New IPFW Setup.

asym asym at
Wed Dec 29 04:32:20 PST 2004

At 07:02 12/29/2004, Grant Peel wrote:


>00170 allow tcp from any to any 1024-65534 in setup     # ftp ports. Seems 
>to negate alot of the firewall ???
>Of special concern to me is line 170 ... added to allow ftp. Any ideas here?

You have two options here if you really need FTP, more otherwise.

1. Configure your FTP server to only listen on a limited port range such as 
5000-5100.  Keep in mind you don't need a lot of ports -- in fact you only 
need enough to cover the maximum number of connections you allow 
simultaneously from a single host.  Clients with different IP addresses can 
connect to the same port, or at least, they should be able to in a 
reasonable ftpd.  I haven't tested any ftpds to see if this is the case, if 
it isn't in your ftpd of choice, then you want enough ports for the total 
number of simultaneous connections you allow.

2. Use natd which supports ipfw "punch through."  This will punch holes in 
your ipfw rules, adding things like "allow tcp from a.b.c.d to w.x.y.z 
port" for the duration of the ftp data session, and remove them when the 
connection dies.  Read the natd page for more information on this.

3. Force your ftpd to use passive mode.  This will cause it to not work for 
clients behind firewalls that aren't ftp protocol aware.

#1 is the generally implemented option and is fairly secure.

If you don't really need ftp, and I hope you don't, there are many other 
ways to share files on a machine that are more firewall friendly.

1. http GET for downloads, http POST for uploads, htaccess for 
user/passwords, etc.  Apache can pretty much replace any ftp server without 
too much work involved, though there is a limit to how much data can be posted.

2. scp/sftp.  These use ssh to copy files.  They are significantly slower 
than ftp due to the encryption overhead, but they only require the ssh port 
to be open.

3. samba.  Only 1-2 ports required, no passwd entries needed as with 
scp/sftp, and no file size limits as with http.  Any windows client will be 
able to natively access the machine, provided the client ports are not 
blocked, which many ISPs do these days.  Other systems can use samba, 
smbfs, etc.

4. cvs.  Better than samba, though it'll take a while to setup, there's no 
reason you can't use cvs as a fileserver.  Only requires one port, has 
access controls built in, and the versioning/rollback features may be 
useful to you depending on your needs.

5. nfs and a whole host of other options that I don't have the time or 
energy to get into.

If you insist on using ftp itself, do yourself a favor and use something 
like proftpd unless you like screwing around with pam and/or having 
ftp-only users in your passwd file, with the associated folderol that goes 
along with this.  I mention proftpd because it's what I use when I need a 
for-real ftp server.  It's in ports. 

More information about the freebsd-ipfw mailing list