Any danger from these ports?

Guy Fraser guy at incentre.net
Thu Jan 13 15:34:01 UTC 2005


On Thu, 2005-13-01 at 01:03 +0100, Alexander Dalloz wrote:
> On Wed, 12.01.2005, Charles R. Anderson wrote at 17:03:
> 
> > Passive FTP listens on random local ephemeral ports for data
> > connections set up by the 21/tcp control stream.  If you are not using
> > a stateful firewall with a FTP helper, then you need to allow incoming
> > TCP connections to whatever range your FTP server uses for passive FTP
> > (defaults to the entire local port range).  This is why I have always
> > set up my FTP server similar to this (older box using ipchains):
> > 
> > /etc/sysctl.conf:
> > net.ipv4.ip_local_port_range = 60000 65535
> > 
> > /etc/vsftpd.conf:
> > pasv_min_port=59000
> > pasv_max_port=59999
> > 
> > /etc/sysconfig/ipchains:
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY
> 
> It is much better to use the ip_conntrack_ftp iptables helper module and the
> stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to
> "blindly" open a range of high ports. Why use ipchains, which is not
> stateful, when you have iptables?
> This can easily be done with the default Fedora Core iptables rules by adding
> ip_conntrack_ftp to IPTABLES_MODULES="" in
> /etc/sysconfig/iptables-config.
> 
> Alexander
> 

Linux has had modules for handling FTP through NAT since at least the 
1.3 kernel. The only reason to use passive FTP has been when dealing 
with firewalls that cannot handle connection tracking for FTP.

I will agree that iptables has more functionality than ipchains and 
if possible should be used for current implementations.

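As an added example (not code from the thread or from any of its posters), the script below shows the stateful approach Alexander describes next to the range-consistency check implied by Charles's configuration: it generates an iptables ruleset that opens only 21/tcp explicitly and admits passive data connections as RELATED via the FTP conntrack helper, and it verifies that the vsftpd passive range does not overlap the kernel's ephemeral range (the two sets of values in the thread, 59000-59999 and 60000-65535, are kept disjoint for exactly that reason). The interface name, the log prefix and the sample vsftpd.conf contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: interface eth0,
# vsftpd-style pasv_min_port/pasv_max_port keys, and the -m state match
# syntax of the iptables generation discussed in the thread.

# Return 0 if the passive range [pmin,pmax] is well formed (above the
# privileged ports, within 1-65535) and disjoint from the kernel's local
# ephemeral range [emin,emax]; return 1 otherwise. Overlap would let the
# kernel hand an ephemeral port to another socket that the FTP server
# also expects to use for a passive data connection.
pasv_range_ok() {
    pmin=$1; pmax=$2; emin=$3; emax=$4
    [ "$pmin" -ge 1024 ] && [ "$pmin" -le "$pmax" ] && [ "$pmax" -le 65535 ] || return 1
    # The ranges are disjoint when one ends before the other begins.
    if [ "$pmax" -lt "$emin" ] || [ "$pmin" -gt "$emax" ]; then
        return 0
    fi
    return 1
}

# Read pasv_min_port / pasv_max_port from a vsftpd.conf file and print
# them as "min max" (0 for a missing key, so the caller's check fails).
read_pasv_range() {
    conf=$1
    pmin=$(sed -n 's/^pasv_min_port=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    pmax=$(sed -n 's/^pasv_max_port=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    echo "${pmin:-0} ${pmax:-0}"
}

# Print the iptables commands for a stateful FTP policy. Only the control
# port is opened for NEW connections; passive data connections arrive as
# RELATED once the ip_conntrack_ftp helper has parsed the PASV reply, so
# no high-port range is opened blindly. Other new TCP connections are
# logged and dropped.
ftp_rules() {
    ifc=${1:-eth0}
    cat <<EOF
iptables -A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ifc -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $ifc -p tcp -m state --state NEW -j LOG --log-prefix "ftp-drop: "
iptables -A INPUT -i $ifc -p tcp -m state --state NEW -j DROP
EOF
}

# Sample usage with the values from the thread: passive 59000-59999,
# ephemeral 60000-65535.
if pasv_range_ok 59000 59999 60000 65535; then
    echo "passive range 59000-59999 is disjoint from ephemeral range 60000-65535"
fi
ftp_rules eth0
```

The ruleset assumes the helper is loaded (on the Fedora Core of the time, by listing ip_conntrack_ftp in IPTABLES_MODULES in /etc/sysconfig/iptables-config, as Alexander notes); without it the RELATED match never fires for the data connection and passive transfers hang after the PASV reply, which is the symptom to check first.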