
How to configure the packetfilter?

Status
Not open for further replies.

Trooty

IS-IT--Management
Jan 17, 2003
NL
Hi, I'm running the proftpd FTP server on Linux. How do I set up the packet filter on my firewall in a secure manner, but without problems with hosts on the internet being unable to connect? In the docs on the firewall they say that the server always tries to set up a passive data connection, so that can be a port range on the server side from 49152 - 65534. This is quite a big range to allow from all hosts on the internet. I can, however, configure that an acknowledge bit needs to be in incoming packets. But I don't really know how those connections are set up, whether it's the hosts or the server that starts the passive connection. Thanks.
 
For starters, look at the documentation section at Get familiar with iptables.

Couple of points to pay particular attention to . . .

Enable connection tracking. You can either load as a module, or compile into the kernel. Loading the module doesn't require recompiling the kernel, but it is generally accepted that compiling the kernel is slightly more secure. You will also need to add support for the FTP module.

You will only need to open ports 20 & 21. Anyone connecting to your FTP server will make the initial connection on these ports; the other ports are negotiated and opened after the fact, and connection tracking will open these dynamically.

After you have looked at the docs, you may want to post future questions in forum54. The topic comes up there frequently.
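The ruleset the reply above describes, written out as an added example (not posted in the thread): only the FTP control port is opened to new connections, and the passive data connections land in the 49152 - 65534 range only as RELATED flows predicted by the FTP connection-tracking helper. It goes slightly beyond the 2003 thread by binding the helper explicitly in the raw table, which kernels from 4.7 onward require; the interface name is an assumption.

```shell
#!/bin/sh
# Emit (or apply) an iptables ruleset for a proftpd host. Assumption: the
# public interface is eth0; override with FTP_IF=... in the environment.
FTP_IF="${FTP_IF:-eth0}"

ftp_ruleset() {
  cat <<EOF
# FTP helper: ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on 2.6 and later
modprobe nf_conntrack_ftp || modprobe ip_conntrack_ftp
# Kernels >= 4.7 no longer auto-assign helpers: bind it to the control port
iptables -t raw -A PREROUTING -i $FTP_IF -p tcp --dport 21 -j CT --helper ftp
# Default deny inbound, loopback allowed
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Replies and helper-predicted PASV data connections arrive as ESTABLISHED,RELATED
# (older iptables spell this -m state --state ESTABLISHED,RELATED)
iptables -A INPUT -i $FTP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only port opened to NEW connections from the internet: FTP control (21)
iptables -A INPUT -i $FTP_IF -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j ACCEPT
# Active-mode data connections leave from the server's own port 20 and are
# covered by the default OUTPUT policy (ACCEPT); anything else inbound is dropped
EOF
}

# Count inbound ports opened to NEW connections; the whole point is that this is 1
new_ports_opened() {
  ftp_ruleset | grep -c -- '--ctstate NEW'
}

case "${1:-}" in
  apply) ftp_ruleset | sh ;;   # applies the rules, needs root
  *)     ftp_ruleset ;;        # dry run: just print the rules for review
esac
```

Verify after applying with `iptables -L INPUT -v -n` and an external passive-mode login: the data connection should show up as a RELATED match, not as a dropped packet on a high port.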
 
Thank you for the reply.

Will do. What in your opinion is the best way for FTP connections? PASV or PORT type connections?

I will have to look into Netfilter, since I am now using Winroute Pro on a Windows machine for NAT and packet filtering.
It's a Pentium I 90 MHz with 64 MB RAM. Do you think that, without X, it will cut it on such a PC configuration?
Also, I have to look into recompiling the kernel. I have been using Linux for only 2 months now.
 