How to set the passive port range of ftpd?












0















I am using ftpd on a freshly installed FreeBSD machine. (A raspberry pi, but I do not think that matters for this question). Unfortunately this server is behind a router so I need to put port forwards, which is fine, I know how to do this. The problem is that I have no way of knowing which port the server will pick for its passive connections. Also, the man page for ftpd does not give me an idea on how to limit the range for passive ports.



How do I limit the port range used by ftpd as passive ports? For example set it to 50100 - 50200.










share|improve this question



























    0















    I am using ftpd on a freshly installed FreeBSD machine. (A raspberry pi, but I do not think that matters for this question). Unfortunately this server is behind a router so I need to put port forwards, which is fine, I know how to do this. The problem is that I have no way of knowing which port the server will pick for its passive connections. Also, the man page for ftpd does not give me an idea on how to limit the range for passive ports.



    How do I limit the port range used by ftpd as passive ports? For example set it to 50100 - 50200.










    share|improve this question

























      0












      0








      0








      I am using ftpd on a freshly installed FreeBSD machine. (A raspberry pi, but I do not think that matters for this question). Unfortunately this server is behind a router so I need to put port forwards, which is fine, I know how to do this. The problem is that I have no way of knowing which port the server will pick for its passive connections. Also, the man page for ftpd does not give me an idea on how to limit the range for passive ports.



      How do I limit the port range used by ftpd as passive ports? For example set it to 50100 - 50200.










      share|improve this question














      I am using ftpd on a freshly installed FreeBSD machine. (A raspberry pi, but I do not think that matters for this question). Unfortunately this server is behind a router so I need to put port forwards, which is fine, I know how to do this. The problem is that I have no way of knowing which port the server will pick for its passive connections. Also, the man page for ftpd does not give me an idea on how to limit the range for passive ports.



      How do I limit the port range used by ftpd as passive ports? For example set it to 50100 - 50200.







      ftp freebsd






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 9 at 16:29









      BazzzBazzz

      12017




      12017






















          1 Answer
          1






          active

          oldest

          votes


















          1














          Looking at the FreeBSD ftpd source code there is a "-U" (capital U) option that indirectly lets you control the range of data ports. This is documented in the FreeBSD ftpd man page, once you've specified it on the command line of ftpd, you can control the port range by adjusting the system settings as described in the FreeBSD ip man page (scroll down to "IP_PORTRANGE" in the document to see the details on the net.inet.ip.portrange.first and net.inet.ip.portrange.last settings).



          This is a system-wide setting so it will affect any other programs on the server that also check for the IP_PORTRANGE settings before opening up a socket. This means other services might accidentally be allowed through your router because they're using the same port range allowed for ftpd. If ftpd is the only service on the Pi then this probably doesn't matter.



          Another option is to install vsfptd, which according to this answer lets you specify the passive port range in vsfptd.conf. These settings only affect the vsftpd daemon, and won't change the behavior of anything else on the system.






          share|improve this answer


























          • Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

            – Bazzz
            Feb 10 at 8:45











          • You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

            – Velo Traveler
            Feb 10 at 16:18











          • Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

            – Bazzz
            Feb 10 at 16:51











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403910%2fhow-to-set-the-passive-port-range-of-ftpd%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          Looking at the FreeBSD ftpd source code there is a "-U" (capital U) option that indirectly lets you control the range of data ports. This is documented in the FreeBSD ftpd man page, once you've specified it on the command line of ftpd, you can control the port range by adjusting the system settings as described in the FreeBSD ip man page (scroll down to "IP_PORTRANGE" in the document to see the details on the net.inet.ip.portrange.first and net.inet.ip.portrange.last settings).



          This is a system-wide setting so it will affect any other programs on the server that also check for the IP_PORTRANGE settings before opening up a socket. This means other services might accidentally be allowed through your router because they're using the same port range allowed for ftpd. If ftpd is the only service on the Pi then this probably doesn't matter.



          Another option is to install vsfptd, which according to this answer lets you specify the passive port range in vsfptd.conf. These settings only affect the vsftpd daemon, and won't change the behavior of anything else on the system.






          share|improve this answer


























          • Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

            – Bazzz
            Feb 10 at 8:45











          • You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

            – Velo Traveler
            Feb 10 at 16:18











          • Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

            – Bazzz
            Feb 10 at 16:51
















          1














          Looking at the FreeBSD ftpd source code there is a "-U" (capital U) option that indirectly lets you control the range of data ports. This is documented in the FreeBSD ftpd man page, once you've specified it on the command line of ftpd, you can control the port range by adjusting the system settings as described in the FreeBSD ip man page (scroll down to "IP_PORTRANGE" in the document to see the details on the net.inet.ip.portrange.first and net.inet.ip.portrange.last settings).



