Hole in IPChains FW for passive FTP

nobaloney
Creating a hole in the IPChains firewall requires code similar to the following to allow passive FTP transit to work:
Code:
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49171
The code doesn't work when inserted in the main /etc/proftpd.conf file.

To get it to work I have to put it into /etc/proftpd.vhosts.conf.

Which I now do.

Where is the master for the proftpd.vhosts.conf file? I don't want to have to do it by hand every time we set up a new domain using a new dedicated IP#.

Any help will be greatly appreciated.

Thanks.

Jeff
 
Unfortunately, there isn't one right now. It's all parsed and hard coded.. I can look into creating a template for it for a future release.

John
 
Please, please, please.

This is a problem for our systems using ipchains.

Thanks.

Jeff
 
It's already in the versions system. The release might be pushed back to get everything done, but it will be in the next release :) (Along with the new skin ;))

John
 
It seems to work for me in the main proftpd.conf file. I remember it didn't work in the top part of the file but it works inside the <Global> area. eg:

<Global>
PassivePorts 49152 65534
DeferWelcome on
etc....
 
DirectAdmin Support said:
It's already in the versions system. The release might be pushed back to get everything done, but it will be in the next release :) (Along with the new skin ;))
John, see the rest of the thread; perhaps just adding it inside of <global> in /proftpd.conf would be a better approach.

Vetrun recommends all the ports; I only use 20; that seems to be enough; we never have more than 20 people ftp-ing in at a time.

Jeff
 
vetrun said:
It seems to work for me in the main proftpd.conf file. I remember it didn't work in the top part of the file but it works inside the <Global> area.
Thanks, vetrun.

Why didn't I think of that ? :)

Note that you're using the entire ephemeral range; I only open 20 ports; that seems to be enough for our servers.

Are you using ipchains? Do you really open all the ports? If so, how? Surely you don't have thousands of lines. Do you use a programmed script with a loop?

We just use /etc/sysconfig/ipchains on our RHL-based servers.

Jeff
 
I'm using FreeBSD so I use IPFW and open the ports with the following line:

add allow tcp from any to me 49152-65534 setup

There should be a way to open a range of ports using ipchains but I don't use it so I don't know.

vetrun
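As an added example (not code from this thread, DirectAdmin or ProFTPD), the following Python check ties the two halves of the discussion together: it reads PassivePorts only from inside <Global>, where the thread found the directive takes effect, and compares that range against the low:high port range in an ipchains rule, reporting both a hole that is too narrow (passive data connections dropped) and ports opened beyond what proftpd will ever hand out. The sample config and rule are constructed, and the ipchains rule syntax is an assumption.

```python
import re

# Constructed sample proftpd.conf in the shape the thread ends up with:
# PassivePorts placed inside <Global> rather than at the top of the file.
SAMPLE_PROFTPD_CONF = """\
<Global>
  # use part of the IANA registered ephemeral port range
  PassivePorts 49152 49171
  DeferWelcome on
</Global>
"""

# Constructed ipchains rule using its low:high port-range notation
# (rule syntax is an assumption; adapt chain and address to your host).
SAMPLE_IPCHAINS_RULE = "-A input -p tcp -d 0.0.0.0/0 49152:49171 -y -j ACCEPT"


def passive_ports(conf):
    """Return (low, high) from a PassivePorts directive inside <Global>, or
    None if it is absent or sits outside <Global> (the placement the thread
    reports as not taking effect, so it must not count as a configured hole)."""
    in_global = False
    for line in conf.splitlines():
        s = line.strip()
        if s.lower() == "<global>":
            in_global = True
        elif s.lower() == "</global>":
            in_global = False
        elif in_global:
            m = re.match(r"PassivePorts\s+(\d+)\s+(\d+)$", s, re.I)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None


def ipchains_range(rule):
    """Extract the low:high TCP port range from an ipchains rule string."""
    m = re.search(r"\b(\d+):(\d+)\b", rule)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_hole(conf, rule):
    """Return (covered, outside_ports): covered is False when the firewall
    hole is narrower than PassivePorts; outside_ports counts ports the rule
    opens that proftpd never uses (the least-privilege cost of a wide hole)."""
    want, have = passive_ports(conf), ipchains_range(rule)
    if want is None or have is None:
        return False, 0
    covered = have[0] <= want[0] and want[1] <= have[1]
    outside = max(0, want[0] - have[0]) + max(0, have[1] - want[1])
    return covered, outside
```

Running check_hole against a rule for the whole 49152-65534 range, as in vetrun's IPFW line, reports a covered hole with 16363 ports open that a 20-port PassivePorts range will never use.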
 