Title: Re: FTP problem thru IPCHAINS

The reason I haven't done it before is I took the easy way out. I had the
internal clients set their FTP to "passive" mode which uses the same
connection (TCP port 21) for both control and data. That way I didn't have
to load the FTP module on my firewall.
[] only to be correct: the above stated about passive mode is NOT TRUE.
[] IMHO in a MASQ'ed setup of ipchains 'normal' and 'passive' mode ftp
should NOT work without loading the module.

I don't think so, Joerg. Normal mode FTP will definitely break, but passive mode should work, IMHO. AFAIK, the server sends the client information about the port which it should connect to. The client subsequently initiates a connection from one of its 'unprivileged' ports to the port specified by the server. As this is an outbound connection, it should be masqueraded fine.

Gruesse
Tobias
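
The two data-channel setups discussed in this thread, as an added example that is not part of the original messages: it parses the RFC 959 host-port field from a `PORT` command and from a `227` reply and reports who opens the data connection and in which direction it crosses a masquerading gateway. The function names and the sample addresses are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample control-channel lines (RFC 959 formats), seen on port 21.
PORT_CMD = "PORT 192,168,1,10,4,1"                             # client -> server
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"  # server -> client

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 field of PORT or a 227 reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port field in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    # The port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(line):
    """Describe the data connection a control line sets up, for a client behind the gateway."""
    ip, port = parse_hostport(line)
    private = any(ip_address(ip) in net for net in RFC1918)
    if line.upper().startswith("PORT"):
        # Active mode: the server connects back to the address the client announced.
        return {"mode": "active", "initiator": "server", "target": (ip, port),
                "direction": "inbound", "announces_private_addr": private}
    if line.startswith("227"):
        # Passive mode: the client connects out to the address the server announced.
        return {"mode": "passive", "initiator": "client", "target": (ip, port),
                "direction": "outbound", "announces_private_addr": private}
    raise ValueError("not a PORT command or 227 reply: %r" % line)

if __name__ == "__main__":
    for sample in (PORT_CMD, PASV_REPLY):
        print(sample, "->", data_connection(sample))
```
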
