david,
while i'm sure your rule will work, opening up >15,000 ports
to make ftp function is not the correct way to go about this
issue. instead, install and configure an ftpd which allows
you to specify the ports which are advertised by the server
to the client. wuftpd and proftpd both do this very nicely.
you should specify the smallest range possible, and ensure
that no other applications are already bound to those ports.
even a hundred ports will accommodate a large number of ftp
users...
e.g. with ipf.conf rules as such

# allow ftp, keep state
pass in log first quick on iprb0 proto tcp from any \
to myIP/32 port = 21 flags S keep frags keep state

# allow ftp passive mode
# (see /etc/ftpaccess for wu-ftpd port range declaration)
# (see /usr/local/etc/proftpd.conf for proftpd port range declaration)
pass in log first quick on iprb0 proto tcp from any \
to myIP/32 port 24000 >< 24100 flags S keep frags keep state

so, when using wuftpd

(hostA)$ grep passive /etc/ftpaccess
passive ports 0.0.0.0/0 24001 24099

similarly, when using proftpd,

(hostB)$ grep PassivePorts /usr/local/etc/proftpd.conf
PassivePorts 24001 24099
jim
David S. wrote:
With passive mode FTP, the client attempts to open a second TCP
connection to the server to function as the data channel. If
you want to support passive FTP, then you'll have to configure
your packet filter to allow those connections. The man page for
FreeBSD's 'ftpd' indicates that, by default, the server uses
the ports 49152..65535 for passive connections. So you'll need
a rule something like
pass in quick on <your interface> proto tcp from any to \
<your address> port 49151 >< 65536 flags S keep state
David S.
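The point jim makes is easy to get wrong because ipf's `A >< B` excludes both endpoints while the ftpd ranges are inclusive. The script below is an added example, not code from either message: it parses the rule and the ftpd config lines quoted above, checks that every advertised passive port is actually let through, and flags a hole that is far larger than what the daemon uses. The interface name `fxp0`, the address `192.0.2.10` standing in for David's placeholders, and the `PassivePorts` line used to express FreeBSD ftpd's default range are constructed for the example.

```python
# Added example (not from the thread): check that an ipf passive-FTP rule and the
# range the ftpd advertises agree.  Sample lines are constructed from the message.
import re

# ipf "port A >< B" matches ports strictly between A and B: both ends are excluded.
IPF_RANGE_RE = re.compile(r"port\s+(\d+)\s+><\s+(\d+)")
# wu-ftpd /etc/ftpaccess "passive ports <cidr> <min> <max>" and
# proftpd.conf "PassivePorts <min> <max>" both give inclusive bounds.
WUFTPD_RE = re.compile(r"^passive\s+ports\s+\S+\s+(\d+)\s+(\d+)", re.M)
PROFTPD_RE = re.compile(r"^PassivePorts\s+(\d+)\s+(\d+)", re.M)

# Constructed inputs: Jim's rule and configs; David's rule with the FreeBSD ftpd
# default 49152..65535 written as a PassivePorts line so the checker can read it.
JIM_RULE = ("pass in log first quick on iprb0 proto tcp from any to myIP/32 "
            "port 24000 >< 24100 flags S keep frags keep state")
JIM_FTPACCESS = "passive ports 0.0.0.0/0 24001 24099\n"
JIM_PROFTPD = "PassivePorts 24001 24099\n"
DAVID_RULE = ("pass in quick on fxp0 proto tcp from any to 192.0.2.10 "
              "port 49151 >< 65536 flags S keep state")
DAVID_DEFAULT = "PassivePorts 49152 65535\n"

def ipf_allowed_range(rule):
    """Translate ipf 'A >< B' into the inclusive port set it really permits: A+1..B-1."""
    lo, hi = map(int, IPF_RANGE_RE.search(rule).groups())
    return range(lo + 1, hi)

def ftpd_advertised_range(conf):
    """Inclusive passive range a wu-ftpd or proftpd config advertises to clients."""
    m = WUFTPD_RE.search(conf) or PROFTPD_RE.search(conf)
    lo, hi = map(int, m.groups())
    return range(lo, hi + 1)

def check(rule, conf, max_ports=100):
    """Return findings; an empty list means filter and daemon agree and the hole is small."""
    allowed, advertised = ipf_allowed_range(rule), ftpd_advertised_range(conf)
    leaked = [p for p in advertised if p not in allowed]   # advertised but filtered
    findings = []
    if leaked:
        findings.append(f"{len(leaked)} advertised ports are blocked by the filter "
                        f"(first: {leaked[0]}); data connections to them will hang")
    unused = len(allowed) - (len(advertised) - len(leaked))  # open, never advertised
    if unused > 0:
        findings.append(f"filter opens {unused} ports the daemon never advertises")
    if len(allowed) > max_ports:
        findings.append(f"filter opens {len(allowed)} ports, above the {max_ports} cap")
    return findings

if __name__ == "__main__":
    for who, rule, conf in (("jim", JIM_RULE, JIM_FTPACCESS), ("david", DAVID_RULE, DAVID_DEFAULT)):
        print(who, check(rule, conf) or ["ok"])
```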