Date: Fri, 6 Sep 2002 21:54:54 +0200
From: "Danny Carroll" <danny@dannysplace.net>
To: "Drew Tomlinson" <drew@mykitchentable.net>, "FreeBSD Questions" <questions@freebsd.org>
Subject: Re: How To Set Passive FTP Port Range?
Message-ID: <003801c255df$45e049b0$0164a8c0@llama>
References: <002901c255b5$4b7cb220$6e2a6ba5@TAGALONG>
I think it has something to do with these sysctl vars...

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

As for the FTP protocol itself, here are the basics:

Client:(any port) connects to Server:21
This is the control connection.

When a data connection is made (ls, get et al.) then:

In Active FTP, the client tells the server what port to connect to it on.
server:20 -> client:(any port)

In Passive FTP, the server tells the client which port to connect on.
client:(20 or any) -> server:(any)

In passive, the server never establishes a connection. Passive gets through firewalls because most firewalls will allow inside -> outside connections. Active (traditional) FTP is harder because the firewall at the client end does not know what the port will be... But a good firewall will be able to discover the port.

If you are using natd and ipfw then look at the punch_fw setting. It basically watches FTP data and opens up holes where needed. Much tighter than opening up a whole lot.

Or, force your clients to be active (server establishing connection)... But this way you will always have problems with corporate firewalls.

-D

> I'm using the ftp daemon that ships with FBSD. From the man page, I
> see that it uses ports 49152-65535 by default for passive ftp. So to
> allow passive ftp, I have to open this port range on my firewall.
>
> I suspect there is a way to further limit this port range. My
> questions are:
>
> 1. Can I further limit the port range?
>
> 2. Is there any significant security advantage by doing so?
>
> 3. Are there any disadvantages from limiting the port range further?
>
> My particular system is just a small home system and will only have a
> very small number (like 10 or less) of ftp users at any given time.
>
> Any insight or links to appropriate documents appreciated.
>
> Thanks,
>
> Drew
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
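The exchange described above (server answers PASV with a 227 reply naming the data port; the client then connects to it) and the port-range sysctls named in the reply, as an added example that is not part of the original thread: a small Python checker that parses the 227 reply in the six-byte RFC 959 form, computes the advertised port, and reports whether that port falls inside the range a firewall has been told to open. It also emits /etc/sysctl.conf lines for a narrowed hifirst/hilast range after validating it. The sample replies and the narrowed range values are constructed; that ftpd's passive ports follow net.inet.ip.portrange.hifirst/hilast is taken from the thread, not verified here.

```python
"""Check FTP passive-mode (PASV) replies against a firewall's open port range.

Added example, not code from the FreeBSD mailing list thread. Sample replies
below are constructed; the default range is the one quoted in the thread.
"""
import re

# Defaults quoted in the thread: FreeBSD's "high" port range used by ftpd.
HIFIRST = 49152
HILAST = 65535

# RFC 959 style 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # high byte, low byte
    return host, port


def port_allowed(port, first=HIFIRST, last=HILAST):
    """True if the data port lies in the range the firewall has opened."""
    return first <= port <= last


def check_passive_reply(reply, first=HIFIRST, last=HILAST):
    """Describe whether the data connection for this reply would pass a
    firewall that opens only first..last inbound to the server."""
    host, port = parse_pasv(reply)
    return {"host": host, "port": port, "allowed": port_allowed(port, first, last)}


def sysctl_lines(first, last):
    """Validate a narrowed passive range and return /etc/sysctl.conf lines.
    Values are hypothetical; the sysctl names are the ones named in the thread."""
    if not (1024 <= first <= last <= 65535):
        raise ValueError("range must satisfy 1024 <= first <= last <= 65535")
    return [
        "net.inet.ip.portrange.hifirst=%d" % first,
        "net.inet.ip.portrange.hilast=%d" % last,
    ]


# Constructed sample replies: the first advertises 195*256+80 = 50000 (inside
# the default high range), the second advertises 3*256+232 = 1000 (outside it).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,1,195,80)",
    "227 Entering Passive Mode (192,168,1,1,3,232)",
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r, "->", check_passive_reply(r))
    print("\n".join(sysctl_lines(50000, 50100)))
```

Run it to see which of the sample replies a firewall opening only the default range would let through; the second reply would have its data connection dropped, which is exactly the symptom of a server whose passive range and firewall rules disagree.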