Thank you very much :o) Only one more question: Is it possible to use this approach while the firewall is on the same machine as the FTP server? I own only one computer :o)

Gavin Hamill <[EMAIL PROTECTED]> wrote:
> On Thu, Aug 21, 2003 at 08:39:05PM +0200, Ahton?n Kar?sek wrote:
> > PassivePorts 2000 2200
> >
> > But ProFTP seems not to read this :) It's not possible to build a firewall without
> > this feature :(
> > Does anybody know where the problem can be?
>
> Is the firewall in question a Linux iptables one, or something
> proprietary?
>
> If it's iptables, then you shouldn't need to do any of this, since
> you can make use of statefulness in netfilter..
>
> Load the ip_conntrack_ftp module if needed, and allow port 21
> TCP to that machine, and ensure that packets in the FORWARD chain
> (assumes the firewall is a separate machine, as it should be) are
> accepting ESTABLISHED and RELATED connections :)
>
> Something like
>
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> (the syntax might be a little different, I can't check docs/google from
> here..)
>
> Then you won't need to open any ranges at all, and can live safe in the
> knowledge iptables is keeping you secure :)
>
> Cheers,
> Gavin.
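
The stateful behaviour described in the quoted reply, as an added example that is not part of the original thread: a simplified Python model of how an FTP connection-tracking helper turns a PASV reply on port 21 into a one-time RELATED expectation, so no passive port range has to be opened. The class and function names, the addresses and the sample `227` reply are constructed for illustration and are not netfilter's implementation.

```python
import re

# Simplified model of an FTP connection-tracking helper (an assumption for
# illustration, not netfilter's implementation). Addresses are constructed.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class FtpConntrack:
    def __init__(self):
        self.established = set()  # flows already accepted: (client, server, port)
        self.expected = set()     # data flows announced on the control channel

    def control_reply(self, client, line):
        """Parse a server reply on port 21 and record the PASV data port."""
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            self.expected.add((client, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

    def classify(self, client, server, port):
        """Return the conntrack state for the first packet of this flow."""
        flow = (client, server, port)
        if flow in self.established:
            return "ESTABLISHED"
        if flow in self.expected:
            self.expected.discard(flow)  # an expectation is used once
            self.established.add(flow)
            return "RELATED"
        return "NEW"

    def accept(self, client, server, port):
        """Rules from the thread: NEW only to port 21; ESTABLISHED,RELATED always."""
        if self.classify(client, server, port) != "NEW":
            return True
        if port == 21:
            self.established.add((client, server, port))
            return True
        return False

def demo():
    ct, c, s = FtpConntrack(), "192.0.2.10", "198.51.100.5"
    out = [ct.accept(c, s, 21)]                    # control connection: allowed
    out.append(ct.accept(c, s, 2050))              # data port not announced: dropped
    ct.control_reply(c, "227 Entering Passive Mode (198,51,100,5,8,2)")  # port 2050
    out.append(ct.accept("203.0.113.9", s, 2050))  # other host, same port: dropped
    out.append(ct.accept(c, s, 2050))              # announced data flow: RELATED
    return out
```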

