----- Original Message -----
From: "Grant Cooper" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, October 11, 2002 5:10 PM
Subject: Re: ipfw rules

> I am having the same problem. I now just allow ftp from certain IP
> addresses. But doesn't the second rule,
>
> # /sbin/ipfw 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state
>
> kind of beat the purpose of a firewall? That's a lot of open ports. I
> thought IPFW had a way to remember the ports opened by ftp and create rules
> dynamically based on the ports opened by ftp.

You're thinking of the "punch firewall" option in natd. If you're using the
ftpd that comes with FBSD, you will see in the man page that the default port
range is 49152-65535, so as I understand it, you do not need to open ports
1024-49151 as they will not be used.

I am also told one can further limit the port range used by the default ftpd
by modifying these sysctl vars:

net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

However I have not actually tried this. I don't know if there's any
significant security advantage in limiting the port range further as I have
not seen any discussion on this. But I would suspect that it certainly
wouldn't hurt to limit the port range to the number of expected concurrent ftp
sessions, thus closing off more ports.

Anyone else reading this, please correct me if I am mistaken.

Thanks,
Drew

> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, October 11, 2002 3:33 PM
> Subject: re: ipfw rules
>
> > I was finally able to get ftp (using passive ftp) to work through our
> > firewall. these are the rules I had to add:
> >
> > # /sbin/ipfw 10000 allow tcp from any 1024-65535 to any 21 out setup keep-state
> > # /sbin/ipfw 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state
> >
> > the first rule (10000) allows our server to connect via any high port to any
> > server out there on port 21 (ftp). this is to initiate the 'control
> > connection'.
> >
> > the second rule (10001) allows anyone to connect via high ports to and from
> > our server. this is for the data transfer part.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
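Added example, not code from the thread or from the posters: a small sh script that audits ipfw rules in the form quoted above and flags any whose destination port span is wider than the stock ftpd passive range Drew mentions (49152-65535, 16384 ports). The sample rule lines are constructed for the demo, and the 16384-port threshold, the rule numbers and the narrowed "to me 49152-65535" rule are assumptions, not something the thread ran.

```shell
#!/bin/sh
# Added example (not from the thread): audit ipfw rules like the ones quoted
# above and report any whose destination port range is wider than the stock
# FreeBSD ftpd passive range (49152-65535, 16384 ports). The rule lines below
# are constructed for the demo; "me" is ipfw's keyword for the local host.

# Count the ports matched by a port spec: "21" -> 1, "1024-65535" -> 64512.
# A missing spec (the next word is "setup", "in", ...) means every port.
port_span() {
    case "$1" in
        *[!0-9-]*|'') echo 65536 ;;
        *-*) echo $(( ${1#*-} - ${1%-*} + 1 )) ;;
        *)   echo 1 ;;
    esac
}

# Destination port spec of a rule: the word two after "to".
dst_ports() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "to") { print $(i + 2); exit } }'
}

# Read rules on stdin; print "WIDE" or "ok", the span and the rule for each.
audit_rules() {
    maxspan="$1"
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        span=$(port_span "$(dst_ports "$rule")")
        if [ "$span" -gt "$maxspan" ]; then
            printf 'WIDE %s %s\n' "$span" "$rule"
        else
            printf 'ok   %s %s\n' "$span" "$rule"
        fi
    done
}

# Constructed rule set: the control rule from the thread, the broad data rule
# Grant objected to, and a narrowed replacement limited to the ftpd range.
SAMPLE_RULES='add 10000 allow tcp from any 1024-65535 to any 21 out setup keep-state
add 10001 allow tcp from any 1024-65535 to any 1024-65535 setup keep-state
add 10001 allow tcp from any 1024-65535 to me 49152-65535 in setup keep-state'

# Number of sample rules flagged WIDE against the 16384-port threshold.
wide_count() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules 16384 | grep -c '^WIDE'
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules 16384
```

Run it against your own `ipfw list` output (piped into `audit_rules`) to see which rules open more of the high port range than the ftpd actually uses.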