At 21:34 28/11/00 +0000, Andreas Horvath wrote:
>hello ppls
>
>our fw is currently blocking all incoming SYNs on the external nic.
>ftp data connections are filtered out, and we can't use pasv
>cause several hosts don't support passive mode transfers.

do you mean you have software you can't upgrade?
any respectable ftp client should support ftp.
for MSIE, upgrade to 5.


>should i have to install a ftp proxy application or is there any other
>way to open up the fw to accept only ftp data connections?

it's not a proxy question. you're having connections back to your
ftp client rejected because they go to ports that are dynamically
allocated (by your client's kernel, but your filter is unaware of...)

you could set up a proxy and accept connections to high ports on your fw, but
there are security risks: you need to make sure no uncontrolled socket is
listening on such ports.

you really need a stateful filter like ipfilter (dunno if iptables is now ok).

>we're using linux kernel 2.2.14 w/ ipchains and masquerading



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
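The thread's point, as an added model (not code from the thread): an active-mode client announces a dynamically allocated port with PORT, and the server's data-channel SYN arrives inbound on it, so a rule that drops all incoming SYNs kills it; an FTP-aware stateful filter instead pre-approves just that one connection. Addresses, ports and command lines below are constructed sample values.

```python
"""Active-mode FTP data SYNs versus a stateless inbound-SYN drop rule and an
FTP-aware stateful filter. Added illustration for the thread above, not code
from it; all addresses, ports and FTP command lines are constructed samples."""
import re

# Active mode: the client announces a listening port with PORT and the server
# connects *inbound* to it from port 20. That SYN is exactly what a
# "drop all incoming SYNs on the external NIC" rule rejects.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port_cmd(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StatelessSynFilter:
    """ipchains-style rules: no memory of the session, every inbound SYN dropped."""
    def observe_control(self, client_ip, server_ip, line):
        pass  # never looks inside the FTP control channel
    def inbound_syn_allowed(self, src, dst):
        return False

class StatefulFtpFilter:
    """Watches the control channel and pre-approves only the announced data connection."""
    def __init__(self):
        self.expected = set()  # (server_ip, client_ip, client_port)
    def observe_control(self, client_ip, server_ip, line):
        parsed = parse_port_cmd(line)
        if parsed is None:
            return
        ip, port = parsed
        # Accept the PORT only if it names the client itself on an unprivileged
        # port; otherwise the firewall would open connections to third parties.
        if ip == client_ip and 1024 <= port <= 65535:
            self.expected.add((server_ip, client_ip, port))
    def inbound_syn_allowed(self, src, dst):
        # src/dst are (ip, port); active data must originate from server port 20
        return src[1] == 20 and (src[0], dst[0], dst[1]) in self.expected

def simulate(filter_, port_line="PORT 192,0,2,10,4,1"):
    """Constructed session: client 192.0.2.10 sends PORT (4*256+1 = 1025),
    then server 198.51.100.7 opens the data channel from port 20."""
    client_ip, server_ip = "192.0.2.10", "198.51.100.7"
    filter_.observe_control(client_ip, server_ip, port_line)
    return filter_.inbound_syn_allowed((server_ip, 20), (client_ip, 1025))
```

The stateful filter also refuses a PORT naming a different host, so it will not be turned into a connection opener for third parties.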