FreeBSD General: other questions regarding FreeBSD which do not fit in any of the categories below.
net.inet.ip.portrange.*
Hello, I need to apply the following to get passive FTP working:
Edit the ephemeral port range
Code:
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
At first I thought I would edit pf.conf, but having done a Google search it comes under 'Tuning kernel limits', so I would need to edit /etc/sysctl.conf. Many thanks.
Hello, OK, I edited /etc/sysctl.conf and added
Code:
net.inet.ip.portrange.first=49152
net.inet.ip.portrange.last=5535
Code:
sysctl -a | fgrep net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
Thanks for the reply. I added the lines in /etc/sysctl.conf just to make sure:
Code:
net.inet.ip.portrange.first=49152
net.inet.ip.portrange.last=65535
Restarted sysctl and got the same output:
Code:
sysctl -a | fgrep net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 5535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
Cheers
Quote:
I have managed to connect using passive OFF mode, but others are having issues; I can't connect in passive mode at all. proftpd logs show the connection is made but then dropped. Here are the logs from gftp using a passive mode connection.
Code:
Looking up web.domain.net
Trying web.domain.net:21
Connected to web.domain.net:21
220 ProFTPD 1.3.2rc3 Server (85.234.151.16) [85.234.151.16]
USER user1
331 Password required for user1
PASS xxxx
230 User user1 logged in
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I
PWD
257 "/" is the current directory
Loading directory listing / from server (LC_TIME=en_GB.UTF-8)
PASV
227 Entering Passive Mode (85,234,151,16,240,147).
Cannot create a data connection: Connection refused
Disconnecting from site web.domain.net
You can try
Code:
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49162:65535 flags S/SA keep state
Quote:
many thanks
Yes on both counts. Stay inside the stated port range (49162:65535), but choose a smaller section of a few dozen ports or so (I don't know how many ftp sessions you plan to serve simultaneously). You can probably narrow things down a little further by only allowing incoming connections to ports 'owned' by the ftp user.
Something like:
Code:
pass in quick on $ext_if inet proto tcp all user ftp_user keep state
P.S. I'm doing this from memory, so experiment a little, and consult 'man 5 pf.conf' for exact syntax.
P.P.S. Oh, and this is assuming proftpd runs on the same system as pf.conf!
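A small audit script, added here as an example (it is not from the thread, from FreeBSD or from pf), that catches the two things that can go wrong in the posts above: an /etc/sysctl.conf value that does not match what the running kernel reports (the last=5535 typo gives an unusable range), and a pf pass rule whose port range (49162:65535) does not cover every port the kernel may hand out to PASV data connections. The sysctl.conf lines, the sysctl output and the pf rule are constructed samples embedded in the script; on a real host you would feed it /etc/sysctl.conf, the output of `sysctl net.inet.ip.portrange`, and the rule from pf.conf.

```shell
#!/bin/sh
# Constructed sample input (not real system output): the thread's sysctl.conf
# typo (last=5535), the matching "sysctl -a" lines, and the suggested pf rule.
SYSCTL_CONF='net.inet.ip.portrange.first=49152
net.inet.ip.portrange.last=5535'
SYSCTL_OUT='net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 5535
net.inet.ip.portrange.first: 49152'
PF_RULE='pass in quick on $ext_if inet proto tcp from any to $ext_if port 49162:65535 flags S/SA keep state'

# get_value KEY TEXT: print KEY's value from "key=val" (sysctl.conf) or
# "key: val" (sysctl -a) lines; the full-key match keeps "last" from hitting "hilast".
get_value() {
  printf '%s\n' "$2" | awk -v k="$1" '{
    split($0, kv, /[=:][ \t]*/); if (kv[1] == k) { print kv[2]; exit } }'
}

# check_range FIRST LAST: "ok" if the pair is a usable ephemeral range,
# otherwise the reason (the 5535 typo fails as "first >= last").
check_range() {
  if [ "$1" -lt 1024 ] || [ "$2" -gt 65535 ]; then echo "out of bounds"; return 1; fi
  if [ "$1" -ge "$2" ]; then echo "first >= last"; return 1; fi
  echo ok
}

# pf_covers RULE FIRST LAST: succeed only if the "port A:B" range in the pf
# rule contains every port the kernel may hand out for PASV data connections.
pf_covers() {
  pf=$(printf '%s\n' "$1" | sed -n 's/.*port \([0-9]*\):\([0-9]*\).*/\1 \2/p')
  [ -n "$pf" ] || return 1                  # rule carries no A:B port range
  set -- $pf "$2" "$3"                      # pf_first pf_last eph_first eph_last
  [ "$1" -le "$3" ] && [ "$2" -ge "$4" ]
}

# audit: compare configured and running values, then sanity-check the range.
audit() {
  for key in first last; do
    want=$(get_value "net.inet.ip.portrange.$key" "$SYSCTL_CONF")
    have=$(get_value "net.inet.ip.portrange.$key" "$SYSCTL_OUT")
    [ "$want" = "$have" ] || echo "MISMATCH $key: conf=$want running=$have"
  done
  first=$(get_value net.inet.ip.portrange.first "$SYSCTL_OUT")
  last=$(get_value net.inet.ip.portrange.last "$SYSCTL_OUT")
  echo "ephemeral range $first-$last: $(check_range "$first" "$last")"
  pf_covers "$PF_RULE" "$first" "$last" && echo "pf rule covers the range" \
    || echo "pf rule does not cover $first-$last"
}
audit
```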
DutchDaemon, thanks for the replies. I added
Code:
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49162:65535 flags S/SA keep state
Cheers