Any danger from these ports?

Kyrre Ness Sjobak kyrre at solution-forge.net
Sat Jan 15 21:12:22 UTC 2005


Bug created.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145242

On Thu, 13.01.2005 at 01.03, Alexander Dalloz wrote:
> On Wed, 12.01.2005 at 17:03, Charles R. Anderson wrote:
> 
> > Passive FTP listens on random local ephemeral ports for data
> > connections set up by the 21/tcp control stream.  If you are not using
> > a stateful firewall with a FTP helper, then you need to allow incoming
> > TCP connections to whatever range your FTP server uses for passive FTP
> > (defaults to the entire local port range).  This is why I have always
> > set up my FTP server similar to this (older box using ipchains):
> > 
> > /etc/sysctl.conf:
> > net.ipv4.ip_local_port_range = 60000 65535
> > 
> > /etc/vsftpd.conf:
> > pasv_min_port=59000
> > pasv_max_port=59999
> > 
> > /etc/sysconfig/ipchains:
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
> > -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY
> 
> It is much better to use the ip_conntrack_ftp iptables helper module and the
> stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to
> "blindly" open a range of high ports. Why use ipchains, which is not
> stateful, when you have iptables?
> This can easily be done with the default Fedora Core iptables rules by adding
> ip_conntrack_ftp to IPTABLES_MODULES="" in
> /etc/sysconfig/iptables-config.
> 
> Alexander
> 
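Charles' three fragments only work because they agree with each other: the passive range has to sit inside what the firewall accepts, and it must not overlap the kernel's ephemeral range, otherwise outbound connections from the box can grab ports vsftpd is about to hand to a client. The following check is an added example, not code from the thread; it runs over constructed copies of the quoted fragments, and the helper names are my own.

```python
import re

# Constructed copies of the three fragments quoted in the thread.
SYSCTL = "net.ipv4.ip_local_port_range = 60000 65535\n"
VSFTPD = "pasv_min_port=59000\npasv_max_port=59999\n"
IPCHAINS = """\
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY
"""

def ephemeral_range(sysctl):
    """Kernel range used for outbound (ephemeral) source ports."""
    m = re.search(r"ip_local_port_range\s*=\s*(\d+)\s+(\d+)", sysctl)
    return int(m.group(1)), int(m.group(2))

def pasv_range(vsftpd):
    """Ports vsftpd advertises for passive-mode data connections."""
    conf = dict(re.findall(r"^(\w+)=(\d+)$", vsftpd, re.M))
    return int(conf["pasv_min_port"]), int(conf["pasv_max_port"])

def accepted_tcp_ranges(ipchains):
    """Destination port ranges ipchains ACCEPTs for inbound TCP (-p 6)."""
    ranges = []
    for line in ipchains.splitlines():
        m = re.search(r"\s(\d+):(\d+)\s+-p\s+6\b.*-j ACCEPT", line)
        if m:
            ranges.append((int(m.group(1)), int(m.group(2))))
    return ranges

def check_pasv_setup(sysctl, vsftpd, ipchains):
    """Return a list of problems; an empty list means the files agree."""
    lo, hi = pasv_range(vsftpd)
    elo, ehi = ephemeral_range(sysctl)
    accepted = accepted_tcp_ranges(ipchains)
    problems = []
    if lo > hi:
        problems.append("pasv_min_port above pasv_max_port")
    # Passive data ports must not collide with the outbound ephemeral range.
    if lo <= ehi and hi >= elo:
        problems.append("passive range overlaps ip_local_port_range")
    # Every passive port must be reachable through a single ACCEPT rule.
    if not any(a <= lo and hi <= b for a, b in accepted):
        problems.append("firewall does not accept the whole passive range")
    # Anything accepted beyond 21/tcp and the passive range is blindly open.
    for a, b in accepted:
        if (a, b) != (21, 21) and not (lo <= a and b <= hi):
            problems.append(f"unexpected open range {a}:{b}")
    return problems
```

With the conntrack-helper approach Alexander recommends, the passive range still must not overlap the ephemeral range, but the ACCEPT rule for it disappears, since RELATED matching admits only the data connection the control channel announced.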