          This is a system-wide setting so it will affect any other programs on the server that also check for the IP_PORTRANGE settings before opening up a socket. This means other services might accidentally be allowed through your router because they're using the same port range allowed for ftpd. If ftpd is the only service on the Pi then this probably doesn't matter.



          Another option is to install vsfptd, which according to this answer lets you specify the passive port range in vsfptd.conf. These settings only affect the vsftpd daemon, and won't change the behavior of anything else on the system.






          share|improve this answer


























          • Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

            – Bazzz
            Feb 10 at 8:45











          • You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

            – Velo Traveler
            Feb 10 at 16:18











          • Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

            – Bazzz
            Feb 10 at 16:51














          1












          1








          1







          Looking at the FreeBSD ftpd source code there is a "-U" (capital U) option that indirectly lets you control the range of data ports. This is documented in the FreeBSD ftpd man page, once you've specified it on the command line of ftpd, you can control the port range by adjusting the system settings as described in the FreeBSD ip man page (scroll down to "IP_PORTRANGE" in the document to see the details on the net.inet.ip.portrange.first and net.inet.ip.portrange.last settings).



          This is a system-wide setting so it will affect any other programs on the server that also check for the IP_PORTRANGE settings before opening up a socket. This means other services might accidentally be allowed through your router because they're using the same port range allowed for ftpd. If ftpd is the only service on the Pi then this probably doesn't matter.



          Another option is to install vsfptd, which according to this answer lets you specify the passive port range in vsfptd.conf. These settings only affect the vsftpd daemon, and won't change the behavior of anything else on the system.






          share|improve this answer















          Looking at the FreeBSD ftpd source code there is a "-U" (capital U) option that indirectly lets you control the range of data ports. This is documented in the FreeBSD ftpd man page, once you've specified it on the command line of ftpd, you can control the port range by adjusting the system settings as described in the FreeBSD ip man page (scroll down to "IP_PORTRANGE" in the document to see the details on the net.inet.ip.portrange.first and net.inet.ip.portrange.last settings).



          This is a system-wide setting so it will affect any other programs on the server that also check for the IP_PORTRANGE settings before opening up a socket. This means other services might accidentally be allowed through your router because they're using the same port range allowed for ftpd. If ftpd is the only service on the Pi then this probably doesn't matter.



          Another option is to install vsfptd, which according to this answer lets you specify the passive port range in vsfptd.conf. These settings only affect the vsftpd daemon, and won't change the behavior of anything else on the system.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 10 at 16:08

























          answered Feb 9 at 20:28









          Velo TravelerVelo Traveler

          1294




          1294













          • Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

            – Bazzz
            Feb 10 at 8:45











          • You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

            – Velo Traveler
            Feb 10 at 16:18











          • Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

            – Bazzz
            Feb 10 at 16:51



















          • Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

            – Bazzz
            Feb 10 at 8:45











          • You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

            – Velo Traveler
            Feb 10 at 16:18











          • Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

            – Bazzz
            Feb 10 at 16:51

















          Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

          – Bazzz
          Feb 10 at 8:45





          Thanks for your answer. I also looked in the source code and found that on line 2906 and on 3021 it is doing "something" with port ranges. My knowledge of C is not enough to completely understand what is going on but it seems like it is checking whether the constant IP_PORTRANGE is set, and if so does something with it. I would have assumed that I could set that constant somewhere. Not?

          – Bazzz
          Feb 10 at 8:45













          You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

          – Velo Traveler
          Feb 10 at 16:18





          You're absolutely right! Before I composed my first cut of the answer, I had followed that code enough to see that it was a compile-time option, but I didn't think you wanted to recompile FreeBSD for this project. However, I missed that it was keyed to the command-line option which then referenced the tuneable system settings. Really, this is a kludge - there should be settings specific to ftpd, as there are in vsftpd and most other FTP servers - you shouldn't have to adjust system-wide parameters to control the behavior of a single daemon.

          – Velo Traveler
          Feb 10 at 16:18













          Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

          – Bazzz
          Feb 10 at 16:51





          Considering that it is a simple Pi with just one real daemon I think I might go for changing the values of net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast using sysctrl. I believe then nothing needs to be changed to ftpd, however I do agree with you that this is not really the way I assumed things should work. :) I will try this in the upcoming days and if it works I'll accept the answer.

          – Bazzz
          Feb 10 at 16:51


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403910%2fhow-to-set-the-passive-port-range-of-ftpd%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