Any danger from these ports?

Charles R. Anderson cra at WPI.EDU
Wed Jan 12 16:03:00 UTC 2005

On Wed, Jan 12, 2005 at 09:49:01AM -0600, Rodolfo J. Paiz wrote:
> On Wed, 2005-01-12 at 15:45 +0100, Kyrre Ness Sjobak wrote:
> > Hmm... Just thought I should mention it: when I switched on "allow FTP"
> > in system-config-network on a Fedora box a year ago, it did fail to open
> > ports for passive FTP...
> > 
> I'm not aware of there being any need to open additional ports for
> passive FTP. What do you mean?

Passive FTP listens on random local ephemeral ports for data
connections set up by the 21/tcp control stream.  If you are not using
a stateful firewall with an FTP helper, then you need to allow incoming
TCP connections to whatever range your FTP server uses for passive FTP
(defaults to the entire local port range).  This is why I have always
set up my FTP server similar to this (older box using ipchains):

# sysctl: keep the kernel's outbound ephemeral ports above the passive range
net.ipv4.ip_local_port_range = 60000 65535

# ipchains input chain, first match wins (addresses as given in the post)
# FTP control connection
-A input -i eth0 -s -d 21:21 -p 6 -j ACCEPT
# everything else below the passive range: deny and log
-A input -i eth0 -s -d 0:58999 -p 6 -l -j DENY
# passive FTP data ports the server is configured to use
-A input -i eth0 -s -d 59000:59999 -p 6 -j ACCEPT
# local ephemeral range: deny (and log) new inbound SYNs only, so replies
# to our own outbound connections still get through
-A input -i eth0 -s -d 60000:65535 -p 6 -y -l -j DENY
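To make the interaction between the passive port range and the rule set concrete, here is an added example that is not part of the post or of ipchains: a small Python model of the quoted input chain (port and SYN matching only, since the post elides the address arguments) plus a parser for the server's 227 PASV reply, so you can check whether a given passive data port would be accepted as a new inbound connection. The PASV replies are constructed sample input; the default policy of the chain is not shown in the post and is assumed to be ACCEPT.

```python
import re

# Constructed model of the ipchains "input" chain quoted above.
# Each rule: (dest port low, dest port high, SYN-only match, target).
RULES = [
    (21, 21, False, "ACCEPT"),        # FTP control
    (0, 58999, False, "DENY"),        # everything below the passive range
    (59000, 59999, False, "ACCEPT"),  # passive FTP data ports
    (60000, 65535, True, "DENY"),     # ephemeral range: new SYNs only
]

# Assumption: the chain's default policy (not shown in the post) is ACCEPT,
# which is what lets non-SYN replies to outbound connections through.
DEFAULT_POLICY = "ACCEPT"


def evaluate(dport: int, syn: bool) -> str:
    """Return the target for an inbound TCP segment; first matching rule wins,
    as in ipchains. A rule with the SYN-only flag (-y) matches only if the
    segment is a SYN (a new connection attempt)."""
    for lo, hi, syn_only, target in RULES:
        if lo <= dport <= hi and (syn or not syn_only):
            return target
    return DEFAULT_POLICY


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Extract (host, port) from a PASV reply; port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    if port > 65535:
        raise ValueError("port out of range: %d" % port)
    return host, port


def passive_data_allowed(reply: str) -> bool:
    """Would the client's SYN to the advertised data port get through?"""
    _, port = parse_pasv(reply)
    return evaluate(port, syn=True) == "ACCEPT"


def passive_range_ok(low: int, high: int) -> bool:
    """Check that a server's whole configured passive range is reachable,
    i.e. every port in it accepts a new inbound SYN."""
    return all(evaluate(p, syn=True) == "ACCEPT" for p in range(low, high + 1))


if __name__ == "__main__":
    # Constructed sample replies: one inside the accepted range, one from a
    # server whose passive range was left at the kernel default (>= 60000).
    for reply in ("227 Entering Passive Mode (192,0,2,10,232,118)",
                  "227 Entering Passive Mode (192,0,2,10,235,200)"):
        host, port = parse_pasv(reply)
        print(reply, "->", host, port, "allowed" if passive_data_allowed(reply) else "blocked")
    print("59000-59999 reachable:", passive_range_ok(59000, 59999))
    print("60000-60100 reachable:", passive_range_ok(60000, 60100))
```

The second sample reply is the failure mode the thread is about: a server that hands out passive ports from the kernel's ephemeral range collides with the last rule, so the data connection's SYN is logged and denied even though the control channel works fine. Pin the server's passive range (59000-59999 here) and keep ip_local_port_range above it, and the two never overlap.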
