How to set the passive port range of ftpd?
I am using ftpd on a freshly installed FreeBSD machine. (A Raspberry Pi, but I do not think that matters for this question). Unfortunately this server is behind a router so I need to put port forwards, which is fine, I know how to do this. The problem is that I have no way of knowing which port the server will pick for its passive connections. Also, the man page for ftpd does not give me an idea on how to limit the range for passive ports.
How do I limit the port range used by ftpd as passive ports? For example set it to 50100 - 50200.
ftp freebsd
asked Feb 9 at 16:29
Bazzz
1 Answer
Looking at the FreeBSD ftpd source code, there is a "-U" (capital U) option that indirectly lets you control the range of data ports. This is documented in the FreeBSD ftpd man page. Once you've specified it on the command line of ftpd, you can control the port range by adjusting the system settings as described in the FreeBSD ip man page (scroll down to "IP_PORTRANGE" in the document to see the details on the net.inet.ip.portrange.first and net.inet.ip.portrange.last settings).
This is a system-wide setting, so it will affect any other programs on the server that also check for the IP_PORTRANGE settings before opening up a socket. This means other services might accidentally be allowed through your router because they're using the same port range allowed for ftpd. If ftpd is the only service on the Pi then this probably doesn't matter.
Another option is to install vsftpd, which according to this answer lets you specify the passive port range in vsftpd.conf. These settings only affect the vsftpd daemon, and won't change the behavior of anything else on the system.
edited Feb 10 at 16:08
answered Feb 9 at 20:28
Velo Traveler
Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?
– Bazzz
Feb 10 at 8:45
You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.
– Velo Traveler
Feb 10 at 16:18
Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.
– Bazzz
Feb 10 at 16:51
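The answer's caveat, that the port range sysctls are system-wide and other programs can end up listening on forwarded ports, can be checked on the host itself. The script below is an added example, not part of the original thread: it filters `sockstat -4 -l`-style output for listeners other than ftpd inside the forwarded range. The function name `foreign_listeners` and the sample socket table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): find listeners other than ftpd
# whose local port lies inside the range forwarded for FTP passive mode.

# Constructed sample in the column layout of `sockstat -4 -l` on FreeBSD.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       812   5  tcp4   *:21                  *:*
bazzz    ftpd       1440  6  tcp4   192.168.1.20:50117    *:*
root     sshd       700   4  tcp4   *:22                  *:*
www      python3.9  1502  3  tcp4   *:50150               *:*
ntpd     ntpd       655   21 udp4   *:123                 *:*
unbound  unbound    633   5  udp4   127.0.0.1:50199       *:*
root     nc         1700  3  tcp4   192.168.1.20:50200    *:*
nobody   transmissi 1611  9  tcp4   *:50201               *:*'

# foreign_listeners FIRST LAST [ALLOWED_COMMAND]
# Reads sockstat-style lines on stdin and prints "command pid proto local-address"
# for every socket in FIRST..LAST (inclusive) not owned by ALLOWED_COMMAND
# (default: ftpd). Returns 2 on a malformed range.
foreign_listeners() {
    fl_first=$1 fl_last=$2 fl_allowed=${3:-ftpd}
    for fl_v in "$fl_first" "$fl_last"; do
        case $fl_v in
            ''|*[!0-9]*) echo "port range must be two numbers" >&2; return 2 ;;
        esac
    done
    if [ "$fl_first" -gt "$fl_last" ]; then
        echo "first port is above last port" >&2
        return 2
    fi
    awk -v first="$fl_first" -v last="$fl_last" -v allowed="$fl_allowed" '
        $1 == "USER" || NF < 6 { next }      # header or short line
        $6 ~ /^127\./          { next }      # loopback: a port forward cannot reach it
        {
            n = split($6, part, ":")         # port is the last colon-separated field
            port = part[n]
            if (port !~ /^[0-9]+$/) next     # "*:*" and similar
            if (port + 0 < first + 0 || port + 0 > last + 0) next
            if ($2 == allowed) next          # the daemon the forward is meant for
            print $2, $3, $5, $6
        }'
}

# Offline run against the constructed sample, with the range from the question.
printf '%s\n' "$SAMPLE_SOCKSTAT" | foreign_listeners 50100 50200

# On the host, feed it live data and the sysctl pair you changed, for example:
#   sockstat -4 -l | foreign_listeners \
#       "$(sysctl -n net.inet.ip.portrange.hifirst)" \
#       "$(sysctl -n net.inet.ip.portrange.hilast)"
```

An empty result means only ftpd currently holds ports in the range. Sockets come and go, so the check is worth repeating after installing or starting any new service.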