Date:      Thu, 11 Oct 2001 17:52:08 +0200
From:      Martijn Lina <martijn@medialab.lostboys.nl>
To:        Peter Pentchev <roam@ringlet.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: firewall
Message-ID:  <20011011175208.B3267@medialab.lostboys.nl>
In-Reply-To: <20011011182601.D6135@straylight.oblivion.bg>
References:  <5.1.0.14.0.20011011094352.00b022e8@rfnj.org> <20011011100410.G7007-100000@mail.wlcg.com> <20011011102432.B57251@squall.waterspout.com> <20011011182601.D6135@straylight.oblivion.bg>


Once upon a 11-10-2001, Peter Pentchev hit keys in the following order:
>
> I believe that they are discussing the case of a server being NAT'd.
> In that case, the NAT machine has to allow for connections to ports > 1024
> on the server to allow PASV FTP to work.

Depends on which ftp daemon you're using. The default FreeBSD ftpd only opens a
smaller port range than just everything above 1024, according to the man page:

"In previous versions of ftpd, when a passive mode client requested a data
connection to the server, the server would use data ports in the range
1024..4999.  Now, by default, the server will use data ports in the range
49152..65535."

It would be nice if the range could actually be specified through options. My
NAT just portmaps to ports below 49152, which gives me enough simultaneous
connections through NAT. Would it be a good solution to redirect the passive
ftp port range directly to the box running ftpd (or to an ip alias in a jail, in
my home situation) with NAT and drop all connections above 49151 to other ip#s?


martijn
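
The policy asked about above, modelled as an added example that is not part of the original message: inbound ports 49152..65535 go only to the ftpd box, the NAT's own port mappings must stay below 49152, and a server's 227 reply is checked against the redirected range. The internal address, the function names and the sample replies in the test are assumptions made up for illustration.

```python
import re

# Ranges quoted from the ftpd man page in the message above.
PASV_RANGE = range(49152, 65536)    # current default passive data ports
OLD_PASV_RANGE = range(1024, 5000)  # range used by previous ftpd versions
FTPD_HOST = "192.168.1.10"          # assumed internal address of the ftpd box

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply line."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def pool_collisions(dynamic_map):
    """Alias ports handed out by the NAT that overlap the redirected range.

    The design only holds if this list is empty, i.e. the NAT really
    portmaps below 49152 as the message says.
    """
    return sorted(p for p in dynamic_map if p in PASV_RANGE)


def nat_decision(dst_port, dynamic_map):
    """Decide what happens to an inbound TCP packet on the outside address.

    dynamic_map: alias port -> internal host, for outbound connections.
    """
    if dst_port in PASV_RANGE:
        return ("redirect", FTPD_HOST)  # static range: ftpd box only
    if dst_port in dynamic_map:
        return ("translate", dynamic_map[dst_port])
    return ("drop", None)


def check_reply(reply):
    """Classify the data port a server advertised against the policy."""
    _, port = parse_pasv(reply)
    if port in PASV_RANGE:
        return "ok"
    if port in OLD_PASV_RANGE:
        return "old-range"  # pre-change ftpd: this port is not redirected
    return "outside-range"
```

A reply classified as `old-range` means the daemon still picks data ports in 1024..4999, so redirecting only 49152..65535 would break passive transfers for it.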

