Re: firewall

From: Martijn Lina (martijn@medialab.lostboys.nl)
Date: 10/11/01


Date: Thu, 11 Oct 2001 17:52:08 +0200
From: Martijn Lina <martijn@medialab.lostboys.nl>
To: Peter Pentchev <roam@ringlet.net>


Once upon a 11-10-2001, Peter Pentchev hit keys in the following order:
>
> I believe that they are discussing the case of a server being NAT'd.
> In that case, the NAT machine has to allow for connections to ports > 1024
> on the server to allow PASV FTP to work.

Depends on which ftp daemon you're using. The default FreeBSD ftpd only opens a
smaller port range than just everything above 1024, according to the man page:

"In previous versions of ftpd, when a passive mode client requested a data
connection to the server, the server would use data ports in the range
1024..4999. Now, by default, the server will use data ports in the range
49152..65535."

It would be nice if the range could actually be specified through options. My
NAT just portmaps to ports below 49152, which gives me enough simultaneous
connections through NAT. Would it be a good solution to redirect the passive
ftp port range directly to the box running ftpd (or to an IP alias in a jail, in
my home situation) with NAT and drop all connections above 49151 to other ip#s?

martijn



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
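The thread above turns on two numbers: the port a PASV reply advertises, and whether the NAT in front of ftpd forwards that port to the right box. The following Python is an added example, not code from the list post or from FreeBSD; it parses an RFC 959 `227` reply, computes the data port (`p1*256 + p2`), and checks it against the 49152..65535 default quoted from the ftpd man page and against an assumed NAT forwarding range. The sample replies, the `check_pasv` function and the constructed addresses are my own and are not taken from the message.

```python
import re

# FreeBSD ftpd's default passive data-port range, as quoted from the man page
# in the message above.
FTPD_PASV_RANGE = (49152, 65535)

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse a 227 PASV reply and return (host, port); raise ValueError on junk."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # high byte * 256 + low byte
    return host, port


def check_pasv(reply, control_host, nat_forwarded=FTPD_PASV_RANGE):
    """Decide whether the data connection a PASV reply asks for would get
    through a NAT that forwards only `nat_forwarded` to the ftpd host.

    Returns a dict with the parsed host/port, an `ok` flag and the list of
    problems found. Three things are checked:
      * the advertised host matches the control connection's host (a NATed
        server that does not rewrite the reply leaks its private address here);
      * the port lies in ftpd's default passive range;
      * the port lies in the range the NAT actually forwards to the server.
    """
    host, port = parse_pasv(reply)
    problems = []
    if host != control_host:
        problems.append("data host %s differs from control host %s"
                        % (host, control_host))
    lo, hi = FTPD_PASV_RANGE
    if not lo <= port <= hi:
        problems.append("port %d outside ftpd default range %d..%d"
                        % (port, lo, hi))
    flo, fhi = nat_forwarded
    if not flo <= port <= fhi:
        problems.append("port %d not forwarded by NAT (%d..%d)"
                        % (port, flo, fhi))
    return {"host": host, "port": port, "ok": not problems, "problems": problems}


# Constructed sample replies (hypothetical addresses, not from the message):
#   200*256 + 5   = 51205 -> inside the default range, forwarded
#   19*256 + 136  = 5000  -> the old 1024..4999-style range, not forwarded
#   10.0.0.5      -> server's private address leaked through an unrewriting NAT
SAMPLES = [
    ("227 Entering Passive Mode (192,0,2,10,200,5)", "192.0.2.10"),
    ("227 Entering Passive Mode (192,0,2,10,19,136)", "192.0.2.10"),
    ("227 Entering Passive Mode (10,0,0,5,200,5)", "192.0.2.10"),
]

if __name__ == "__main__":
    for reply, ctl in SAMPLES:
        result = check_pasv(reply, ctl)
        status = "ok" if result["ok"] else "; ".join(result["problems"])
        print("%-48s -> %s:%d  %s" % (reply, result["host"], result["port"], status))
```

The second sample is the case the poster is worried about: a daemon still handing out ports below 49152 would be unreachable if the NAT forwards only the default range to the ftpd box, so the forwarding rule and the daemon's range have to agree. The third sample shows why forwarding the port range alone is not always enough: if the NAT does not rewrite the address inside the reply, clients see the server's private address and the check flags it.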



