Date:      Fri, 6 Sep 2002 08:06:04 -0700 (PDT)
From:      Dave Young <dave@boldfish.com>
To:        Drew Tomlinson <drew@mykitchentable.net>
Cc:        FreeBSD Questions <questions@FreeBSD.ORG>
Subject:   Re: How To Set Passive FTP Port Range?
Message-ID:  <Pine.LNX.4.44.0209060757120.22268-100000@hat-trick.boldfish.com>
In-Reply-To: <002901c255b5$4b7cb220$6e2a6ba5@TAGALONG>

On Fri, 6 Sep 2002, Drew Tomlinson wrote:

> I'm using the ftp daemon that ships with FBSD.  From the man page, I
> see that it uses ports 49152-65535 by default for passive ftp.  So to
> allow passive ftp, I have to open this port range on my firewall.

For outgoing ftp, yes. If you're setting up an ftp server on your home
machine, you just need to open tcp 21. Incoming ftp requests come in on
that port.

ftp client: uses a high port > 1024 to connect to the server (low port, 21)

active ftp: ftp server tries to come back to the client and connect (tcp
20 I think). If you use a stateless firewall, it's hard to deal with.


passive ftp is a client-side work-around when the *client* doesn't have a
stateful firewall, since the server can't make a connection back to
the client (ftp is a strange protocol); therefore the PORT and DATA
commands come through on the initial >1024 to 21 connection.


In a nutshell, I think you just need to open 21 to your machine. If you
have outgoing packet firewall rules, then you'll have an issue being the
*client* if you block outgoing connections > 1024.

hope that helps...

Dave

> I suspect there is a way to further limit this port range.  My
> questions are:
> 
> 1. Can I further limit the port range?
> 
> 2. Is there any significant security advantage by doing so?
> 
> 3. Are there any disadvantages from limiting the port range further?
> 
> My particular system is just a small home system and will only have a
> very small number (like 10 or less) of ftp users at any given time.
> 
> Any insight or links to appropriate documents appreciated.
> 
> Thanks,
> 
> Drew
> 
> 
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
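Editor's added example (not part of the original thread or of FreeBSD's ftpd): the practical firewall question in this exchange is which side opens the *data* connection. In active mode the client sends `PORT h1,h2,h3,h4,p1,p2` and the server connects back to the client from tcp/20, so the client's firewall needs the inbound hole; in passive mode the client sends `PASV`, the server answers `227 ... (h1,h2,h3,h4,p1,p2)`, and the client connects to that server port, so the server's firewall needs the range open (on FreeBSD, ftpd's passive range is the high port range governed by the `net.inet.ip.portrange.hifirst` and `hilast` sysctls, 49152-65535 by default). The code below parses both messages (the sample lines are constructed), decodes the port as `p1*256 + p2`, reports which side must accept an unsolicited inbound connection, and checks a passive port against the allowed range. All function names are the editor's own.

```python
import re

# Constructed sample control-channel lines (not captured from a real session).
ACTIVE_PORT_CMD = "PORT 192,168,1,10,200,5"                      # client -> server
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,5,213,118)"  # server -> client, answer to PASV

# FreeBSD's default high port range (net.inet.ip.portrange.hifirst/hilast),
# which is what a passive-mode ftpd hands out by default.
PASV_RANGE = (49152, 65535)

_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple in a PORT command or a 227 reply."""
    m = _TUPLE_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]   # FTP encodes the 16-bit port as two decimal bytes
    return ip, port


def data_connection(line):
    """Classify a PORT command or 227 reply: who connects to whom for the data channel."""
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        # Active mode: the server originates, from tcp/20, to the address the client named.
        return {"mode": "active", "initiator": "server", "from_port": 20, "to": (ip, port)}
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        # Passive mode: the client originates, from an ephemeral port, to the server's PASV port.
        return {"mode": "passive", "initiator": "client", "from_port": None, "to": (ip, port)}
    raise ValueError("not a PORT command or a 227 reply: %r" % line)


def inbound_hole_needed(conn):
    """Which side must accept an unsolicited inbound TCP connection, and on which port."""
    ip, port = conn["to"]
    if conn["mode"] == "active":
        return ("client", port)   # client firewall must admit server:20 -> client:port
    return ("server", port)       # server firewall must admit client -> server:port


def in_pasv_range(port, port_range=PASV_RANGE):
    """True if a server-side firewall that opens only tcp/21 plus port_range would admit this port."""
    lo, hi = port_range
    return lo <= port <= hi


if __name__ == "__main__":
    for line in (ACTIVE_PORT_CMD, PASSIVE_REPLY):
        conn = data_connection(line)
        side, port = inbound_hole_needed(conn)
        print("%-8s %s must accept inbound on tcp/%d (in default pasv range: %s)"
              % (conn["mode"], side, port, in_pasv_range(port)))
```

Narrowing the range (for instance, lowering `hilast` on the server) shrinks the inbound hole a server-side firewall has to leave open; the trade-off is that a smaller pool is shared by every passive data connection, so it should still comfortably exceed the number of concurrent transfers you expect.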