An excerpt from http://metalab.unc.edu/pub/Linux/docs/HOWTO/IPCHAINS-HOWTO



FTP has two modes; the traditional one is called active mode and the more 
recent one is called passive mode.  Web browsers usually default to passive 
mode, but command-line FTP programs usually default to active mode.


  In active mode, when the remote end wants to send a file (or even the 
results of an ls or dir command) it tries to open a TCP connection to the 
local machine.  This means you can't filter out these TCP connections 
without breaking active FTP.


  If you have the option of using passive mode, then fine; passive mode 
makes data connections from client to server, even for incoming data. 
Otherwise, it is recommended that you only allow TCP connections to ports 
above 1024 and not between 6000 and 6010 (6000 is used for X-Windows).


>From: "Moonshi Mohsenruddin" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>, "Martin Krzywinski" <[EMAIL PROTECTED]>
>CC: "Vanc Linux Group" <[EMAIL PROTECTED]>,        
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,        
><[EMAIL PROTECTED]>
>Subject: RE: IP Chains and port forwarding
>Date: Fri, 27 Aug 1999 12:12:16 +0800
>
>Insert the ip_masq_ftp module from your firewall script.
>
>"insmod ip_masq_ftp"
>
>--
>Moonshi Mohsenruddin           [EMAIL PROTECTED]
>Singapore       icq:2595480       http://www.linux.com.sg
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of
>[EMAIL PROTECTED]
>Sent: Thursday, August 26, 1999 1:20 PM
>To: Martin Krzywinski
>Cc: Vanc Linux Group; [EMAIL PROTECTED];
>[EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: IP Chains and port forwarding
>
>
>My first guess is you are encountering problems with active ftp access,
>passive ftp access has less problems with the basic firewall setup. Try
>ftping your internal server with netscape for example. The Netscape help
>includes the URL format for accessing a ftp server with user and password.
>Hope this helps.
>
>On Wed, 25 Aug 1999, Martin Krzywinski wrote:
>
> >
 > > I'm starting to fiddle with ipchains. I'm masquerading
> >
> >  router --- [x.x.199.193]FIREWALL[10.1.1.1] --- private network
> >
 > > A few things aren't working. For example, I can't ftp out of the private
 > > clients. The connection is made but the server complains about port
> > numbers. I guess there's something screwy in the masquerading setup.
> > Telnet and browsing work fine. Http downloads work fine.
> >
> > I've got
> >
> >  ipchains -A forward -j MASQ
> >
> > added, but just that for now.
> >
 > > In addition, I'd like to have internal web/ftp/ssh servers. How can I
 > > forward requests to x.x.199.194 on a given port, say 23, to go to
 > > 10.1.1.Y:23?
> >
> > Thanks for any info,
> >
> > Martin
> >
> > --------------------------------------------
> >  And I keep hearing from the cellar bin
> >  The rumbling sound
> >  Of load on load of apples coming in.
> >  For I have had too much
> >  Of apple-picking: I am overtired
> >  Of the great harvest I myself desired.
> >          Robert Frost (After Apple-Picking)
> > --------------------------------- 575/1424 -
> >
> >
> >
> >
>
>-
>To unsubscribe from this list: send the line "unsubscribe linux-net" in
>the body of a message to [EMAIL PROTECTED]
>
>
>
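
Why active FTP fails behind masquerading, and the kind of rewrite a masquerading FTP helper such as ip_masq_ftp performs, as an added example that is not from the HOWTO or from anyone in this thread. The client address 10.1.1.5, the external address 203.0.113.1 and the port numbers are constructed; the `PORT h1,h2,h3,h4,p1,p2` format is from RFC 959.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Return (IPv4Address, port) from 'PORT h1,h2,h3,h4,p1,p2' (RFC 959)."""
    m = re.fullmatch(r"PORT (\d{1,3}(?:,\d{1,3}){5})", line.strip(), re.I)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field above 255: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def howto_allows(port):
    """The excerpt's filter rule: above 1024, but not 6000-6010 (X)."""
    return port > 1024 and not (6000 <= port <= 6010)

def diagnose(line):
    """Say whether the server could connect back to the advertised endpoint."""
    ip, port = parse_port(line)
    return {"endpoint": "%s:%d" % (ip, port),
            "server_can_reach": not any(ip in net for net in RFC1918),
            "howto_allows": howto_allows(port)}

def rewrite_port(line, external_ip, masq_port):
    """Outline of the helper's fix: advertise the firewall's address and port."""
    parse_port(line)  # reject anything that is not a well-formed PORT command
    if not 0 < masq_port < 65536:
        raise ValueError("port out of range: %r" % masq_port)
    host = str(ipaddress.IPv4Address(external_ip)).replace(".", ",")
    return "PORT %s,%d,%d\r\n" % (host, masq_port // 256, masq_port % 256)

if __name__ == "__main__":
    sample = "PORT 10,1,1,5,4,210\r\n"   # constructed: masqueraded client
    print(diagnose(sample))               # private address: server cannot reach it
    fixed = rewrite_port(sample, "203.0.113.1", 61005)   # constructed values
    print(repr(fixed), diagnose(fixed))
```

Without the helper, the firewall masquerades the control connection but the server still receives the private address inside the PORT command, which matches the "server complains about port numbers" symptom in the original question.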

