passive FTP ports

Lem0nHead

Verified User
Joined
Nov 28, 2004
Messages
265
hello

any reasons why I shouldn't add something like that
PassivePorts 60000 61000
on proftpd.conf and allow just these ports on the firewall
so the firewall can be more restrictive?

Lem0nHead

Verified User
Joined
Nov 28, 2004
Messages
265
I think the perfect solution would be to make proftpd call ipfw allowing the connection when it opens a passive port and again when it closes it
but that would require a hack on proftpd

jmstacey

Verified User
Joined
Feb 12, 2004
Messages
4,107
Location
Colorado
I'm not an expert in that area, but I don't think that would work, since you have to allow incoming connections for ftp on some port regardless. You might be able to decrease the number of ports open at the same time if it did work, but I don't think it would be worth the trouble.

Lem0nHead

Verified User
Joined
Nov 28, 2004
Messages
265
the idea is: if you enable connections on ports that are not being used, a daemon can be run on them
so if proftpd would allow the connection just when it opens the port, I think it would be fine
I don't know how APF does it on my linux server (using iptables), but it gets to allow passive FTP without allowing all other connections...
I read about IPFW, but didn't get to do it :(
maybe there's a way...

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Lem0nHead,

Are you using linux?

Are you using APF?

APF will open up the requested port for passive FTP only after the connection is made and authenticated on port 21, so there's really no benefit in restricting passive FTP to a specific range.

That capability was built into the ProFTPd daemon before iptables, when you couldn't do that.

Jeff

Lem0nHead

Verified User
Joined
Nov 28, 2004
Messages
265
jlasman said:
Lem0nHead,

Are you using linux?

Are you using APF?

APF will open up the requested port for passive FTP only after the connection is made and authenticated on port 21, so there's really no benefit in restricting passive FTP to a specific range.

That capability was built into the ProFTPd daemon before iptables, when you couldn't do that.

Jeff
no
I'm using FreeBSD with ipfw
I just mentioned Linux with APF (iptables) to show that it's possible not to need to allow all ports or restrict the FTP passive ports range
how does APF know when it was authenticated on port 21? ProFTPd communicates with it? could it communicate with ipfw too?

thanks

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Sorry, but I don't really know the down and dirty details.

And if I did, it wouldn't help, because I don't know a thing about ipfw.

Any FreeBSD experts care to try an answer?

If you tell me which version of FreeBSD I'll move the thread to a FreeBSD forum where it might attract more knowledgeable responses.

Jeff

Lem0nHead

Verified User
Joined
Nov 28, 2004
Messages
265
jlasman said:
Sorry, but I don't really know the down and dirty details.

And if I did, it wouldn't help, because I don't know a thing about ipfw.

Any FreeBSD experts care to try an answer?

If you tell me which version of FreeBSD I'll move the thread to a FreeBSD forum where it might attract more knowledgeable responses.

Jeff
I'm using freebsd 4.x, but I believe it's the same for any version >4 (when ipfw became stateful)
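The setup the thread is circling around, as an added example that is not from the thread or the proftpd project: a POSIX sh script that reads the PassivePorts directive from a constructed proftpd.conf fragment, checks the range is sane, and prints (does not execute) the stateful ipfw rules that admit inbound TCP only on port 21 and that range. The rule numbers 100-130 are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Given proftpd's PassivePorts
# directive, print the ipfw rules that admit only the control port and that
# range. The config fragment and the rule numbers (100-130) are constructed.

# Constructed proftpd.conf fragment standing in for the real file.
SAMPLE_CONF='ServerName "ftp"
Port 21
PassivePorts 60000 61000
MaxInstances 30'

# Print "LOW HIGH" from the first PassivePorts line; fail (status 1) when the
# directive is missing, reversed, or reaches into the privileged ports.
passive_range() {
    range=$(printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }')
    set -- $range
    [ "$#" -eq 2 ] || return 1
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# Emit (do not execute) a stateful ipfw ruleset: check-state first so packets
# on already-tracked sessions pass, then SYNs to port 21 and the passive range
# only, then an explicit deny for every other inbound TCP setup.
ipfw_rules() {
    range=$(passive_range "$1") || return 1
    set -- $range
    cat <<EOF
ipfw add 100 check-state
ipfw add 110 allow tcp from any to me 21 in setup keep-state
ipfw add 120 allow tcp from any to me $1-$2 in setup keep-state
ipfw add 130 deny tcp from any to me in setup
EOF
}

ipfw_rules "$SAMPLE_CONF"
```

The range still has to be wide enough for the number of simultaneous data connections the server is expected to carry, since each passive transfer occupies one port from it.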

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Stateful!

That's the word I couldn't think of.

I still have to move the thread to one of the FreeBSD forums. 4.x is as good as any :) .

Jeff