passive FTP ports

Lem0nHead (Verified User, joined Nov 28, 2004, 265 messages)
hello

any reasons why I shouldn't add something like this:
PassivePorts 60000 61000
to proftpd.conf and allow just these ports on the firewall,
so the firewall can be more restrictive?
 
I think the perfect solution would be to make proftpd call ipfw, allowing the connection when it opens a passive port and closing it again when it closes the port,
but that would require a hack on proftpd
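As an added example (not from the thread or from ProFTPD itself), this script reads the PassivePorts directive from a proftpd.conf, validates the range, emits the matching stateful ipfw rules so the firewall opens exactly the ports the daemon will hand out, and checks a PASV reply against that range. The config text, rule numbers and interface name are constructed assumptions.

```python
import re

# Constructed sample proftpd.conf fragment; only PassivePorts matters here.
SAMPLE_CONF = """\
ServerName "FTP"
# data ports handed out in 227 replies
PassivePorts 60000 61000
"""

_PASSIVE = re.compile(r'^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$', re.M)
_PASV = re.compile(r'\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


def passive_range(conf_text):
    """Return (low, high) from PassivePorts, refusing bogus or privileged ranges."""
    m = _PASSIVE.search(conf_text)
    if not m:
        raise ValueError("no PassivePorts directive: proftpd would use any free port")
    low, high = int(m.group(1)), int(m.group(2))
    if not 1024 <= low <= high <= 65535:
        raise ValueError(f"bad PassivePorts range {low}-{high}")
    return low, high


def ipfw_rules(conf_text, iface="em0", base=1000):
    """Build ipfw commands for the control channel plus the passive data range.
    'setup keep-state' admits only the SYN of a new connection and then lets the
    stateful engine carry the rest, so nothing outside the range is reachable;
    check-state first so established flows match before any deny rule."""
    low, high = passive_range(conf_text)
    return [
        f"ipfw add {base} check-state",
        f"ipfw add {base + 10} allow tcp from any to me 21 in via {iface} setup keep-state",
        f"ipfw add {base + 20} allow tcp from any to me {low}-{high} in via {iface} setup keep-state",
    ]


def pasv_data_port(reply):
    """Decode the port from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = _PASV.search(reply)
    if not m:
        raise ValueError("not a PASV reply")
    p1, p2 = int(m.group(5)), int(m.group(6))
    return p1 * 256 + p2


def pasv_in_range(reply, conf_text):
    """True if the port the daemon offered is inside the firewalled range."""
    low, high = passive_range(conf_text)
    return low <= pasv_data_port(reply) <= high
```

Run `pasv_in_range` against a real 227 reply after changing the config to confirm the daemon and the firewall agree on the range.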
 
I'm not an expert in that area, but I don't think that would work, since you have to allow incoming connections for ftp on some port regardless. You might be able to decrease the number of ports open at the same time if it did work, but I don't think it would be worth the trouble.
 
the idea is: if you enable connections on ports that are not being used, a daemon can be run on them
so if proftpd would allow the connection just when it opens the port, I think it would be fine
I don't know how APF does it on my Linux server (using iptables), but it manages to allow passive FTP without allowing all other connections...
I read about IPFW, but didn't get it to work :(
maybe there's a way...
 
Lem0nHead,

Are you using linux?

Are you using APF?

APF will open up the requested port for passive FTP only after the connection is made and authenticated on port 21, so there's really no benefit in restricting passive FTP to a specific range.

That capability was built into the ProFTPd daemon before iptables, when you couldn't do that.

Jeff
 
jlasman said:
Lem0nHead,

Are you using linux?

Are you using APF?

APF will open up the requested port for passive FTP only after the connection is made and authenticated on port 21, so there's really no benefit in restricting passive FTP to a specific range.

That capability was built into the ProFTPd daemon before iptables, when you couldn't do that.

Jeff

no
I'm using FreeBSD with ipfw
I just mentioned Linux with APF (iptables) to show that it's possible not to need to allow all ports or restrict the passive FTP port range
how does APF know when it was authenticated on port 21? does ProFTPd communicate with it? could it communicate with ipfw too?

thanks
 
Sorry, but I don't really know the down and dirty details.

And if I did, it wouldn't help, because I don't know a thing about ipfw.

Any FreeBSD experts care to try an answer?

If you tell me which version of FreeBSD I'll move the thread to a FreeBSD forum where it might attract more knowledgeable responses.

Jeff
 
jlasman said:
Sorry, but I don't really know the down and dirty details.

And if I did, it wouldn't help, because I don't know a thing about ipfw.

Any FreeBSD experts care to try an answer?

If you tell me which version of FreeBSD I'll move the thread to a FreeBSD forum where it might attract more knowledgeable responses.

Jeff

I'm using FreeBSD 4.x, but I believe it's the same for any version >4 (when ipfw became stateful)
 
Stateful!

That's the word I couldn't think of.

I still have to move the thread to one of the FreeBSD forums. 4.x is as good as any :) .

Jeff
 