On Sat, 24 Nov 2001 03:28, Bernd Eckenfels wrote:
> On Sat, Nov 24, 2001 at 11:44:48AM +1100, Iain wrote:
> > $IPCHAINS -A input -j ACCEPT -i $i -d $IPOFIF/32 -p tcp ! --syn
> >
> > Now this works fine for masquerading except for outgoing FTP. Passive FTP
> > works fine but normal FTP doesn't.
> >
> > Now I thought that this is what the ip_masq_ftp module is for. And this
> > module works if I'm not blocking all incoming SYN packets.
>
> You need to allow the Masquerade Port Range to open incoming connections.
> Actually you can specify a port range for it. This is because the Input
> chain is consulted before the established check can apply. This is better
> solved in ipchains.

How do you specify a port range for it?

> Anyway, I do not recommend to allow active FTP inside anyway.

why not?

> > So I guess my question is, does ip_masq_ftp use a discrete range of ports
> > for FTP connections or does it use everything between 1024-65535?
>
> I don't have the 2.2 code here, but in 2.4 it is 61000 - 65095 (hardwired in
> the module).

thanks.

> Greetings
> Bernd

--
public key available at http://www.minihub.org/~iain/iain.asc
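
A small model of the input-chain behaviour discussed in this thread, added here as an example and not part of the original messages: it shows why the `! --syn` rule passes passive FTP replies but drops the server's active-mode data connection, and what opening only the masquerade range changes. The function names, the default DENY policy and the sample packets are assumptions; the port range is the figure quoted above for 2.4.

```python
from dataclasses import dataclass

# Masquerade port range as quoted in the thread for 2.4 (assumed for this model).
MASQ_PORTS = (61000, 65095)

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

def is_syn(p):
    # ipchains -y / --syn: SYN set, ACK and FIN cleared (a new connection).
    return p.syn and not p.ack and not p.fin

def rule_not_syn(p):
    # Models: -A input -j ACCEPT -p tcp ! --syn
    return not is_syn(p)

def rule_masq_range(p):
    # Hypothetical extra rule: accept TCP to the masquerade port range only.
    return MASQ_PORTS[0] <= p.dst_port <= MASQ_PORTS[1]

def verdict(chain, p, policy="DENY"):
    # First matching rule accepts; otherwise the chain policy applies.
    return "ACCEPT" if any(match(p) for match in chain) else policy

ORIGINAL = [rule_not_syn]
OPENED = [rule_masq_range, rule_not_syn]

# Constructed sample packets arriving on the external interface.
PASSIVE_REPLY = Packet(src_port=40000, dst_port=61500, syn=True, ack=True)
ACTIVE_DATA_SYN = Packet(src_port=20, dst_port=61501, syn=True)
STRAY_SYN = Packet(src_port=50000, dst_port=22, syn=True)

def evaluate():
    samples = {"passive_reply": PASSIVE_REPLY,
               "active_data_syn": ACTIVE_DATA_SYN,
               "stray_syn": STRAY_SYN}
    return {name: (verdict(ORIGINAL, p), verdict(OPENED, p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (before, after) in evaluate().items():
        print(f"{name:16} original={before:6} with_masq_range={after}")
```
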

