[BlueOnyx:15926] Re: sFTP & firewall

Michael Stauber mstauber at blueonyx.it
Tue Sep 9 18:06:18 -05 2014


Hi Maurice,

> Just wondering: how do you provide access to sFTP in your firewall? Unlike 
> regular FTP, there is no way to automatically open and close the right 
> ports that are used by the data connection. Do you just open a range of 
> ports for sFTP?

There are differences between FTPS, sFTP and SCP. Let us forget about
SCP, as that requires shell access to be enabled and runs over SSH.

With FTP (secure or not) you've also got active and passive FTP, which
requires a random high port to be open for each connection.

In BlueOnyx with the (optional) APF firewall we handle this twofold:

1.) In /etc/proftpd.conf we have this in the <GLOBAL> section:

  # Restrict the range of ports from which the server will
  # select when sent the PASV command from a client. Use the
  # IANA-registered ephemeral port range of 49152-65534.
  PassivePorts 49152 65534

That directs ProFTPd to listen on the ports 49152-65534, too.

2.) The (optional) APF firewall would usually close all high-ports,
blocking off access to these ephemeral ports. To prevent that, the
config file /etc/apf/conf.apf has these ingress ports listed as open:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,23,25,53,80,81,110,143,161,199,443,444,465,587,783,873,993,995,5100,8888,49152_65534"

As you can see, that line ends with "49152_65534", which opens the
matching port range.

You can certainly choose different port ranges and can choose to open
fewer ports. In that case you'd need to edit both /etc/proftpd.conf and
/etc/apf/conf.apf.

-- 
With best regards

Michael Stauber

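A small consistency check for the two settings discussed above, added here as an example and not part of the original post or of BlueOnyx: it parses the PassivePorts directive from a proftpd.conf fragment and the IG_TCP_CPORTS list from a conf.apf fragment (APF writes a range as "low_high"), and reports whether the firewall actually opens every port ProFTPD may hand out for PASV. The config fragments are constructed samples, not copies of the real files.

```python
import re

# Constructed sample fragments, modelled on the two files quoted in the post.
PROFTPD_CONF = """\
<Global>
  # PASV range taken from the IANA ephemeral port range
  PassivePorts 49152 65534
</Global>
"""

APF_CONF = """\
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,80,443,49152_65534"
"""

def passive_ports(proftpd_text):
    """Return (low, high) from the PassivePorts directive, or None if absent."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", proftpd_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def apf_open_ranges(apf_text, var="IG_TCP_CPORTS"):
    """Parse APF's comma-separated list: 'a_b' is a range, a bare number one port."""
    m = re.search(r'^\s*%s="([^"]*)"' % var, apf_text, re.M)
    if not m:
        return []
    ranges = []
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("_")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def passive_range_open(proftpd_text, apf_text):
    """True only if every port in the PassivePorts range is opened by APF ingress."""
    pasv = passive_ports(proftpd_text)
    if pasv is None:
        return False  # no PassivePorts directive: nothing to verify against
    lo, hi = pasv
    # Walk the open ranges in order and make sure they cover [lo, hi] without a gap.
    covered = lo
    for rlo, rhi in sorted(apf_open_ranges(apf_text)):
        if rlo > covered:
            break  # a port below rlo is not opened by any entry
        covered = max(covered, rhi + 1)
    return covered > hi

if __name__ == "__main__":
    print("PASV range fully open:", passive_range_open(PROFTPD_CONF, APF_CONF))
```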