22nd August 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands

ftp uses 2 separate connections:
  1. A command channel, where the ftp client uses port 21 as the destination port.

  2. A data channel, where in passive mode the ftp client uses a destination port >1023 as suggested by the ftp server.
    In active mode the server initiates this channel using source port 20, which usually is not liked and thus not allowed by most system administrators.

Since my house move I don't have access to an FBSD box, but in OpenBSD the ports suggested by the ftp server for passive ftp channels are set by the following sysctls:
Code:
net.inet.ip.portfirst=1024
net.inet.ip.portlast=49151
net.inet.ip.porthifirst=49152
net.inet.ip.porthilast=65535
Re: ftp-proxy

ftp-proxy needs to run on a dedicated pf firewall with 2 NICs. It can neither run on an ftp client box, nor on an ftp server box.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
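The passive-mode negotiation described in the post, as an added example that is not from the post or from OpenBSD's ftp-proxy: a small Python check of the kind a proxy or firewall makes before opening the data channel. It parses the server's 227 reply and compares the suggested port against the portfirst/portlast pair quoted above; the reply strings and addresses are constructed, and the range defaults are assumed to match the post's sysctl values.

```python
import re

# OpenBSD sysctl values quoted in the post, assumed unchanged on the server
# being checked: the range an ftp server draws passive data ports from.
PORTFIRST = 1024   # net.inet.ip.portfirst
PORTLAST = 49151   # net.inet.ip.portlast

# A PASV reply looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)":
# four address octets followed by the port as high byte and low byte.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def check_passive_data_port(reply, control_peer, port_range=(PORTFIRST, PORTLAST)):
    """Decide whether a firewall should open the suggested passive data port.

    control_peer is the server address the client already talks to on
    port 21; port_range is the (portfirst, portlast) pair the server's
    administrator configured.  Returns (allowed, reason).
    """
    try:
        host, port = parse_pasv(reply)
    except ValueError as err:
        return False, str(err)
    if host != control_peer:
        # Only open the data channel to the server on the command channel.
        return False, "PASV host %s is not the control peer %s" % (host, control_peer)
    if port <= 1023:
        # The post's rule: passive data ports are >1023.
        return False, "port %d is not >1023" % port
    lo, hi = port_range
    if not lo <= port <= hi:
        return False, "port %d outside portfirst..portlast %d..%d" % (port, lo, hi)
    return True, "open %s:%d for the data channel" % (host, port)


if __name__ == "__main__":
    # Constructed sample reply and peer address (RFC 5737 documentation range).
    print(check_passive_data_port("227 Entering Passive Mode (192,0,2,10,19,136)", "192.0.2.10"))
```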