Fred,
From reading into what was said below: When using routing rules - masquerading is not
needed... correct?
*************************************************************************
Signed,
Inquisitive
P.S. Detailed Documentation(s) and Sample(s) are more than welcome!
_____________________________Reply_Separator_____________________________
Fred Viles wrote:
> On 28 Jan 99, at 22:28, Tim Fletcher wrote about
> "Re: [masq] FTP and firewalls":
>
> | > But this change won't help a masqueraded client, because there is no
> | > way to get the packet forwarded to the internal IP. So you seem to
> | > be talking about running the FTP client on the masquerading box
> | > itself? If so, masquerading doesn't enter into it.
> |
> | Oh it does....
> |
> | I run on the ipmasqed firewall:
>
> The firewall machine is not masqed, it is the masqER.
>
> | /sbin/ipchains -D input -j ACCEPT -p tcp -y -s 0.0.0.0/0 20 -d myip 60000:65535
> | and then I can ls a dir on sunsite
>
> Running ftp client on some machine whose IP is *not* "myip"?
> Assuming so...
>
> | I then run:
> | /sbin/ipchains -I input -j ACCEPT -p tcp -y -s 0.0.0.0/0 20 -d myip 60000:65535
> | and I can't ls a dir on sunsite
> |...
>
> Well, of course for masquerading to work at all, the firewall must
> accept incoming packets for (at least) the range of ports used by
> masquerading. If replies to masqueraded outgoing packets are not
> accepted, they can't be demasqueraded/forwarded.
>
> Since merely adding this accept rule allows ftp PORT commands to
> work, you must be running the ip_masq_ftp module. But the fact that
> you *need* to add it is surprising. I would have thought some other
> less specific input rule would have accepted these packets.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
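
An added illustration, not part of the thread and not code from the ip_masq_ftp module: a simplified Python model of the mechanism discussed above, in which the client's FTP PORT command is rewritten to the firewall address and a masquerading port, and the server's data connection from port 20 is only forwarded if an input rule accepts it. The addresses, function names and the dictionary form of the rule are assumptions made for the example; the 60000:65535 range mirrors the quoted ipchains rule.

```python
# Constructed sample values, not taken from the thread.
FIREWALL_IP = "203.0.113.5"        # stands in for "myip"
CLIENT_IP = "192.168.1.10"         # masqueraded internal FTP client
MASQ_PORTS = range(60000, 65536)   # the 60000:65535 range in the quoted rule


def parse_port(cmd):
    """Parse an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    verb, _, arg = cmd.strip().partition(" ")
    try:
        f = [int(x) for x in arg.split(",")]
    except ValueError:
        f = []
    if verb.upper() != "PORT" or len(f) != 6 or not all(0 <= x <= 255 for x in f):
        raise ValueError("malformed PORT command: %r" % cmd)
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def masq_rewrite(cmd, table):
    """Model of an FTP masquerading helper: swap the internal address in PORT
    for the firewall address and a free masq port, and remember the mapping."""
    ip, port = parse_port(cmd)
    if ip != CLIENT_IP:  # sanity check of this model, an assumption
        raise ValueError("PORT names an address other than the client's")
    masq_port = next(p for p in MASQ_PORTS if p not in table)
    table[masq_port] = (ip, port)
    return "PORT %s,%d,%d" % (FIREWALL_IP.replace(".", ","),
                              masq_port >> 8, masq_port & 0xFF)


def deliver(pkt, accept_rules, table):
    """Return the internal (ip, port) an inbound SYN is forwarded to, or None
    if no input rule accepts it or no masq entry exists for its port."""
    for r in accept_rules:
        if (pkt["syn"] and pkt["sport"] == r["sport"] and pkt["dst"] == r["dst"]
                and r["dports"][0] <= pkt["dport"] <= r["dports"][1]):
            return table.get(pkt["dport"])
    return None


def demo():
    table = {}
    rewritten = masq_rewrite("PORT 192,168,1,10,4,1", table)
    _, masq_port = parse_port(rewritten)
    syn = {"syn": True, "sport": 20, "dst": FIREWALL_IP, "dport": masq_port}
    rule = {"sport": 20, "dst": FIREWALL_IP, "dports": (60000, 65535)}
    return rewritten, deliver(syn, [rule], table), deliver(syn, [], table)
```

`demo()` returns the rewritten PORT command, the forwarding target when the accept rule is present, and `None` when it is absent.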