DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 26th May 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default net.inet.ip.portrange.*

Hello, i need to apply the following to get passive ftp working:

Edit The Ephemeral Port Range
Code:
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
How is this best achieved?

At first i thought i would edit pf.conf but having done a google it comes under 'Tuning kernel limits' so would need to edit /etc/sysctl.conf

many thanks
Reply With Quote
  #2   (View Single Post)  
Old 26th May 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default

Hello, ok i edited /etc/sysctl.conf and added

Code:
net.inet.ip.portrange.first=49152
net.inet.ip.portrange.last=5535
I have not reboot yet and output of sysctl shows

Code:
sysctl -a | fgrep net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
Reply With Quote
  #3   (View Single Post)  
Old 26th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

I think you're still on the default settings ... so no need to change, really. These are my unaltered values anyway:
Code:
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
By the way: you don't have to reboot FreeBSD for just about anything. Applying a new sysctl.conf is done like this
Code:
/etc/rc.d/sysctl restart
Anyway: like I said: the values you're using are already the defaults.
Reply With Quote
  #4   (View Single Post)  
Old 26th May 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default

Thanks for reply, i added the lines in /etc/sysctl.conf just to make sure

Code:
net.inet.ip.portrange.first=49152
net.inet.ip.portrange.last=65535


restarted sysctl and got same output

Code:
sysctl -a | fgrep net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 5535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
still problems with ftp, do i need to add these to pf.conf?

cheers
Reply With Quote
  #5   (View Single Post)  
Old 26th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Ftp client or FTP server? In other words: incoming or outgoing FTP requests?
Reply With Quote
  #6   (View Single Post)  
Old 26th May 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default

Quote:
Originally Posted by DutchDaemon View Post
Ftp client or FTP server? In other words: incoming or outgoing FTP requests?
using proftpd server and problem occurs with many clients, gftp, fireftp etc.

I have managed to connect using passive OFF mode but other are having issues, i can't connect in passive mode at all.

proftpd logs show connection is made but then dropped.

here are logs from gftp using passive mode connection.

Code:
Looking up web.domain.net
Trying web.domain.net:21
Connected to web.domain.net:21
220 ProFTPD 1.3.2rc3 Server (85.234.151.16) [85.234.151.16]
USER user1

331 Password required for user1
PASS xxxx
230 User user1 logged in
SYST

215 UNIX Type: L8
TYPE I

200 Type set to I
PWD

257 "/" is the current directory
Loading directory listing / from server (LC_TIME=en_GB.UTF-8)
PASV

227 Entering Passive Mode (85,234,151,16,240,147).
Cannot create a data connection: Connection refused
Disconnecting from site web.domain.net
cheers
Reply With Quote
  #7   (View Single Post)  
Old 26th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

You can try

Code:
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49162:65535 flags S/SA keep state
If at all possible I would limit the passive portrange used by ProFTPd as much as possible to cut down on the number of open ports allowed direct access from the outside. Maybe opening 10-20 ports is enough. Adjust pf.conf to that smaller port range. Do not adjust the sysctl settings to a lower port range, because they apply to all programs opening high ports, and you may run out of them.
Reply With Quote
  #8   (View Single Post)  
Old 26th May 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default

Quote:
Originally Posted by DutchDaemon View Post
You can try

Code:
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49162:65535 flags S/SA keep state
End you mean put this in pf.conf and if so to reduce ports i would just adjust port number to achieve this?

many thanks
Reply With Quote
  #9   (View Single Post)  
Old 26th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Yes on both counts. Stay inside the stated port range (49162:65535), but choose a smaller section of a few dozen ports or so (I don't know how many ftp sessions you plan to serve simultaneously). You can probably narrow things down a little further by only allowing incoming connections to ports 'owned' by the ftp user.

Something like:
Code:
pass in quick on $ext_if inet proto tcp all user ftp_user keep state
might work. Then you'd do this without opening holes in pf.conf. Replace 'ftp_user' with the user proftpd actually runs as.

P.S. I'm doing this from memory, so experiment a little, and consult 'man 5 pf.conf' for exact syntax.
P.P.S: Oh, and this is assuming proftpd runs on the same system as pf.conf!
Reply With Quote
Old 27th May 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default

DutchDaemon thanks for replies, i added

Code:
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49162:65535 flags S/SA keep state
and this worked fine, i may reduce port numbers and see how that goes.

cheers
Reply With Quote
Old 27th May 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Good, but do look into the 'ports owned by ftp_user' option, because it will narrow down the number of exposed ports to a minimum.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:08 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick