New IPFW Setup.
asym at rfnj.org
Wed Dec 29 04:32:20 PST 2004
At 07:02 12/29/2004, Grant Peel wrote:
>00170 allow tcp from any to any 1024-65534 in setup # ftp ports. Seems
>to negate a lot of the firewall ???
>Of special concern to me is line 170 ... added to allow ftp. Any ideas here?
You have two options here if you really need FTP, more otherwise.
1. Configure your FTP server to only listen on a limited port range such as
5000-5100. Keep in mind you don't need a lot of ports -- in fact you only
need enough to cover the maximum number of connections you allow
simultaneously from a single host. Clients with different IP addresses can
connect to the same port, or at least, they should be able to in a
reasonable ftpd. I haven't tested any ftpds to see if this is the case; if
it isn't in your ftpd of choice, then you want enough ports for the total
number of simultaneous connections you allow.
2. Use natd which supports ipfw "punch through." This will punch holes in
your ipfw rules, adding things like "allow tcp from a.b.c.d to w.x.y.z
port" for the duration of the ftp data session, and remove them when the
connection dies. Read the natd page for more information on this.
3. Force your ftpd to use passive mode. This will cause it to not work for
clients behind firewalls that aren't ftp protocol aware.
#1 is the generally implemented option and is fairly secure.
If you don't really need ftp, and I hope you don't, there are many other
ways to share files on a machine that are more firewall friendly.
1. http GET for downloads, http POST for uploads, htaccess for
user/passwords, etc. Apache can pretty much replace any ftp server without
too much work involved, though there is a limit to how much data can be posted.
2. scp/sftp. These use ssh to copy files. They are significantly slower
than ftp due to the encryption overhead, but they only require the ssh port
to be open.
3. samba. Only 1-2 ports required, no passwd entries needed as with
scp/sftp, and no file size limits as with http. Any windows client will be
able to natively access the machine, provided the client ports are not
blocked, which many ISPs do these days. Other systems can use samba,
4. cvs. Better than samba, though it'll take a while to set up, there's no
reason you can't use cvs as a fileserver. Only requires one port, has
access controls built in, and the versioning/rollback features may be
useful to you depending on your needs.
5. nfs and a whole host of other options that I don't have the time or
energy to get into.
If you insist on using ftp itself, do yourself a favor and use something
like proftpd unless you like screwing around with pam and/or having
ftp-only users in your passwd file, with the associated folderol that goes
along with this. I mention proftpd because it's what I use when I need a
for-real ftp server. It's in ports.
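An added example, not part of asym's reply: a shell fragment for option 1 above, replacing the wide "1024-65534" rule 170 with one that covers only the passive range the ftpd actually uses, sized to the number of simultaneous connections allowed. It assumes proftpd (its PassivePorts and MaxInstances directives) and ipfw's `me` keyword for the server's own addresses; the 5000 base, the 100-connection figure and rule numbers 160/170 are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original post). Set IPFW=echo to print
# the rules instead of loading them, e.g.:  IPFW=echo ftp_rules 5000 100
IPFW=${IPFW:-/sbin/ipfw}

# Smallest passive range starting at BASE that still covers MAX
# simultaneous data connections. Prints "first last".
passive_range() {
    base=$1; max=$2
    last=$((base + max - 1))
    [ "$last" -le 65534 ] || { echo "range exceeds port space" >&2; return 1; }
    echo "$base $last"
}

# ipfw rules for the FTP control port and the passive range.
# Rule 170 replaces "allow tcp from any to any 1024-65534 in setup".
# "me" (assumed here) matches the host's own addresses, not "any".
ftp_rules() {
    range=$(passive_range "$1" "$2") || return 1
    first=${range% *}; last=${range#* }
    $IPFW add 160 allow tcp from any to me 21 in setup
    $IPFW add 170 allow tcp from any to me "$first-$last" in setup
}

# Matching proftpd.conf fragment so the server never hands a client a
# data port outside what rule 170 permits.
proftpd_fragment() {
    base=$1; max=$2
    range=$(passive_range "$base" "$max") || return 1
    printf 'MaxInstances %s\nPassivePorts %s\n' "$max" "$range"
}
```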