Date: Thu, 31 Dec 1998 10:50:46 +0100
From: Rico Pajarola <pajarola@cybertime.ch>
To: security@FreeBSD.ORG
Message-ID: <3.0.32.19981231104939.0092f230@www.dlc.cybertime.ch>
Dima wrote:

> > I have this:
> >
> > ruleadd(`pass tcp from any 20 to any 30000-63000 via NETIF setup')
> > ruleadd(`pass tcp from any 20 to any 1024-4096 via NETIF setup')

This effectively disables a considerable part of your firewall, as it allows anyone who can bind to port 20 to connect to any port in this range. If you don't care about stray 'servers' installed by your users (one of the top reasons for me to install a firewall), this won't be a problem. It may still fail if the server doesn't connect from port 20 (probably as seldom as a server who can't do passive mode).

> Or alternatively, you can use passive ftp only. In this case you
> won't need any of these.

I've never run into a server (or client) who can't do passive mode. But many clients can't be configured to use passive mode as default (and it's very annoying when you connect and it hangs on the first ls).

Rico Pajarola
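The point Rico makes above, that a `setup` rule keyed only on source port 20 admits any inbound connection from that port into the whole destination range, can be checked before such a ruleset is loaded. The following is an added example, not code from the original message and not part of ipfw: a small Python model of the rule subset used in the thread (`pass`/`allow`/`deny`, `tcp`, `from ADDR [PORT]`, `to ADDR [PORT|LO-HI]`, `via IFACE`, `setup`) that parses the two quoted rules and evaluates constructed inbound SYNs against them with ipfw's first-match semantics, and against an empty inbound ruleset for the "passive FTP only" alternative. The addresses, the ports 40000 and 50000, the treatment of the m4 macro `NETIF` as a literal interface name, and the helper names (`parse_rule`, `verdict`, `audit`) are all assumptions made for the example.

```python
"""Toy model of the ipfw rules quoted in this thread (added example).

Supports only the rule subset used above and evaluates constructed TCP
segments with first-match semantics.  NETIF, an m4 macro in the quoted
ruleset, is treated here as a literal interface name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Packet:
    """One TCP segment arriving at the filter (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    action: str            # 'pass' or 'deny'
    src: str               # 'any' or an exact address
    sports: PortRange
    dst: str
    dports: PortRange
    iface: Optional[str]   # 'via' interface, or None for any interface
    setup: bool            # 'setup' keyword: match only SYN without ACK


RULE_RE = re.compile(
    r"^(pass|allow|deny)\s+tcp\s+from\s+(\S+)(?:\s+(\d+(?:-\d+)?))?"
    r"\s+to\s+(\S+)(?:\s+(\d+(?:-\d+)?))?(?:\s+via\s+(\S+))?(\s+setup)?\s*$"
)


def _ports(tok: Optional[str]) -> PortRange:
    if tok is None:
        return None
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo))


def parse_rule(text: str) -> Rule:
    """Parse one rule; the m4 ruleadd(`...') wrapper from the thread is stripped."""
    body = text.strip()
    wrapped = re.match(r"^ruleadd\(`(.*)'\)$", body)
    if wrapped:
        body = wrapped.group(1)
    m = RULE_RE.match(body)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, src, sp, dst, dp, iface, setup = m.groups()
    return Rule("pass" if action == "allow" else action,
                src, _ports(sp), dst, _ports(dp), iface, bool(setup))


def _port_ok(pr: PortRange, port: int) -> bool:
    return pr is None or pr[0] <= port <= pr[1]


def _addr_ok(want: str, have: str) -> bool:
    return want == "any" or want == have


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sports, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dports, pkt.dport))


def verdict(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default policy applies if none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# The two rules quoted in the thread, for inbound connection setup on NETIF.
ACTIVE_FTP_RULES = [parse_rule(t) for t in (
    "ruleadd(`pass tcp from any 20 to any 30000-63000 via NETIF setup')",
    "ruleadd(`pass tcp from any 20 to any 1024-4096 via NETIF setup')",
)]
# "Passive FTP only": the client opens the data connection itself, so no inbound
# setup rule is needed and the default policy decides every inbound SYN.
PASSIVE_ONLY_RULES: List[Rule] = []

# Constructed addresses from the documentation ranges (assumptions).
CLIENT = "198.51.100.5"      # host behind the firewall, possibly running a stray server
FTP_SERVER = "192.0.2.10"    # legitimate remote FTP server
OTHER_HOST = "192.0.2.77"    # any other remote host


def inbound_syn(src: str, sport: int, dport: int) -> Packet:
    return Packet(src, sport, CLIENT, dport, "NETIF", syn=True, ack=False)


def audit(rules: List[Rule]) -> dict:
    """Verdicts for the cases discussed in the thread, keyed by a short label."""
    return {
        "active ftp data, server port 20 -> client 40000":
            verdict(rules, inbound_syn(FTP_SERVER, 20, 40000)),
        "other host, port 20 -> stray server on 40000":
            verdict(rules, inbound_syn(OTHER_HOST, 20, 40000)),
        "other host, port 50000 -> 40000":
            verdict(rules, inbound_syn(OTHER_HOST, 50000, 40000)),
        "other host, port 20 -> 22 (outside both ranges)":
            verdict(rules, inbound_syn(OTHER_HOST, 20, 22)),
    }


if __name__ == "__main__":
    for name, rules in (("active-ftp rules", ACTIVE_FTP_RULES),
                        ("passive only", PASSIVE_ONLY_RULES)):
        print(name)
        for label, result in audit(rules).items():
            print(f"  {result:5}  {label}")
```

Run as a script, the audit shows the legitimate active-FTP data connection and the unrelated port-20 connection to a stray server receiving the same `pass` verdict under the quoted rules, since the filter cannot tell them apart by source port alone, while the empty passive-only inbound ruleset denies both and leaves the passive data connection unaffected because the client initiates it outbound.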