Any danger from these ports?

Alexander Dalloz ad+lists at
Thu Jan 13 00:03:18 UTC 2005

On Wed, 12.01.2005 at 17:03, Charles R. Anderson wrote:

> Passive FTP listens on random local ephemeral ports for data
> connections set up by the 21/tcp control stream.  If you are not using
> a stateful firewall with a FTP helper, then you need to allow incoming
> TCP connections to whatever range your FTP server uses for passive FTP
> (defaults to the entire local port range).  This is why I have always
> set up my FTP server similar to this (older box using ipchains):
> /etc/sysctl.conf:
> net.ipv4.ip_local_port_range = 60000 65535
> /etc/vsftpd.conf:
> pasv_min_port=59000
> pasv_max_port=59999
> /etc/sysconfig/ipchains:
> -A input -i eth0 -s -d 21:21 -p 6 -j ACCEPT
> -A input -i eth0 -s -d 0:58999 -p 6 -l -j DENY
> -A input -i eth0 -s -d 59000:59999 -p 6 -j ACCEPT
> -A input -i eth0 -s -d 60000:65535 -p 6 -y -l -j DENY

It is much better to use the ip_conntrack_ftp iptables helper module and the
stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to
"blindly" open a range of high ports. Why use ipchains, which is not
stateful, when you have iptables?
This can easily be done with the default Fedora Core iptables rules by adding
ip_conntrack_ftp into IPTABLES_MODULES="" in


Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement:
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.10-1.8_FC2smp 
Serendipity 00:55:04 up 1 day, 23:05, load average: 0.98, 0.85, 0.71 
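The stateful alternative the reply recommends, written out as an added example (not code from either poster): a small POSIX sh script that emits an iptables rule set for an FTP server, relying on the FTP connection-tracking helper and the ESTABLISHED,RELATED state match so that only the control port 21 is opened statically. The interface name eth0 and the helper module name ip_conntrack_ftp are assumptions taken from the thread; the rules are printed for review rather than applied, so the script can be checked before piping it to sh on the real box.

```shell
#!/bin/sh
# Added example, not from the original thread: stateful iptables rules for an
# FTP server using the FTP connection-tracking helper instead of a statically
# opened passive-port range.
# Assumptions: interface eth0 (as in the quoted ipchains rules) and the helper
# module name ip_conntrack_ftp (the name used in the reply; on later kernels
# the module is nf_conntrack_ftp).

IFACE="${IFACE:-eth0}"
FTP_HELPER="${FTP_HELPER:-ip_conntrack_ftp}"

# Emit the rule set as text so it can be reviewed (or piped to sh) first.
# On Fedora Core, listing the helper in IPTABLES_MODULES has the same effect
# as the modprobe line below.
ftp_rules() {
    cat <<EOF
modprobe $FTP_HELPER
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Replies to our own traffic and the helper-tracked FTP data connections
# (passive and active) match by state, so no high-port range is opened.
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only statically open port is the FTP control channel; the helper
# watches this stream to learn which data connection to expect.
iptables -A INPUT -i $IFACE -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Any other new connection is logged, then dropped.
iptables -A INPUT -i $IFACE -m state --state NEW -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -i $IFACE -j DROP
EOF
}

# Sanity check for the property the reply cares about: succeed (exit 0) only
# if some rule still opens a static port range like 59000:59999.
has_static_high_range() {
    ftp_rules | grep -E -q -- '--dport [0-9]+:[0-9]+'
}

# Print the rule set when the script is run directly.
ftp_rules
```

Compared with the quoted ipchains rules, the range 59000:59999 disappears entirely: a passive data connection is accepted only when the helper has seen the matching PASV reply on the port 21 stream, so an unrelated connection to a high port is logged and dropped even though the FTP server may be listening there.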