On Tuesday 28 March 2006 14.09, Michael Schmidt wrote:
> Hello,
>
> did anyone set up helpful tricks in pf concerning passive ports for ftp?
>
> Why I am asking has the following reason:
> In general you have to open ports for incoming passive ftp requests on a
> wide range, but that's a point I don't like as I want to make life as
> hard as possible for intruders/hackers who may try "ah, let's see
> what's all open on that machine".
>
> So what I want to set up is pf and the ftp-daemon in that way that the
> ftp-daemon offers only a very small range of passive ports (or perhaps
> only one single passive port?) and that pf opens only the same small
> range of ports (or the same single port).
> As it would be best to not reinvent the wheel I would like to know:
> Did anyone do such a setup and could share ideas?
>
> Have a nice day
> Michael
[EMAIL PROTECTED]:~# grep porthilast /etc/sysctl.conf
net.inet.ip.porthilast=49191 # Gives a port range from 49152 to 49191

And then handle the above range for passive ports that are used by the ftpd.

/Per-Olov

--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
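As an added example (not from the thread or from OpenBSD itself), a small check that the port range pf lets in agrees with the kernel's porthifirst/porthilast range that ftpd draws its passive data ports from; the sysctl.conf and pf.conf contents, the em0 interface and the macro names are constructed assumptions.

```python
import re

# Constructed sample input (not from the thread): a sysctl.conf and pf.conf
# written along the lines of the advice above; em0 is a placeholder interface.
SYSCTL_CONF = """\
net.inet.ip.porthilast=49191   # ftpd's passive ports now come from 49152-49191
"""
PF_CONF = """\
ext_if = "em0"
ftp_pasv = "49152:49191"
pass in on $ext_if proto tcp from any to ($ext_if) port { 21, $ftp_pasv }
"""

def high_port_range(sysctl_text):
    """Return (porthifirst, porthilast), the range ftpd binds passive data ports
    from. OpenBSD's defaults, 49152-65535, apply when a key is not set."""
    vals = {"net.inet.ip.porthifirst": 49152, "net.inet.ip.porthilast": 65535}
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(net\.inet\.ip\.porthi(?:first|last))\s*=\s*(\d+)$", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    return vals["net.inet.ip.porthifirst"], vals["net.inet.ip.porthilast"]

def pf_port_ranges(pf_text):
    """Return every lo:hi port range found in pf.conf after expanding simple
    macro = "value" definitions. Assumes no IPv6 literals in the rules."""
    macros, ranges = {}, []
    for line in pf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, val in macros.items():
            line = line.replace("$" + name, val)
        ranges += [(int(a), int(b)) for a, b in re.findall(r"(?<![\w:.])(\d+):(\d+)(?![\w:])", line)]
    return ranges

def check_passive_range(sysctl_text, pf_text):
    """Compare the kernel's high port range with what pf lets in.
    Returns a list of findings; an empty list means the two agree exactly."""
    lo, hi = high_port_range(sysctl_text)
    findings = []
    for plo, phi in pf_port_ranges(pf_text):
        if plo < lo or phi > hi:
            findings.append(f"pf opens {plo}:{phi} outside ftpd's {lo}-{hi}: needless exposure")
        elif plo > lo or phi < hi:
            findings.append(f"pf opens {plo}:{phi} inside {lo}-{hi}: some passive transfers will be dropped")
    return findings
```

A range this small also caps concurrent passive data connections at roughly its size, so the single-port variant the question mentions would allow one passive transfer at a time.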