From owner-freebsd-net Tue Dec 10 11:29:51 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D1E8737B401
	for <freebsd-net@freebsd.org>; Tue, 10 Dec 2002 11:29:49 -0800 (PST)
Received: from tp.databus.com (p70-227.acedsl.com [66.114.70.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5436843EB2
	for <freebsd-net@freebsd.org>; Tue, 10 Dec 2002 11:29:47 -0800 (PST)
	(envelope-from barney@tp.databus.com)
Received: from tp.databus.com (localhost.databus.com [127.0.0.1])
	by tp.databus.com (8.12.6/8.12.6) with ESMTP id gBAJTcMG068765;
	Tue, 10 Dec 2002 14:29:38 -0500 (EST)
	(envelope-from barney@tp.databus.com)
Received: (from barney@localhost)
	by tp.databus.com (8.12.6/8.12.6/Submit) id gBAJTcut068764;
	Tue, 10 Dec 2002 14:29:38 -0500 (EST)
	(envelope-from barney)
Date: Tue, 10 Dec 2002 14:29:38 -0500
From: Barney Wolff
To: Peter Brezny
Cc: Vincent Jardin, Barney Wolff, "Orville R. Weyrich_Jr", freebsd-net@FreeBSD.ORG
Subject: Re: passive mode ftp server, need stateful ipfw rule.
Message-ID: <20021210192938.GA68635@tp.databus.com>
References: <200212100831.45848.vjardin@wanadoo.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.4i
X-Scanned-By: MIMEDefang 2.26 (www . roaringpenguin . com / mimedefang)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Dec 10, 2002 at 01:40:43PM -0500, Peter Brezny wrote:
> How do you adjust the range of random tcp ports chosen if you are using the
> stock ftpd that comes with freebsd.

sysctl net.inet.ip.portrange.hifirst and .hilast, set by default to
49152 and 65535.  The ftpd manpage is slightly misleading here, as it
states the defaults without noting that they can be modified.  UTSL
shows that ftpd binds to port 0 for PASV, thus leaving the choice up
to the kernel.

> Of course I'd like to be able to move to sftp or scp or https, but as an isp
> with web hosting, the support overhead for all the designers to learn how to
> do it would be a bit overwhelming.
>
> What about the -punch_fw option in natd?  Has anyone used that before?

I believe that only works on the client side, but I'd be happy to be
shown to be in error.  One could hack up the natd source to do the job,
as all the pieces necessary are in there.  But beware - a server must
cope with tricks such as asking for a nonexistent file that looks like
the response to a PASV command, and so on.  Firewall vendors sometimes
actually do earn their money.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
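Two points in the reply above lend themselves to a worked example: ftpd binding its data socket to port 0 and letting the kernel pick the port (which is why an ipfw rule for PASV has to match whatever range the kernel is configured with), and the warning that a firewall helper scanning the control channel for a "227 Entering Passive Mode" reply can be fooled by a client that names a nonexistent file so that the server's error reply echoes a 227-looking string. The C program below is an added example written for this archive page; it is not code from FreeBSD's ftpd or natd. It binds a loopback socket to port 0 and reads back the port the kernel chose (requesting the high range with IP_PORTRANGE_HIGH where that socket option exists, as on FreeBSD; on other systems the range comes from that system's ephemeral-port setting), formats an RFC 959 227 reply from an address and port, and parses a 227 reply while refusing one embedded in some other reply line. The function names and the sample reply strings are my own and are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to port 0 on loopback, as ftpd does for PASV, and
 * return the port the kernel assigned (0 on failure).  On FreeBSD the
 * IP_PORTRANGE_HIGH request makes the kernel choose from
 * net.inet.ip.portrange.hifirst..hilast; on systems without that option
 * the choice comes from their own ephemeral-port range. */
int kernel_chosen_port(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return 0;
#ifdef IP_PORTRANGE
    int range = IP_PORTRANGE_HIGH;
    (void)setsockopt(fd, IPPROTO_IP, IP_PORTRANGE, &range, sizeof range);
#endif
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                      /* let the kernel pick */
    socklen_t len = sizeof sin;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return 0;
    }
    close(fd);
    return ntohs(sin.sin_port);
}

/* Build the RFC 959 reply a server sends after PASV:
 *   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
 * Returns the number of characters written, or -1 on bad input. */
int format_pasv_reply(const char *dotted_addr, int port, char *buf, size_t len)
{
    struct in_addr a;
    if (port < 1 || port > 65535 || inet_pton(AF_INET, dotted_addr, &a) != 1)
        return -1;
    const unsigned char *o = (const unsigned char *)&a.s_addr; /* network order */
    return snprintf(buf, len, "227 Entering Passive Mode (%u,%u,%u,%u,%u,%u)",
                    o[0], o[1], o[2], o[3], port / 256, port % 256);
}

/* Parse one server reply line.  Returns the data port, writing the dotted
 * address to addr_out, or -1 if the line is not a genuine 227 reply.
 * The check on the reply code at the start of the line is what defeats the
 * trick of requesting a file whose name looks like a PASV reply: the server
 * echoes the name inside a 550 line, not a 227 line, so it is rejected. */
int parse_pasv_reply(const char *line, char *addr_out, size_t addr_len)
{
    unsigned h1, h2, h3, h4, p1, p2;
    if (strncmp(line, "227 ", 4) != 0)
        return -1;
    const char *open = strchr(line, '(');
    if (open == NULL)
        return -1;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
        return -1;
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255)
        return -1;
    if (addr_out != NULL)
        snprintf(addr_out, addr_len, "%u.%u.%u.%u", h1, h2, h3, h4);
    return (int)(p1 * 256 + p2);
}

int main(void)
{
    char reply[80], addr[16];
    int port = kernel_chosen_port();
    printf("kernel chose port %d for a port-0 bind\n", port);
    if (port > 0 && format_pasv_reply("127.0.0.1", port, reply, sizeof reply) > 0)
        printf("server would send: %s\n", reply);

    /* Constructed sample: an error reply that echoes a PASV-shaped file name. */
    const char *trick = "550 227 Entering Passive Mode (10,0,0,1,0,21): No such file or directory";
    printf("parse of 550 trick line -> %d (expect -1)\n",
           parse_pasv_reply(trick, addr, sizeof addr));
    return 0;
}
```

A firewall helper that searched the whole stream for the "(h1,h2,h3,h4,p1,p2)" pattern would open 10.0.0.1 port 21 for the constructed 550 line; anchoring on the reply code at the start of the line is the minimum a helper needs, and it still has to cope with multi-line replies and with the client and server directions separately.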