Need advice with IPFW/Pure-FTP

[Sigfrido]

Hi!

I've got a problem using Pure-FTP (unfortunately I need it instead scp) with IPFW on FreeBSD 8.2: I'm not sure of my configuration, services are working regularly but I've got some concerns about security risks.

Type of connection: passive

I've settled the passive port range inside /usr/local/etc/pure-ftpd.conf:

# Port range for passive connections replies. - for firewalling.

PassivePortRange          49160 49170

Then I've enabled a specific ruleset for FTP connections in my ipfw.rules:

# FTP = TCP/21
$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 49160-49170 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state
$cmd 00085 allow tcp from me 49160-49170 to any out keep-state

Does it sound fine?

Are there some major issues with these rules according to my premise (= I can't replace Pure-FTP with scp)?

Any suggestion?

Thanks in advance

 

[plamaiziere]

Hi!

# FTP = TCP/21
$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 49160-49170 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state
$cmd 00085 allow tcp from me 49160-49170 to any out keep-state

Does it sound fine?

Yes. But you need to open the "portrange" only in incoming.
IMO (not sure) you should use a range into the "registered port range" (1024..49151), not the dynamic one.

Regards.

 

[Sigfrido]

Yes. But you need to open the "portrange" only in incoming.
IMO (not sure) you should use a range into the "registered port range" (1024..49151), not the dynamic one.

Regards.

so

# FTP = TCP/21
$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 49160-49170 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state

for portrange, any tech reference available? I've found only one recommendation to use non-privileged range (>= to 1024).

Any hint about the portrange width (to handle many simultaneous connections)?

Thanks!