David Elze wrote:
Well, I needed the exact same thing and did it with pure-ftpd[1] via the
command-line option "-p 50000:50400" and a pf.conf entry like "pass in
on $if tcp from any to $if port 50000:50400". Maybe this is an option
for you too.
Hello,
thanks for your feedback, David. And for yours too, Per-Olov.
But that's not exactly what I want; maybe my description has not been
clear enough, as in my first posting I had forgotten to mention what I
wrote a few minutes later in a short follow-up to my own text.
The scenario is the following one:
My intention is that I do not want to allow the ftp-daemon to offer all
so-called well-known ports as passive ports to the publicity which
accesses one of our public ftp servers.
The next point is that it is not only a very small range of ports (or in
the most extreme case: a single port) which shall be offered as
accessible, but the very small range of ports (or a single port) has to
change at regular short intervals so that in case a hacker or
person/software trying-to-intrude even if detecting an open port by
coincidence does not know which will be the next open port in the
shortest possible interval, as it (the next open port) is calculated by
random generation.
Both the ftp-daemon and pf have to know this very small range of ports
(or the single open port) and have to handle this.
The advantage is that even in case there are existing/running ftp
connections using open passive ports AND with beginning of the next
interval of generation another open passive port is propagated, the
open port(s) of the still running ftp connections are not lost as long
as the new pf rule is only loaded and the pf states are not flushed.
Meanwhile I have thought about it a bit more and written and tested a
script which does exactly that. As I am not sure whether it is of
interest, I want to ask if I shall post it here?
Have a nice day
Michael
--
Michael Schmidt MIRRORS:
DJGPP ftp://ftp.fh-koblenz.de/pub/DJGPP/
Ghostscript ftp://ftp.fh-koblenz.de/pub/Ghostscript/
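The rotation Michael describes (a small, randomly chosen passive-port window that both pure-ftpd and pf agree on, reloaded without flushing pf's state table) can be sketched as follows. This is an added example written for this thread, not Michael's own script and not part of pure-ftpd; it assumes an external interface named em0, a pf.conf that contains the line `anchor "ftp-pasv"` so that only that anchor is replaced on each rotation, and that the administrator restarts the pure-ftpd listener with the printed `-p` option (that step is only printed, not executed).

```shell
#!/bin/sh
# Added example: rotate a small passive-port window for pure-ftpd and load
# the matching pf rule into an anchor. Because only the anchor's rule set is
# replaced (pfctl -a ANCHOR -f -), the state table is not flushed and
# transfers already running on the previous window keep working.

WIDTH=${WIDTH:-4}            # number of passive ports offered; 1 = single port
EXT_IF=${EXT_IF:-em0}        # assumption: name of the public interface
ANCHOR=${ANCHOR:-ftp-pasv}   # assumption: pf.conf carries  anchor "ftp-pasv"

# pick_low WIDTH: random start of a WIDTH-port window inside the dynamic
# range 49152-65535, so no well-known or registered port is ever offered.
pick_low() {
    width=$1
    span=$((65535 - 49152 - width + 1))
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $((49152 + r % span))
}

# make_rule IF LOW HIGH: the pf rule text that opens exactly that window
# (a single port is written as "port N" rather than "port N:N").
make_rule() {
    if [ "$2" -eq "$3" ]; then port=$2; else port="$2:$3"; fi
    printf 'pass in on %s proto tcp from any to %s port %s\n' "$1" "$1" "$port"
}

# rotate: choose a new window, load it into the anchor, and print the
# pure-ftpd option the listener must be restarted with (assumed manual step).
rotate() {
    low=$(pick_low "$WIDTH")
    high=$((low + WIDTH - 1))
    make_rule "$EXT_IF" "$low" "$high" | pfctl -a "$ANCHOR" -f - || return 1
    echo "pf anchor $ANCHOR now: $(make_rule "$EXT_IF" "$low" "$high")"
    echo "restart pure-ftpd with: -p $low:$high"
}

# Run from cron at the chosen interval:  sh rotate-pasv.sh rotate
case "${1:-}" in
    rotate) rotate ;;
esac
```

Loading into an anchor rather than the main rule set is what preserves the open ports of running sessions: `pfctl -f` on the full pf.conf would also only replace rules, but the anchor keeps the rotating rule isolated from the rest of the policy and avoids touching anything else by mistake. Verify with `pfctl -a ftp-pasv -sr` after a rotation.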