Date:      Fri, 6 Sep 2002 08:59:49 -0700 (PDT)
From:      Dave Young <dave@boldfish.com>
To:        Drew Tomlinson <drew@mykitchentable.net>
Cc:        FreeBSD Questions <questions@FreeBSD.ORG>
Subject:   Re: How To Set Passive FTP Port Range?
Message-ID:  <Pine.LNX.4.44.0209060857120.22409-100000@hat-trick.boldfish.com>
In-Reply-To: <Pine.LNX.4.44.0209060757120.22268-100000@hat-trick.boldfish.com>

ahh, I see, the part I'm missing is passive opens up a < 1024 for the 
client:

The result of this is that the server then opens a random unprivileged 
port (P > 1024) and sends the PORT P command back to the client. The 
client then initiates the connection from port N+1 to port P on the 
server to transfer data. 



So, and in my case, using a firewall w/ connection tracking would allow 
you to keep the high ports closed, as the firewall would open it up just 
for that client just for that session. Anyone? Is that correct?


On Fri, 6 Sep 2002, Dave Young wrote:

> On Fri, 6 Sep 2002, Drew Tomlinson wrote:
> 
> > I'm using the ftp daemon that ships with FBSD.  From the man page, I
> > see that it uses ports 49152-65535 by default for passive ftp.  So to
> > allow passive ftp, I have opened this port range on my firewall.
> 
> for outgoing ftp, yes. If you're setting up an ftp server on your home 
> machine, you just need to open tcp 21. Incoming ftp requests come in on 
> that port. 
> 
> ftp client: uses a high port > 1024 to connect to the server (low port, 
> 21)
> 
> active ftp: ftp server tries to come back to the client and connect (tcp 
> 20 I think). If you use a stateless firewall, it's hard to deal with.
> 
> 
> passive ftp is a client side work-around when the *client* doesn't have a 
> stateful firewall, since the server can't make a connection back to 
> the client (ftp is a strange protocol) therefore the PORT and DATA 
> commands come through on the initial >1024 to 21 connection.
> 
> 
> in a nutshell, I think you just need to open 21 to your machine. If you 
> have outgoing packet firewall rules, then you'll have an issue being the 
> *client* if you block outgoing connections > 1024
> 
> 
> 
> hope that helps...
> 
> 
> 
> Dave
> 
> 
> 
> 
> 
> > I suspect there is a way to further limit this port range.  My
> > questions are:
> > 
> > 1. Can I further limit the port range?
> > 
> > 2. Is there any significant security advantage by doing so?
> > 
> > 3. Are there any disadvantages from limiting the port range further?
> > 
> > My particular system is just a small home system and will only have a
> > very small number (like 10 or less) of ftp users at any given time.
> > 
> > Any insight or links to appropriate documents appreciated.
> > 
> > Thanks,
> > 
> > Drew
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> > 
> 
> 
> 


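Added example, not part of the thread or of FreeBSD's ftpd: a small simulation of what the "connection tracking" firewall discussed above does for passive FTP. It parses the server's 227 reply on the control channel and derives the single data-channel pinhole for that client and session, instead of leaving the whole 49152-65535 range open; the check that the advertised host equals the control-channel peer, and the sample address 192.0.2.10, are assumptions of this example.

```python
"""Simulate a stateful firewall's FTP helper for PASV (constructed example)."""
import re
from typing import Optional, Tuple

# Default passive range of the FreeBSD ftpd, as quoted in the thread.
PASV_PORT_MIN = 49152
PASV_PORT_MAX = 65535

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = tuple(int(x) for x in m.groups())
    if any(v > 255 for v in fields):
        return None                      # malformed: every field is an 8-bit value
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for(reply: str, control_peer: str,
                lo: int = PASV_PORT_MIN, hi: int = PASV_PORT_MAX
                ) -> Optional[Tuple[str, int]]:
    """The one (host, port) a stateful helper would open for this session, or None.

    control_peer is the server address the control connection (port 21) went to.
    Assumed checks (not from the thread): the advertised host must equal that
    peer, and the port must lie in the range the server is configured to use.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    if host != control_peer:
        return None                      # reply points elsewhere: do not follow it
    if not lo <= port <= hi:
        return None                      # outside the configured passive range
    return host, port


if __name__ == "__main__":
    # Constructed control-channel replies; 192.0.2.10 is a documentation address.
    ok = "227 Entering Passive Mode (192,0,2,10,195,80)"   # port 195*256+80 = 50000
    print(pinhole_for(ok, "192.0.2.10"))                    # ('192.0.2.10', 50000)
    low = "227 Entering Passive Mode (192,0,2,10,3,232)"    # port 1000, below the range
    print(pinhole_for(low, "192.0.2.10"))                   # None
```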



