[lug] FTP services - disarming daemon

Jarosko, Bill Bill_Jarosko at adc.com
Wed Aug 9 08:50:33 MDT 2000


I would really like to have ftp for my own
use but looks like that's not even possible. DSL it is once I move next
month.

receive requests from 192.168s? I can't log on now. And I can't remember
what I changed, obviously something but whatever it was didn't take effect
immediately.



How about instead of shutting down the service you just block outside traffic.
ipchains should work well enough for this.

I assume you have no ipchains rules as of yet, i.e. you haven't set up a firewall yet.

Exter = whatever interface your cable comes in on, i.e. eth0, ppp0, whatever.
hostip = your machine's IP

ipchains -A input -i $Exter -p tcp -s 0.0.0.0/0 1024:65535 -d $hostip 21 -j DENY

Quick explanation: 

ipchains -A input   (append the input rule)
-i               (tells ipchains to watch this interface)
-p tcp           (tells ipchains which protocol)
-s               (this is the source switch, in this case we want all IPs so 0.0.0.0/0)
1024:65535       (the port numbers of remote machines used to connect to ftp)
-d               (destination switch, your ip addr and ftp port number(21))
-j               (policy, what should it do, in this case deny, it doesn't tell TCI(AT&T) it even exists)

That should do it, but if not, send another email.
And if you'd like to block telnet just change the port number from 21 to 23.
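The rule above, as an added example that is not part of the original message: a small POSIX shell script that builds the same ipchains DENY rules for both the FTP (21) and telnet (23) ports, prints them for review by default, and only applies them when APPLY=1 is set. The interface name eth0 and the address 192.168.1.10 are constructed placeholders. It deliberately leaves out the remote source-port range (1024:65535), because a remote TCP client can use any source port, so a rule keyed on the destination port alone covers every inbound connection attempt.

```shell
#!/bin/sh
# Build ipchains DENY rules for inbound FTP (21) and telnet (23) on the
# external interface. The two defaults below are assumed placeholders.
Exter="${Exter:-eth0}"            # external interface (assumed name)
hostip="${hostip:-192.168.1.10}"  # this machine's IP (constructed value)

# block_rule IFACE HOSTIP PORT -> prints one ipchains command.
# No source-port filter: a remote client may pick any source port, so the
# match is on destination address and service port only.
block_rule() {
    printf 'ipchains -A input -i %s -p tcp -s 0.0.0.0/0 -d %s %s -j DENY\n' \
        "$1" "$2" "$3"
}

# rules_for IFACE HOSTIP PORT... -> one command per port, in order.
rules_for() {
    iface=$1; host=$2; shift 2
    for port in "$@"; do
        block_rule "$iface" "$host" "$port"
    done
}

# Default: print the rules so they can be checked before touching the
# firewall. With APPLY=1 (needs root on an ipchains kernel) each rule is
# executed; afterwards `ipchains -L input -n` lists them for verification.
main() {
    rules_for "$Exter" "$hostip" 21 23 | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd   # unquoted on purpose: each field becomes one argument
        else
            echo "$cmd"
        fi
    done
}

main "$@"
```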
