS's) to use "High" ports, way up in
> the dynamic range. It's never a problem, so long as both the server and client
> agree on the same ports of course.)
>
> I've spent an inordinate amount of time getting nowhere with Google, as it
> seems all the really useful FreeBSD forum archives are long gone. (404 errors.
> Why?) So I need help from the collective please.
>
> (I also still can't get onto the IRC channel(s) for FreeBSD, but that's another
> issue.)
>
> I can already do what I want just fine, when physically connected to the LAN
> with either of the portable PCs I often carry with me, so it's just those blessed
> port numbers I need to nail to the floor, so I can tunnel them via the SSH link.
>
> Best Regards, and cheers to All.
>
> Dave B.
>
> PS: If anyone knows of a good blow by blow walk through, showing how to
> setup Pure-FTPD correctly (other than just use its basic install) not needing SQL
> databases (Why complicate things?) I'd like to know for the future.
>
> Its documentation may be plentiful, but it's pure crud to read, even when
> imported into a decent reader so it doesn't hurt the eyes! :) Plus I know zilch
> re SQL databases, so that's a non-starter for me anyway.
>
> Respond off list if you feel the need.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
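An added shell example, not part of Trond's mail or of FreeBSD's own tooling, that checks the /etc/services plus inetd.conf override and the passive port range described above: it verifies that every service name in inetd.conf resolves in the services file and that the hifirst/hilast range is sane and does not contain the control port. The config fragments are constructed copies written to a temp directory, and the "ftp-typo" service name is an assumed, deliberately undefined entry; the awk parsing is a simplification that only looks at the first tcp entry for a name.

```shell
#!/bin/sh
# Added example, not from the original mail: sanity-check the ftp-local
# override before restarting inetd. Sample config fragments are constructed
# here and written to a temp dir so the script runs offline.

# Write constructed copies of the /etc/services and /etc/inetd.conf lines
# from the mail, plus one deliberately undefined service name; prints the dir.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'ftp-local\t2121/tcp\t#File Transfer [Control] (Local Override)\n' > "$d/services"
    {
        printf 'ftp-local\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n'
        printf 'ftp-local\tstream\ttcp6\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n'
        printf 'ftp-typo\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n'
    } > "$d/inetd.conf"
    echo "$d"
}

# Print the TCP port that a services file maps NAME to (empty if undefined).
service_port() {  # $1 = services file, $2 = NAME
    awk -v n="$2" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

# Print every service name used in inetd.conf that the services file does not
# define; inetd logs an unknown-service error and skips such lines, so ftpd
# would never listen on the intended port.
undefined_inetd_services() {  # $1 = services file, $2 = inetd.conf
    awk '!/^#/ && NF >= 6 { print $1 }' "$2" | sort -u | while read -r name; do
        [ -n "$(service_port "$1" "$name")" ] || echo "$name"
    done
}

# Check a passive-mode port range: non-privileged, ordered, within 16 bits and
# not containing the control port, so PASV data ports cannot collide with it.
pasv_range_ok() {  # $1 = hifirst, $2 = hilast, $3 = control port
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ] &&
        { [ "$3" -lt "$1" ] || [ "$3" -gt "$2" ]; }
}

# Stand-alone run over the constructed samples.
main() {
    d=$(make_samples)
    echo "ftp-local -> port $(service_port "$d/services" ftp-local)"
    bad=$(undefined_inetd_services "$d/services" "$d/inetd.conf")
    [ -z "$bad" ] || echo "undefined in services: $bad"
    pasv_range_ok 49152 65535 2121 && echo "passive range ok"
    rm -rf "$d"
}
main "$@"
```

Point the three functions at the jail's real /etc/services and /etc/inetd.conf and at the values from sysctl net.inet.ip.portrange to check a live configuration.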