On Thu, Aug 21, 2003 at 08:39:05PM +0200, Ahton?n Kar?sek wrote:
> PassivePorts 2000 2200
>
> But ProFTP seems not to read this :) It's not possible to build a firewall without this
> feature :(
> Does anybody know where the problem can be?
Is the firewall in question a Linux iptables one, or something proprietary?

If it's iptables, then you shouldn't need to do any of this, since you can make use of statefulness in netfilter. Load the ip_conntrack_ftp module if needed, allow port 21 TCP to that machine, and ensure that packets in the FORWARD chain (assumes the firewall is a separate machine, as it should be) are accepting ESTABLISHED and RELATED connections :) Something like

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(the syntax might be a little different, I can't check docs/google from here..)

Then you won't need to open any ranges at all, and can live safe in the knowledge iptables is keeping you secure :)

Cheers,
Gavin.
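To make concrete why the RELATED state lets the firewall skip a static passive-port range, here is a small model of what the ip_conntrack_ftp helper does on the control connection. It is an added illustration, not code from the post or from netfilter: it parses the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and the client's "PORT" command (RFC 959, port = p1*256 + p2), registers a one-shot expectation for the data connection, and then classifies the first packet of a new flow as RELATED or NEW. The forward_verdict function stands in for a FORWARD chain that accepts RELATED and NEW-to-port-21 and drops everything else. The addresses and control-channel lines are constructed sample data; real conntrack also tracks ESTABLISHED packets, which this toy ignores.

```python
"""Toy model of netfilter's FTP connection-tracking helper (illustration only).

It does not touch the kernel; it shows the logic by which a passive or active
FTP data connection is matched as RELATED rather than NEW.
"""
import re
from dataclasses import dataclass

# "227 Entering Passive Mode (192,0,2,10,7,209)" -> server address + port
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT 10,0,0,5,8,1" -> client address + port for active-mode transfers
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    src: str    # host that will open the data connection
    dst: str    # host that is listening for it
    dport: int  # port it will connect to


def _addr_port(groups):
    """Decode the six decimal fields of PASV/PORT into (host, port)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


class FtpHelper:
    def __init__(self, client, server):
        self.client = client
        self.server = server
        self.expectations = set()

    def on_control_line(self, direction, line):
        """Feed one line of the TCP/21 stream; direction is 'c2s' or 's2c'.

        Returns True when an expectation was registered.  Like the real helper
        (without loose mode), an advertised address that does not match the
        peer we are tracking is ignored rather than opened up.
        """
        if direction == "s2c":
            m = PASV_RE.match(line)
            if m:
                host, port = _addr_port(m.groups())
                if host == self.server:
                    self.expectations.add(Expectation(self.client, host, port))
                    return True
        elif direction == "c2s":
            m = PORT_RE.match(line)
            if m:
                host, port = _addr_port(m.groups())
                if host == self.client:
                    self.expectations.add(Expectation(self.server, host, port))
                    return True
        return False

    def classify(self, src, dst, dport):
        """Conntrack state for the first packet of a new flow."""
        for e in self.expectations:
            if (e.src, e.dst, e.dport) == (src, dst, dport):
                self.expectations.discard(e)  # an expectation is consumed once
                return "RELATED"
        return "NEW"


def forward_verdict(helper, src, dst, dport):
    """Stand-in for a FORWARD chain: accept RELATED, accept NEW to the FTP
    control port on the tracked server, drop everything else (so no static
    passive range ever needs to be opened)."""
    if helper.classify(src, dst, dport) == "RELATED":
        return "ACCEPT"
    if dst == helper.server and dport == 21:
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    # Constructed session: client 10.0.0.5 talks to FTP server 192.0.2.10.
    h = FtpHelper("10.0.0.5", "192.0.2.10")
    print(forward_verdict(h, "10.0.0.5", "192.0.2.10", 21))           # ACCEPT
    h.on_control_line("s2c", "227 Entering Passive Mode (192,0,2,10,7,209)")
    print(forward_verdict(h, "10.0.0.5", "192.0.2.10", 2001))         # ACCEPT
    print(forward_verdict(h, "10.0.0.5", "192.0.2.10", 2002))         # DROP
```

The point the model makes is that the firewall never needs to know the PassivePorts range: the port the data connection will use is read off the control channel at the moment the server announces it, and only that single expected flow is let through, once. The practical caveat is that the helper can only do this if it can read the control channel, so FTP over TLS, or FTP on a port other than 21 without telling the helper about it, defeats it.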

