From owner-freebsd-questions Fri Sep 6 12:55:34 2002
From: "Danny Carroll"
To: "Drew Tomlinson", "FreeBSD Questions"
Subject: Re: How To Set Passive FTP Port Range?
Date: Fri, 6 Sep 2002 21:54:54 +0200
Message-ID: <003801c255df$45e049b0$0164a8c0@llama>
References: <002901c255b5$4b7cb220$6e2a6ba5@TAGALONG>

I think it has something to do with these sysctl vars...

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

As for the FTP protocol itself, here are the basics:

Client:(any port) connects to Server:21
This is the control connection.

When a data connection is made (ls, get et al) then:

In Active FTP, the client tells the server what port to connect to it on.
server:20 -> client:(any port)

In Passive FTP, the server tells the client which port to connect on.
client:(20 or any) -> server:(any)

In passive, the server never establishes a connection.
Passive gets through firewalls because most firewalls will allow inside -> outside connections.
Active (traditional) ftp is harder because the firewall at the client end does not know what the port will be... But a good firewall will be able to discover the port.

If you are using natd and ipfw then look at the punch_fw setting. It basically watches FTP data and opens up holes where needed. Much tighter than opening up a whole lot.

Or, force your clients to be active (server establishing connection)... But this way you will always have problems with corporate firewalls.

-D

> I'm using the ftp daemon that ships with FBSD. From the man page, I
> see that it uses ports 49152-65535 by default for passive ftp. So to
> allow passive ftp, I have open this port range on my firewall.
>
> I suspect there is a way to further limit this port range. My
> questions are:
>
> 1. Can I further limit the port range?
>
> 2. Is there any significant security advantage by doing so?
>
> 3. Are there any disadvantages from limiting the port range further?
>
> My particular system is just a small home system and will only have a
> very small number (like 10 or less) of ftp users at any given time.
>
> Any insight or links to appropriate documents appreciated.
>
> Thanks,
>
> Drew
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
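As an added example, not code from this thread, here is a small Python helper that decodes the PASV reply and PORT command behind the active/passive exchange described above and checks whether the data port a server announces falls inside the range the firewall was opened for (the sysctl defaults quoted in the thread). The 227/PORT lines and addresses are constructed for illustration, and the helper names are my own.

```python
import re

# FreeBSD's default passive range, as quoted in the thread's sysctl values
PASSIVE_FIRST, PASSIVE_LAST = 49152, 65535

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(match):
    """Turn the six comma-separated octets into (host, port); port = p1*256 + p2."""
    fields = [int(g) for g in match.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("octet out of range: %r" % match.group(0))
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(line):
    """Passive mode: the server announces where the client must connect."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m)


def parse_port_command(line):
    """Active mode: the client announces where the server must connect back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m)


def passive_hole_covers(pasv_line, first=PASSIVE_FIRST, last=PASSIVE_LAST):
    """True if the data port the server picked lies inside the range the
    firewall was opened for; a server announcing a port outside that range
    leaves every passive transfer hanging after the 227 reply."""
    _host, port = parse_pasv_reply(pasv_line)
    return first <= port <= last


def pinhole_for(pasv_line, client_ip):
    """The single flow an FTP-aware helper (punch_fw style) would open:
    client -> the one negotiated server port, rather than the whole range."""
    host, port = parse_pasv_reply(pasv_line)
    return {"proto": "tcp", "src": client_ip, "dst": host, "dport": port}
```

Feeding the control-channel lines of a real session through `passive_hole_covers` is a quick way to confirm that a narrowed range (hifirst/hilast) and the firewall rule actually agree.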