[Firehol-support] ftp passiveports

Costa Tsaousis costa at tsaousis.gr
Fri Feb 4 19:41:19 GMT 2005


FireHOL automatically selects (for passive FTP):

1. DEFAULT_CLIENT_PORTS (by default set to 1024:65535) if the ports used
refer to a remote host.

2. LOCAL_CLIENT_PORTS (probed by kernel config, most linux kernels set
this to 32768:65000) if the ports used refer to a local host.

In all cases, FireHOL allows passive FTP as with state RELATED, meaning
that the iptables connection tracker has successfully intercepted a
passive ftp connection.

As of v1.226, you cannot change this behaviour. You can of course overload
the service definition. Check the manual for this.


> In proftpd.conf I insert the line
>       PassivePorts  25400 29999
> then firehol dont allow passive ftp-transfer from a client.
> Active mode is working OK.
> When I skip the line PassivePorts 25400 29999 in proftpd.conf then passive
> mode is working fine.
> The ftp-server is invoked via xinetd
> Is there any firehol-parameters to setup which ports are passive ftp
> ports.
> regards, Klavs

More information about the Firehol-support mailing list