On Tue, 4 Apr 2000, Craig White wrote:

> Besides the xfs - has anyone ever experienced attacks at the higher numbered
> ports?

The X-ports on 6000-6009 are fun targets :). Saw 6010 used for something as well, but don't know of any attempts against it.

> The reason that I am asking is if I block the ports 1024:65536 using ipchains
>
> something like...
> ipchains -A input -j ACCEPT ! -y -p tcp -s 0/0 -d $extIP 1024:65536

You could just drop the last port off as ipchains assumes 65535 and apparently there isn't a port 65536 :). I like that in the hope that the blank represents maximal ports as opposed to being hard-coded to 65535.

> which only allows return packets in the high ranges and then people using
> Netscape for a PASV ftp connection are rejected by a rule further down that
> specifically rejects that which is not specifically allowed.

Not really certain where PASV ftp and all comes into this. If you're wanting to allow PASV ftp, then allow return packets to tcp port 21 and include the ip_masq_ftp module in your kernel. Allowing incoming connections on port 20 in conjunction with masquerading should enable active ftp as well. This should get things like SuSE's net update functionality of yast working.

> Can I force them to use a specific port via html?
>
> i.e.