Date: Wed, 29 Mar 2000 12:30:08 -0500
From: Pierre Chiu <pccb@yahoo.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <4520.000329@yahoo.com>

In FreeBSD 4.0, ipfw supports stateful inspection. I think this is very
useful for running an ftp server and would work for both active and
passive setups. Can somebody share their rulesets with us?

> What I have done is to configure FTPd to use ports between 40000 and
> 44999 (wu-ftpd allows it to be done easily; don't know others) and then:
>
> allow tcp from any to my_ip 40000-44999 in setup
>
> It's not the best, but still better than nothing.
>
> Anyway, remember that on passive FTP the client opens a TCP con. from >1024
> to 21 and, the server picks a port (in the mentioned range in this case),
> tells it to the client and then the client connects from >1024 to this
> port.
>
> Port 20 is used in normal FTP: the client connects from >1024 to 21
> and the server connects from >1024 to 20 on the client for the data
> connection.
>
> (Warning: this is from the top of my head, I don't have "Building
> Internet FWs" or similar around right now.)
>
> Regards!
>
> In a previous message, Jim Durham wrote:
>> I'm looking for some input on how to set up
>> FTP through an IPFW firewall so that you don't
>> have to run passive mode.
>>
>> Passive mode makes things like building ports difficult.
>>
>> I believe that the problem is that the return connection
>> set up by an FTP server to the client comes from port 20.
>> To open up "any 20" to high port numbers on your
>> system seems like a problem to me. Is there a secure
>> way to do this?
>
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333

--
Pierre
                \\|//
                (o o)
+-----------oOOo-(_)-oOOo----------------+
 EMail : mailto:pccb(at)yahoo(dot)com
 PGPkey: http://www.everyday.cx/pgpkey.txt
+========================================+
paradigm shift...without a clutch
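
Added example, not part of the original thread: a Python illustration of what a filter has to read from the FTP control channel to know which data connection follows, using the RFC 959 encoding (PORT command and 227 reply carry h1,h2,h3,h4,p1,p2 with port = p1*256 + p2; active-mode data connections originate from server port 20). The function names, addresses and sample lines are constructed for illustration; the 40000-44999 range is the one from the quoted rule.

```python
import re

# Range from the quoted rule: allow tcp from any to my_ip 40000-44999 in setup
PASV_RANGE = range(40000, 45000)
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) announced by a PORT command or 227 reply, else None."""
    line = line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _SIX.search(line)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None  # malformed octet
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def data_connection(line, server_ip, client_ip):
    """Describe the data connection a control-channel line sets up, or None."""
    ep = parse_endpoint(line)
    if ep is None:
        return None
    ip, port = ep
    if line.strip().startswith("227 "):
        # Passive: the client opens the data connection to the server's port.
        return {"mode": "passive", "opened_by": client_ip, "dst": ep,
                "addr_is_peer": ip == server_ip,
                "static_rule_covers": port in PASV_RANGE}
    # Active: the server opens it from port 20 to the port the client named,
    # so the inbound 40000-44999 rule never applies.
    return {"mode": "active", "opened_by": (server_ip, 20), "dst": ep,
            "addr_is_peer": ip == client_ip,
            "static_rule_covers": False}

# Constructed control-channel lines (documentation addresses, not real traffic).
SAMPLES = [
    "227 Entering Passive Mode (192,0,2,10,156,64)",
    "227 Entering Passive Mode (192,0,2,10,19,136)",
    "PORT 198,51,100,7,4,1",
    "230 User logged in.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", data_connection(s, "192.0.2.10", "198.51.100.7"))
```

The second sample shows a passive port outside the configured range, which the static rule would drop; the third shows why active mode needs a separate, outbound-from-20 allowance or state tracking.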