Hi,

This is my first post.

I placed these rules in /etc/npf.conf:

# ftp
pass in final proto tcp to any port ftp
pass in final proto tcp to any port "ftp-data"
# Passive FTP
pass stateful in final proto tcp to $ext_addrs port 49151-65535

ftp access works fine, but I'm wondering whether the passive rule is too permissive.

Any comments?
Thanks

  • lib7 ftp access works fine, but I'm wondering whether the passive rule is too permissive.

    Possibly. NetBSD's ftpd allows defining a restricted portrange to listen on for ftp-data; see ftpd.conf(5). In my /etc/ftpd.conf I have:

    # Set the range of port number which will be used for passive data transfer
    portrange   all     65525   65535
    

    And subsequently in /etc/npf.conf:

    # Allow FTP PSV on safer ports
    pass stateful in final proto tcp to $if port 65525-65535
    

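The point of the reply is that the npf passive rule should be no wider than the range ftpd actually listens on. The script below, an added example that is not part of this thread, reads an ftpd.conf `portrange` line and compares it against every npf `pass ... in` rule that carries a numeric port range, reporting whether each rule is exact, too permissive (and by how many ports), or fails to cover the ftpd range. The embedded configuration fragments are constructed copies of the ones posted above; the parsing assumes the `portrange <class> <lo> <hi>` form shown in the reply and the single-line npf rule syntax used in the original post.

```python
import re

# Constructed sample inputs, copied from the fragments posted in the thread.
FTPD_CONF = """\
# Set the range of port number which will be used for passive data transfer
portrange   all     65525   65535
"""

# The original poster's rules: the passive rule opens 49151-65535.
NPF_CONF_BEFORE = """\
# ftp
pass in final proto tcp to any port ftp
pass in final proto tcp to any port "ftp-data"
# Passive FTP
pass stateful in final proto tcp to $ext_addrs port 49151-65535
"""

# The reply's rule: only the range ftpd is configured to use.
NPF_CONF_AFTER = """\
# Allow FTP PSV on safer ports
pass stateful in final proto tcp to $if port 65525-65535
"""

# Matches "port <lo>-<hi>" inside an npf rule; symbolic ports ("ftp") are ignored.
PORT_RANGE = re.compile(r'\bport\s+(\d+)-(\d+)\b')


def _strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split('#', 1)[0].strip()


def ftpd_passive_range(conf):
    """Return (lo, hi) from the first 'portrange <class> <lo> <hi>' line, or None."""
    for line in conf.splitlines():
        parts = _strip_comment(line).split()
        if len(parts) == 4 and parts[0] == 'portrange':
            return int(parts[2]), int(parts[3])
    return None


def npf_passive_rules(conf):
    """Return [(lo, hi, rule)] for each inbound 'pass' rule with a numeric port range."""
    rules = []
    for line in conf.splitlines():
        rule = _strip_comment(line)
        if not rule.startswith('pass') or ' in ' not in rule:
            continue
        m = PORT_RANGE.search(rule)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), rule))
    return rules


def check_passive_rules(ftpd_conf, npf_conf):
    """Compare each npf passive rule with the ftpd portrange.

    Returns [(rule, verdict, excess_ports)] where verdict is 'exact',
    'too permissive' (rule covers the ftpd range and more) or 'mismatch'
    (rule does not fully cover the ftpd range, so passive mode would break).
    """
    ftpd_range = ftpd_passive_range(ftpd_conf)
    if ftpd_range is None:
        raise ValueError('no portrange line found in ftpd.conf')
    lo, hi = ftpd_range
    needed = hi - lo + 1
    results = []
    for rlo, rhi, rule in npf_passive_rules(npf_conf):
        if rlo > lo or rhi < hi:
            verdict, excess = 'mismatch', 0
        elif (rlo, rhi) == (lo, hi):
            verdict, excess = 'exact', 0
        else:
            verdict, excess = 'too permissive', (rhi - rlo + 1) - needed
        results.append((rule, verdict, excess))
    return results


if __name__ == '__main__':
    for label, conf in (('before', NPF_CONF_BEFORE), ('after', NPF_CONF_AFTER)):
        for rule, verdict, excess in check_passive_rules(FTPD_CONF, conf):
            print(f'{label}: {verdict} (+{excess} ports): {rule}')
```

Running it reports the original 49151-65535 rule as too permissive by 16374 ports beyond the eleven ftpd actually uses, and the reply's 65525-65535 rule as an exact match. A mismatch verdict is the other failure worth catching: if the ftpd range is later widened without updating npf.conf, passive transfers start failing silently.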