Re: pf, ALG
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf, ALG
- From: Gaby Vanhegan <gaby_(_at_)_vanhegan_(_dot_)_net>
- Date: Thu, 12 Aug 2004 13:40:33 +0100
Rod.. Whitworth wrote:
> On Thu, 12 Aug 2004 13:15:06 +0100, Gaby Vanhegan wrote:
>> This seems like more work than my current setup, which runs proftpd
>
> You don't read the security lists then? I used to do stuff with that
> and even wrote a paper which they used (and somebody else plagiarised)
> but they were so security careless that they printed my email address
> on the website where it was reproduced.....
> If I <HAD> to run an ftpd and needed extra features I think it would be
> PureFTPd but I have persuaded the web designers to consider the
> relative risks vs inconveniences and they, being reasonable and hating
> the idea of "piss on the wall" vandalism of their work, now use scp.

My apologies, we are in fact running pure-ftpd, not proftpd. We opted
for pure over pro because of the security reputation of pro, and the
fact that pure allowed us to specify what range of ports PASV
connections were initiated on.
Ideally, I'd run the stock, but there are some really nice features in
pure. From my rc.conf:
# Start the pure-ftpd server
# Options:
# -A chroot users into their home folder
# -E Disallow anonymous logins
# -k Only allow uploads if the partition is <95% full
# -p Use only ports 57000 to 57999 for PASV data connections
# -u Only allow UIDs of over 500 to login
# -Z Prevent stupid chmod commands from causing problems
# -B Detach and run in the background, as a daemon
# -f Log to the ftp syslog facility
/usr/local/sbin/pure-ftpd -A -E -k 95% -p 57000:57999 -u 500 -Z -B -f ftp
:)
--
Ha! Ha! Ha! Loins...
- Phil Ken Sebben
gaby_(_at_)_vanhegan_(_dot_)_net
http://weblog.vanhegan.net
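
An added pf.conf fragment, not part of the original message, showing how the fixed PASV range from `-p 57000:57999` maps onto filter rules. The interface name and server address are assumptions, and the `flags S/SA keep state` form follows pf syntax of that period.

```conf
# Constructed example. Assumed names: ext_if, ftp_host.
ext_if   = "fxp0"         # assumption: external interface
ftp_host = "192.0.2.10"   # assumption: documentation address for the FTP server

# Default deny on the external interface, with logging so that rejected
# PASV attempts show up on pflog0 when the ranges drift apart.
block in log on $ext_if all

# FTP control channel.
pass in on $ext_if inet proto tcp from any to $ftp_host port 21 \
    flags S/SA keep state

# PASV data channels. The range must match the daemon's -p argument
# exactly: narrower breaks passive transfers, wider leaves ports
# reachable that the daemon will never listen on.
pass in on $ext_if inet proto tcp from any to $ftp_host port 57000:57999 \
    flags S/SA keep state

# For comparison: if the daemon could pick any unprivileged port for
# PASV, the filter would have to admit all of them.
# pass in on $ext_if inet proto tcp from any to $ftp_host port 1024:65535 \
#     flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the rules go live.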