Seattle Firewall Version 3.2

Running an FTP server on the firewall system or on a masqueraded system


Running wu-ftpd on a system that is also running Seattle Firewall requires that you place the following entries in /etc/seawall/servers:

PROTOCOL   PORT(s)     CLIENT(s)   SERVER   PORT
tcp        1024:5999   0.0.0.0/0
tcp        6010:       0.0.0.0/0
tcp        ftp         0.0.0.0/0

You will also need the following in /etc/seawall/apps:

PROTOCOL   SOURCE PORT(s)   SOURCE ADDR(s)   DEST PORT
tcp        1024:            0.0.0.0/0        ftp-data

Two additional notes:

  1. If you don't run X on the system, you can replace the first two entries in /etc/seawall/servers with a single entry that specifies ports "1024:".
  2. Either way, supporting passive mode FTP clients significantly weakens your firewall. Wu-ftpd does not restrict itself to the local dynamic ports for passive mode connections, thus requiring that the system accept TCP connections on virtually any non-privileged port.

Running an FTP server on a masqueraded system (192.168.1.3 in this example) requires the following entries in /etc/seawall/servers:

PROTOCOL   PORT(s)       CLIENT(s)   SERVER        PORT
tcp        61000:65095   0.0.0.0/0
tcp        ftp           0.0.0.0/0   192.168.1.3

The first entry is unnecessary if you have configured 'strong="No"'.

Notice that this doesn't involve nearly as much risk as running the server on the firewall system itself.
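To make that difference in exposure concrete, here is an added example (not part of the Seattle Firewall documentation) that parses the two /etc/seawall/servers fragments above, in the column format shown, and counts how many TCP ports each configuration opens on the firewall host itself versus forwards to the masqueraded server. The service names ftp and ftp-data are resolved from a small built-in table rather than /etc/services; that table and the "firewall" label are assumptions of this example.

```python
# Added example (not from the Seattle Firewall docs): parse /etc/seawall/servers
# entries and count which TCP ports each configuration opens on the firewall host
# versus forwards to an inside host.
MAX_PORT = 65535
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}  # assumed table; only the names used on this page

def parse_ports(spec):
    """Return an inclusive (low, high) pair for 'N', 'N:M', 'N:' or a service name."""
    if spec in NAMED_PORTS:
        return NAMED_PORTS[spec], NAMED_PORTS[spec]
    if ":" in spec:
        low, high = spec.split(":", 1)
        return int(low), (int(high) if high else MAX_PORT)  # 'N:' runs up to 65535
    return int(spec), int(spec)

def parse_servers(text):
    """Parse lines of PROTOCOL PORT(s) CLIENT(s) [SERVER [PORT]]; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        proto, ports, clients = fields[:3]
        server = fields[3] if len(fields) > 3 else None  # absent: the firewall host itself
        entries.append((proto, parse_ports(ports), clients, server))
    return entries

def ports_by_target(entries, proto="tcp"):
    """Map each target ('firewall' or a forwarded server address) to its set of open ports."""
    targets = {}
    for p, (low, high), _clients, server in entries:
        if p == proto:
            targets.setdefault(server or "firewall", set()).update(range(low, high + 1))
    return targets

# Constructed copies of the two /etc/seawall/servers fragments shown on this page.
FTP_ON_FIREWALL = """tcp 1024:5999 0.0.0.0/0
tcp 6010: 0.0.0.0/0
tcp ftp 0.0.0.0/0
"""
FTP_MASQUERADED = """tcp 61000:65095 0.0.0.0/0
tcp ftp 0.0.0.0/0 192.168.1.3
"""

if __name__ == "__main__":
    for name, text in (("wu-ftpd on firewall", FTP_ON_FIREWALL), ("masqueraded", FTP_MASQUERADED)):
        for target, ports in ports_by_target(parse_servers(text)).items():
            print(f"{name}: {len(ports)} TCP ports open toward {target}")
```

Running it shows the firewall-hosted wu-ftpd configuration accepting connections on 64503 TCP ports of the firewall host, while the masqueraded configuration accepts 4096 (the masquerading range) and forwards only port 21.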


Last updated 7/8/2000 - Tom Eastep