On Wed, Mar 29, 2006 at 12:08:04PM +0200, Michael Schmidt wrote:
> David Elze wrote:
> 
> >Well, I needed the exact same thing and did it with pure-ftpd[1] via the
> >command-line option "-p 50000:50400" and an pf.conf entry like "pass in
> >on $if tcp from any to $if port 50000:50400". Maybe this is an option
> >for you too.
> 
> Hello,
> 
> thanks for your feedback, David. And for yours too, Per-Olov.
> But that's not exactly what I want; maybe my description has not been 
> clear enough, as in my first posting I had forgotten to mention what I 
> wrote a few minutes later in a short follow-up to my own text.
> 
> The scenario is the following one:
> 
> My intention is that I do not want to allow the ftp-daemon to offer all 
> so-called well-known ports as passive ports to the publicity which 
> accesses one of our public ftp servers.
> 
> The next point is that it is not only a very small range of ports (or in 
> the most extreme case: a single port) which shall be offered as 
> accessible, but the very small range of ports (or a single port) has to 
> change at regular short intervals, so that a hacker or intruding 
> person/software, even if detecting an open port by coincidence, does not 
> know which will be the next open port in the shortest possible interval, 
> as it (the next open port) is calculated by random generation.
> 
> Both the ftp-daemon and pf have to know this very small range of ports 
> (or the single open port) and have to handle this.
> The advantage is that even in case there are existing/running ftp 
> connections using open passive ports AND with the beginning of the next 
> interval of generation another open passive port is propagated, the 
> open port(s) of the still running ftp connections are not lost as long 
> as the new pf rule is only loaded and the pf states are not flushed.
> 
> Meanwhile I have thought about it a bit more and written and tested a 
> script which does exactly that. As I am not sure whether it is of 
> interest, I want to ask if I shall post it here?
> 
> Have a nice day
> Michael
> 
> -- 
> Michael Schmidt     MIRRORS:
> DJGPP               ftp://ftp.fh-koblenz.de/pub/DJGPP/
> Ghostscript         ftp://ftp.fh-koblenz.de/pub/Ghostscript/
> 

I think this portrange thing and writing scripts is not needed. These
rules should be enough for anonymous ftp (if you used the OpenBSD ftpd
and set it up like described in the manpage):

pass in on $ext_if proto tcp ... port ftp keep state
pass in on $ext_if proto tcp ... port > 49151 user ftp keep state

It should also work with multiple users (using groups), but I didn't try
it.

Tobias

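As an added example, not Michael's script (which he has not posted) and not anything from the OpenBSD project, the following sh script sketches the rotation Michael describes above: pick a small random block of high ports, render a pf rule for it, and load that rule into its own anchor so the states of transfers still using the previous block survive. The interface name em0, the anchor name ftp-pasv and the block size are placeholders chosen for this example; the ftp daemon must be told the same block (for instance pure-ftpd's -p start:end from David's message), which this script leaves to the daemon's own configuration.

```shell
#!/bin/sh
# Added example, not Michael's script. Rotates the pf side of a small
# passive-port block without flushing pf states.
# Assumptions: pf.conf carries  anchor "ftp-pasv"  for the external
# interface em0; both names are placeholders for this example.
EXT_IF=em0
ANCHOR=ftp-pasv
LOW=49152        # first port above the IANA registered range
HIGH=65535
WIDTH=16         # size of the block offered to clients

# Random start port such that start..start+WIDTH-1 stays within LOW..HIGH.
# Reads /dev/urandom rather than the shell's $RANDOM so the next block is
# not predictable from the previous one.
pick_start() {
    span=$(( HIGH - LOW - WIDTH + 2 ))
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( LOW + r % span ))
}

# Returns 0 when $1 is a start port this script could have chosen, 1 otherwise.
valid_start() {
    [ "$1" -ge "$LOW" ] && [ $(( $1 + WIDTH - 1 )) -le "$HIGH" ]
}

# pf rule text for the block starting at $1: only this block is reachable
# from outside, and "keep state" lets transfers in progress survive the
# next rotation because only the anchor is reloaded, not the state table.
render_rule() {
    end=$(( $1 + WIDTH - 1 ))
    printf 'pass in on %s proto tcp from any to (%s) port %d:%d keep state\n' \
        "$EXT_IF" "$EXT_IF" "$1" "$end"
}

# Replace the anchor's rules; pfctl -f - reads them from stdin. Nothing
# here flushes states (pfctl -F states), which is the whole point.
load_rule() {
    render_rule "$1" | pfctl -a "$ANCHOR" -f -
}

# Rotate once when called as "rotate"; run from cron at the chosen interval.
if [ "${1:-}" = rotate ]; then
    start=$(pick_start)
    load_rule "$start"
    echo "passive block is now $start:$(( start + WIDTH - 1 ))"
fi
```

Tobias's rules are the simpler alternative when the daemon runs as its own user: pf's "user ftp" option matches on the owner of the local socket, so the passive data ports need no rotation at all, only a range above the registered ports.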