From owner-freebsd-questions Fri Sep 6 8: 8: 5 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC8DD37B400 for ; Fri, 6 Sep 2002 08:08:01 -0700 (PDT)
Received: from pacific.boldfish.com (mail.boldfish.com [65.206.203.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 459B443E4A for ; Fri, 6 Sep 2002 08:08:01 -0700 (PDT) (envelope-from dave@boldfish.com)
Received: from hat-trick.boldfish.com (hat-trick.boldfish.com [192.168.0.10]) by pacific.boldfish.com (8.11.6/8.11.1) with ESMTP id g86F7EY32561; Fri, 6 Sep 2002 08:07:14 -0700
Date: Fri, 6 Sep 2002 08:06:04 -0700 (PDT)
From: Dave Young
To: Drew Tomlinson
Cc: FreeBSD Questions
Subject: Re: How To Set Passive FTP Port Range?
In-Reply-To: <002901c255b5$4b7cb220$6e2a6ba5@TAGALONG>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 6 Sep 2002, Drew Tomlinson wrote:

> I'm using the ftp daemon that ships with FBSD. From the man page, I
> see that it uses ports 49152-65535 by default for passive ftp. So to
> allow passive ftp, I have to open this port range on my firewall.

For outgoing ftp, yes. If you're setting up an ftp server on your home
machine, you just need to open tcp 21. Incoming ftp requests come in on
that port.

ftp client: uses a high port > 1024 to connect to the server (low port, 21)

active ftp: ftp server tries to come back to the client and connect (tcp 20
I think); if you use a stateless firewall, it's hard to deal with.

passive ftp is a client-side work-around when the *client* doesn't have a
stateful firewall, since the server can't make a connection back to the
client (ftp is a strange protocol); therefore the PORT and DATA commands
come through on the initial >1024 to 21 connection.
In a nutshell, I think you just need to open 21 to your machine. If you have
outgoing packet firewall rules, then you'll have an issue being the *client*
if you block outgoing connections > 1024.

hope that helps...

Dave

> I suspect there is a way to further limit this port range. My
> questions are:
>
> 1. Can I further limit the port range?
>
> 2. Is there any significant security advantage by doing so?
>
> 3. Are there any disadvantages from limiting the port range further?
>
> My particular system is just a small home system and will only have a
> very small number (like 10 or less) of ftp users at any given time.
>
> Any insight or links to appropriate documents appreciated.
>
> Thanks,
>
> Drew
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
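As an added example that is not part of this thread and not code from FreeBSD's ftpd: a small Python helper that decodes the address/port tuples FTP exchanges on the control connection (the client's PORT command in active mode, the server's 227 reply in passive mode) and checks the advertised port against the 49152-65535 default range quoted above, so a firewall opening can be verified against what the server actually hands out. The sample transcript, addresses and function names are constructed for the example.

```python
import re

# Default passive range quoted from the ftpd man page in the thread above.
PASSIVE_RANGE = (49152, 65535)
# h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and by the 227 reply.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the six-number tuple into (ip, port); None if absent or invalid."""
    m = _TUPLE.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line, port_range=PASSIVE_RANGE):
    """Describe the data connection one control-channel line sets up.
    Active (client sends PORT): the server connects back to the client.
    Passive (server replies 227): the client connects to the server."""
    if line.upper().startswith("PORT "):
        mode, opener = "active", "server"
    elif line.startswith("227 "):
        mode, opener = "passive", "client"
    else:
        return None  # not a line that sets up a data connection
    hp = parse_hostport(line)
    if hp is None:
        return {"mode": mode, "error": "malformed address tuple"}
    ip, port = hp
    low, high = port_range
    # Only a passive server port must fall in the firewall's opened range; an active port is the client's.
    return {"mode": mode, "opened_by": opener, "ip": ip, "port": port,
            "in_range": low <= port <= high}

def blocked_passive_ports(transcript, port_range=PASSIVE_RANGE):
    """Server-advertised passive ports that a firewall opening only port_range would block."""
    infos = (data_connection(l, port_range) for l in transcript)
    return [d["port"] for d in infos if d and d["mode"] == "passive" and d.get("in_range") is False]

# Constructed sample transcript (documentation addresses, not real hosts).
SAMPLE = [
    "220 ftp ready",
    "PORT 192,0,2,10,4,1",                              # client port 1025
    "227 Entering Passive Mode (198,51,100,7,195,80)",  # server port 50000
    "227 Entering Passive Mode (198,51,100,7,4,0)",     # server port 1024
]
if __name__ == "__main__":
    print([data_connection(l) for l in SAMPLE], blocked_passive_ports(SAMPLE))  # ... [1024]
```

The last 227 line advertises port 1024, which is outside the default range, so a firewall opened only for 49152-65535 would silently break that transfer; that is the mismatch this check is meant to catch.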