[Fedora] Re: Blocking vsftpd

Jeff Vian jvian10 at charter.net
Tue Feb 8 02:07:00 UTC 2005


On Mon, 2005-02-07 at 17:45 -0700, Ashley M. Kirchner wrote:
> Paul Howarth wrote:
> 
> > Change 127.0.0.1 to your LAN IP address if you want it to accept 
> > connections from your LAN only. You could connect to your own computer 
> > this way but you'd have to use the LAN address rather than "localhost" 
> > when connecting.
> >
> > If you want to allow connections from localhost *and* your LAN then it 
> > gets a bit more complicated, e.g. using iptables to restrict incoming 
> > connections, or running 2 vsftpd instances, one listening on the 
> > localhost address and one on your LAN IP address.
> 
>     Well, let's see here.  It is a public server which answers to www 
> calls (it has a public IP as well.)  One of the sites connects locally 
> to an FTP applet for file uploads (which basically opens a connection to 
> the local vsftpd daemon.)  So, setting it to listen to localhost would 
> work ... however, there will be other machines on our network (not 
> necessarily on the same LAN) that will connect to this server.  We have 
> three subnets on our (public) network so I need to be able to cross from 
> one subnet, through our router, back into the other subnet and to vsftpd 
> running on this machine.
> 
>     So, as far as the www site is concerned, yes I can set it to listen 
> to localhost, however that will prevent any of our other machines from 
> connecting to it.  And setting it to its LAN IP will prevent machines on 
> the other subnets from reaching it.  At least, I think it will.  I'm 
> stuck I think.
> 
>     --A
> 
> 

man vsftp.conf, man vsftp, and iptables should make it very possible.

With iptables you can prevent any IP address except the ones authorized
from connecting to a specific port.

Answering to public IP calls _usually_ implies that the machine has a
routeable public IP.  If so, then you are not dealing with NAT (at least
in some respects) and that simplifies it.
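As an added illustration of the iptables approach suggested above (not code from the original thread), the script below builds a rule set that lets only localhost and a list of authorized subnets open connections to the vsftpd control port (TCP/21) and rejects everyone else, so vsftpd itself can keep listening on all addresses. The subnet values are constructed placeholders from the RFC 5737 documentation ranges, and the chain name FTP-ALLOW is an arbitrary choice; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Restrict new FTP control connections (TCP/21) to localhost plus the
# subnets listed below. Dry run by default: IPT="iptables" applies them.
# Constructed placeholder subnets; replace with the real LAN/subnet ranges.
ALLOWED_SUBNETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"
: "${IPT:=echo iptables}"

vsftpd_rules() {
    # Create the chain if missing, then empty it so the script is re-runnable.
    $IPT -N FTP-ALLOW 2>/dev/null || true
    $IPT -F FTP-ALLOW

    # Loopback first, so the local web applet keeps working via 127.0.0.1.
    $IPT -A FTP-ALLOW -s 127.0.0.1 -j ACCEPT

    # One ACCEPT per authorized subnet; traffic routed in from another
    # subnet still carries its source address, so source matching works.
    for net in $ALLOWED_SUBNETS; do
        $IPT -A FTP-ALLOW -s "$net" -j ACCEPT
    done

    # Anything else gets a clean TCP reset rather than a silent timeout.
    $IPT -A FTP-ALLOW -j REJECT --reject-with tcp-reset

    # Send only NEW connection attempts to port 21 through the chain.
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP-ALLOW
}

# Helper for checking the generated rule set: number of ACCEPT rules
# (localhost plus one per subnet).
count_accept_rules() {
    vsftpd_rules | grep -c -- '-j ACCEPT'
}

vsftpd_rules
```

Passive-mode FTP data connections use separate ports, so on a real host also load the FTP connection-tracking helper module and accept RELATED,ESTABLISHED traffic in INPUT, otherwise data transfers from allowed clients will still be rejected.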