
Re: Any danger from these ports?



On Thu, 2005-13-01 at 01:03 +0100, Alexander Dalloz wrote:
> On Wed, 12.01.2005 at 17:03, Charles R. Anderson wrote:
> 
> > Passive FTP listens on random local ephemeral ports for data
> > connections set up by the 21/tcp control stream.  If you are not using
> > a stateful firewall with a FTP helper, then you need to allow incoming
> > TCP connections to whatever range your FTP server uses for passive FTP
> > (defaults to the entire local port range).  This is why I have always
> > set up my FTP server similar to this (older box using ipchains):
> > 
> > /etc/sysctl.conf:
> > net.ipv4.ip_local_port_range = 60000 65535
> > 
> > /etc/vsftpd.conf:
> > pasv_min_port=59000
> > pasv_max_port=59999
> > 
> > /etc/sysconfig/ipchains:
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY
> 
> It is much better to use the ip_conntrack_ftp iptables helper module and the
> stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to
> "blindly" open a range of high ports. Why use ipchains, which is not
> stateful, when you have iptables?
> This can easily be done with the default Fedora Core iptables rules by adding
> ip_conntrack_ftp to IPTABLES_MODULES="" in
> /etc/sysconfig/iptables-config.
> 
> Alexander
> 

Linux has had modules for handling FTP through NAT since at least the 
1.3 kernel. The only reason to use passive FTP has been when dealing 
with firewalls that cannot handle connection tracking for FTP.

I will agree that iptables has more functionality than ipchains and 
if possible should be used for current implementations.
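An iptables counterpart to the ipchains rules quoted above, written as an added example for this thread rather than taken from it: it relies on the ip_conntrack_ftp helper so that passive data connections are accepted as RELATED, opens only 21/tcp to new connections, and checks that the vsftpd passive range stays clear of the kernel's ephemeral port range. The interface name eth0 and the port numbers are assumptions mirroring the values in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables ruleset
# for a vsftpd server that uses the FTP connection-tracking helper instead of
# a blanket-open high-port range, and verifies that the passive range chosen
# in vsftpd.conf does not overlap the kernel's ip_local_port_range (an overlap
# would let ordinary outbound connections collide with passive data ports).
# Interface and port values are assumptions taken from the thread's examples.
# The module name ip_conntrack_ftp is the 2.4/2.6-era name used in the thread;
# on current kernels the helper is nf_conntrack_ftp.

IFACE="${IFACE:-eth0}"

# Returns 0 if [pasv_min,pasv_max] lies entirely outside [eph_lo,eph_hi].
# Args: pasv_min pasv_max eph_lo eph_hi
pasv_range_ok() {
    pmin=$1; pmax=$2; elo=$3; ehi=$4
    [ "$pmin" -le "$pmax" ] || return 1
    [ "$pmax" -lt "$elo" ] || [ "$pmin" -gt "$ehi" ]
}

# Emit the iptables commands (one per line) for the FTP service on $IFACE.
# Data connections negotiated over the control channel arrive as RELATED and
# are accepted by the first rule; a NEW connection to the passive range that
# the helper did not predict is logged and dropped, like the -l DENY above.
# Args: pasv_min pasv_max
ftp_ruleset() {
    pmin=$1; pmax=$2
    cat <<EOF
modprobe ip_conntrack_ftp
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $pmin:$pmax -m state --state NEW -j LOG --log-prefix "pasv-no-helper: "
iptables -A INPUT -i $IFACE -p tcp --dport $pmin:$pmax -m state --state NEW -j DROP
iptables -A INPUT -i $IFACE -p tcp -m state --state NEW -j DROP
EOF
}

# Count rules that ACCEPT NEW connections; a helper-based set has exactly one
# (port 21), since no passive data port is opened to unsolicited connections.
# Args: pasv_min pasv_max
count_new_accepts() {
    ftp_ruleset "$1" "$2" | grep -c -- '--state NEW -j ACCEPT'
}
```

Running `ftp_ruleset 59000 59999` prints the commands for review; pipe the output to `sh` only after `pasv_range_ok 59000 59999 60000 65535` succeeds.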


