[Fedora] Re: Blocking vsftpd
Jeff Vian
jvian10 at charter.net
Tue Feb 8 02:07:00 UTC 2005
On Mon, 2005-02-07 at 17:45 -0700, Ashley M. Kirchner wrote:
> Paul Howarth wrote:
>
> > Change 127.0.0.1 to your LAN IP address if you want it to accept
> > connections from your LAN only. You could connect to your own computer
> > this way but you'd have to use the LAN address rather than "localhost"
> > when connecting.
> >
> > If you want to allow connections from localhost *and* your LAN then it
> > gets a bit more complicated, e.g. using iptables to restrict incoming
> > connections, or running 2 vsftpd instances, one listening on the
> > localhost address and one on your LAN IP address.
>
> Well, let's see here. It is a public server which answers to www
> calls (it has a public IP as well.) One of the sites connects locally
> to an FTP applet for file uploads (which basically opens a connection to
> the local vsftpd daemon.) So, setting it to listen to localhost would
> work ... however, there will be other machines on our network (not
> necessarily on the same LAN) that will connect to this server. We have
> three subnets on our (public) network so I need to be able to cross from
> one subnet, through our router, back into the other subnet and to vsftpd
> running on this machine.
>
> So, as far as the www site is concerned, yes I can set it to listen
> to localhost, however that will prevent any of our other machines from
> connecting to it. And setting it to its LAN IP will prevent machines on
> the other subnets from reaching it. At least, I think it will. I'm
> stuck I think.
>
> --A
>
>
man vsftpd.conf, man vsftpd, and iptables should make it very possible.
With iptables you can prevent any IP address except the ones authorized
from connecting to a specific port.
Answering to public IP calls _usually_ implies that the machine has a
routeable public IP. If so, then you are not dealing with NAT (at least
in some respects) and that simplifies it.
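An added example, not from the thread, of the iptables approach described above: a POSIX shell script that prints (rather than applies) a rule set letting only loopback and a list of authorised subnets reach vsftpd's control port and its passive data-port range, so the rules can be reviewed before use. The chain name FTP-IN, the passive port range and the subnets passed to the functions are assumed placeholder values, and the passive range must match pasv_min_port/pasv_max_port in vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Emits iptables rules that allow FTP
# only from loopback plus the subnets given as arguments. Nothing is applied;
# pipe the output to sh after reviewing it.

FTP_PORT=21
PASV_MIN=40000   # assumed value; must equal pasv_min_port in vsftpd.conf
PASV_MAX=40100   # assumed value; must equal pasv_max_port in vsftpd.conf

# Print ACCEPT rules for one source ($1 = address or CIDR) covering both
# the control port and the passive data-port range.
accept_from() {
    printf 'iptables -A FTP-IN -s %s -p tcp --dport %s -j ACCEPT\n' "$1" "$FTP_PORT"
    printf 'iptables -A FTP-IN -s %s -p tcp --dport %s:%s -j ACCEPT\n' "$1" "$PASV_MIN" "$PASV_MAX"
}

# Build the whole FTP-IN chain: replies to established sessions, loopback,
# each authorised subnet, then a logged drop for every other source.
ftp_rules() {
    printf 'iptables -N FTP-IN\n'
    printf 'iptables -A FTP-IN -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    accept_from 127.0.0.1
    for net in "$@"; do
        accept_from "$net"
    done
    printf 'iptables -A FTP-IN -p tcp --dport %s -j LOG --log-prefix "ftp-denied: "\n' "$FTP_PORT"
    printf 'iptables -A FTP-IN -p tcp --dport %s -j DROP\n' "$FTP_PORT"
    printf 'iptables -A FTP-IN -p tcp --dport %s:%s -j DROP\n' "$PASV_MIN" "$PASV_MAX"
    # Hook the chain into INPUT for the control port and the passive range only.
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s,%s:%s -j FTP-IN\n' \
        "$FTP_PORT" "$PASV_MIN" "$PASV_MAX"
}

# Number of sources granted access to the control port in the generated set.
count_allowed() {
    ftp_rules "$@" | grep -c -- "--dport $FTP_PORT -j ACCEPT"
}

# Example run with three constructed subnets standing in for the three
# public subnets mentioned in the thread.
ftp_rules 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
```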