Date: Fri, 6 Sep 2002 08:06:04 -0700 (PDT)
From: Dave Young <dave@boldfish.com>
To: Drew Tomlinson <drew@mykitchentable.net>
Cc: FreeBSD Questions <questions@FreeBSD.ORG>
Subject: Re: How To Set Passive FTP Port Range?
Message-ID: <Pine.LNX.4.44.0209060757120.22268-100000@hat-trick.boldfish.com>
In-Reply-To: <002901c255b5$4b7cb220$6e2a6ba5@TAGALONG>

On Fri, 6 Sep 2002, Drew Tomlinson wrote:

> I'm using the ftp daemon that ships with FBSD. From the man page, I
> see that it uses ports 49152-65535 by default for passive ftp. So to
> allow passive ftp, I have open this port range on my firewall.

for outgoing ftp, yes. If you're setting up a ftp server on your home
machine, you just need to open tcp 21. Incoming ftp requests come in on
that port.

ftp client: uses a high port > 1024 to connect to the server (low port, 21)

active ftp: ftp server tries to come back to the client and connect
(tcp 20 I think)
if you use a stateless firewall, it's hard to deal with

passive ftp is a client side work-around when the *client* doesn't have a
stateful firewall, since the server can't make a connection back to the
client (ftp is a strange protocol)
therefore the PORT and DATA commands come through on the initial >1024 to
21 connection.

in a nutshell, I think you just need to open 21 to your machine. If you
have outgoing packet firewall rules, then you'll have an issue being the
*client* if you block outgoing connections > 1024

hope that helps...

Dave

>
> I suspect there is a way to further limit this port range. My
> questions are:
>
> 1. Can I further limit the port range?
>
> 2. Is there any significant security advantage by doing so?
>
> 3. Are there any disadvantages from limiting the port range further?
>
> My particular system is just a small home system and will only have a
> very small number (like 10 or less) of ftp users at any given time.
>
> Any insight or links to appropriate documents appreciated.
>
> Thanks,
>
> Drew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
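
An added example, not part of the original message: it parses RFC 959 control-channel lines (a 227 passive reply and a PORT command) to show which side listens for the data connection and whether a passive port falls inside the 49152-65535 default range quoted above. The function names and sample lines are constructed for illustration.

```python
import re

# Default passive range quoted from the ftpd man page in the message above.
PASSIVE_RANGE = (49152, 65535)

# h1,h2,h3,h4,p1,p2 as used by both the 227 reply and the PORT command (RFC 959).
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a '227 ...' reply or a 'PORT ...' command, else None."""
    text = line.strip()
    if not (text.startswith("227") or text.upper().startswith("PORT ")):
        return None
    m = _TUPLE.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line, allowed=PASSIVE_RANGE):
    """Describe the data connection that a control-channel line sets up."""
    ep = parse_endpoint(line)
    if ep is None:
        return None
    ip, port = ep
    if line.lstrip().startswith("227"):
        # Passive: the server listens, the client opens a second TCP connection to it.
        ok = allowed[0] <= port <= allowed[1]
        return {"mode": "passive", "listener": "server", "ip": ip,
                "port": port, "in_allowed_range": ok}
    # Active: the client listens, the server connects back to the announced port.
    return {"mode": "active", "listener": "client", "ip": ip,
            "port": port, "in_allowed_range": None}

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,192,12)",
    "PORT 198,51,100,7,4,210",
    "227 Entering Passive Mode (192,0,2,10,19,137)",
    "230 User logged in.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", data_connection(line))
```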