#9, 26th May 2009
DutchDaemon (Real Name: Ben)
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336

Yes on both counts. Stay inside the stated port range (49162:65535), but choose a smaller section of a few dozen ports or so (I don't know how many ftp sessions you plan to serve simultaneously). You can probably narrow things down a little further by only allowing incoming connections to ports 'owned' by the ftp user.

Something like:
Code:
pass in quick on $ext_if inet proto tcp all user ftp_user keep state
might work. Then you'd do this without opening holes in pf.conf. Replace 'ftp_user' with the user proftpd actually runs as.

P.S. I'm doing this from memory, so experiment a little, and consult 'man 5 pf.conf' for exact syntax.
P.P.S. Oh, and this is assuming proftpd runs on the same system as pf.conf!
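The two ideas in the post above (a narrowed passive range and matching on the socket owner) combined into one pf.conf fragment, as an added example rather than DutchDaemon's own rule set. Assumptions that are not in the post: the external interface is `em0`, the narrowed range is 49162:49200, proftpd's `PassivePorts` directive is set to that same range, and the unprivileged account proftpd drops to is `ftp` (check the `User` directive in proftpd.conf).

```conf
# Added example, not from the post. Every value below is an assumption
# you must adapt: interface name, chosen passive range, and the ftp user.
ext_if     = "em0"           # assumption: your external interface
ftp_user   = "ftp"           # assumption: the account proftpd runs as
pasv_ports = "49162:49200"   # a few dozen ports inside the 49162:65535 range

# Default-deny on the external interface; the rules below punch only
# the holes the ftp service needs.
block in log on $ext_if

# Control connection to the ftp daemon.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state

# Passive data connections: only the narrowed range, and only when the
# listening socket belongs to the ftp user. The "user" option matches the
# effective owner of the socket on this host, so proftpd must run locally.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $pasv_ports user $ftp_user keep state
```

The matching proftpd.conf line for the assumed range would be `PassivePorts 49162 49200`; keep the two ranges identical, otherwise data connections land on ports the firewall never opens. Check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm the owner of the passive listener with `sockstat -4l` while a transfer is in progress.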