# Need advice with IPFW/Pure-FTP



## Sigfrido (Sep 25, 2011)

Hi!

I've got a problem using Pure-FTP (unfortunately I need it instead of scp) with IPFW on FreeBSD 8.2: I'm not sure of my configuration; services are working regularly, but I've got some concerns about security risks.

Type of connection: *passive*

I've set the passive port range inside /usr/local/etc/pure-ftpd.conf:


```
# Port range for passive connections replies. - for firewalling.

PassivePortRange          49160 49170
```

Then I've enabled a specific ruleset for FTP connections in my ipfw.rules:


```
# FTP = TCP/21
$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 49160-49170 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state
$cmd 00085 allow tcp from me 49160-49170 to any out keep-state
```

Does it sound fine?

Are there any major issues with these rules, given my premise (= I can't replace Pure-FTP with scp)?

Any suggestion?

Thanks in advance


----------



## plamaiziere (Sep 25, 2011)

Sigfrido said:

> Hi!
>
> ```
> ...
> ```



Yes. But you need to open the "portrange" only for incoming connections.
IMO (not sure) you should use a range within the "registered port range" (1024..49151), not the dynamic one.

Regards.


----------



## Sigfrido (Sep 25, 2011)

plamaiziere said:

> Yes. But you need to open the "portrange" only for incoming connections.
> IMO (not sure) you should use a range within the "registered port range" (1024..49151), not the dynamic one.
> 
> Regards.



So:


```
# FTP = TCP/21
$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 49160-49170 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state
```

For the port range, is any technical reference available? I've only found one recommendation, to use the non-privileged range (>= 1024).

Any hint about the port range width (to handle many simultaneous connections)?

Thanks!


----------
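The cross-check discussed in this thread, as an added example that is not part of any post above: a small sh script that reads the `PassivePortRange` directive and the ipfw rules (both embedded inline as constructed copies of the snippets posted above), flags an outbound rule for the passive range (plamaiziere's point that the range only needs to be opened inbound, since in passive mode the client connects to the server and `keep-state` covers the replies), flags a range that reaches above 49151 into the dynamic block, and reports the range width, which is the number of passive data connections the server can have open at one time (Sigfrido's follow-up question). The "fixed" pair using 30000-30099 is an assumed illustration of a range inside 1024..49151, not a value recommended by anyone in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an offline cross-check between the
# PassivePortRange in pure-ftpd.conf and the ipfw rules that open it.
# Inputs are constructed copies of the snippets posted in the thread.

PUREFTPD_CONF='# Port range for passive connections replies. - for firewalling.

PassivePortRange          49160 49170
'

IPFW_RULES='# FTP = TCP/21
$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 49160-49170 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state
$cmd 00085 allow tcp from me 49160-49170 to any out keep-state
'

# Hypothetical corrected pair (assumed values, not from the thread): range
# moved into the registered block 1024-49151 and opened inbound only.
PUREFTPD_CONF_FIXED='PassivePortRange 30000 30099
'
IPFW_RULES_FIXED='$cmd 00070 allow tcp from any to me 21 in keep-state
$cmd 00075 allow tcp from any to me 30000-30099 in keep-state
$cmd 00080 allow tcp from me 21 to any out keep-state
'

# passive_range CONF: print "LOW HIGH" from the PassivePortRange directive.
passive_range() {
    printf '%s\n' "$1" | awk '/^[ \t]*PassivePortRange/ { print $2, $3; exit }'
}

# range_width LOW HIGH: number of ports in the range, i.e. the maximum
# number of passive data connections that can be open at the same time.
range_width() {
    echo $(( $2 - $1 + 1 ))
}

# in_registered_range LOW HIGH: succeed if the whole range lies in 1024-49151.
in_registered_range() {
    [ "$1" -ge 1024 ] && [ "$2" -le 49151 ]
}

# count_rules RULES LOW HIGH DIR: number of "allow tcp" rules that name the
# port range LOW-HIGH in direction DIR ("in" or "out").
count_rules() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" -v dir="$4" '
        /allow tcp/ && index($0, " " lo "-" hi " ") && index($0, " " dir " ") { n++ }
        END { print n + 0 }'
}

# audit_passive_range CONF RULES: print one finding per line, always ending
# with WIDTH=<n>. Returns 0 when no problem was found.
audit_passive_range() {
    range=$(passive_range "$1")
    lo=${range% *}
    hi=${range#* }
    status=0
    if [ "$(count_rules "$2" "$lo" "$hi" in)" -eq 0 ]; then
        echo "MISSING_IN"        # firewall never admits the passive range
        status=1
    fi
    if [ "$(count_rules "$2" "$lo" "$hi" out)" -ne 0 ]; then
        echo "UNNEEDED_OUT"      # server never initiates from the passive range
        status=1
    fi
    if ! in_registered_range "$lo" "$hi"; then
        echo "DYNAMIC_RANGE"     # range reaches into 49152-65535
        status=1
    fi
    echo "WIDTH=$(range_width "$lo" "$hi")"
    return $status
}

audit_passive_range "$PUREFTPD_CONF" "$IPFW_RULES" || echo "original rules: problems found"
audit_passive_range "$PUREFTPD_CONF_FIXED" "$IPFW_RULES_FIXED" && echo "fixed rules: ok"
```

Run against the posted rules it prints `UNNEEDED_OUT`, `DYNAMIC_RANGE` and `WIDTH=11`; against the assumed fixed pair only `WIDTH=100`. To use it on a real host, replace the two embedded strings with the contents of /usr/local/etc/pure-ftpd.conf and of the ipfw rules file; the matching keys on the literal `LOW-HIGH` token and the `in`/`out` keyword as written in the rules file.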

