/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */

I use a firewall script (kernel 2.2.x) with the following first line:

    ipchains --policy input DENY    # = ultimate firewall

I load the module ip_masq_ftp to let packets belonging to ACTIVE FTP (using the FTP PORT command) through the firewall. Because I use input policy = DENY, it is necessary to have a rule to accept packets coming from the FTP server as replies to an FTP PORT command. I do this by adding the rule

    ipchains --append input --jump ACCEPT --protocol tcp \
        --source-port ftp-data --destination ${MYIP} --destination-port 51000: \
        --interface ${IF_EXTERN}

Therefore I accept all incoming traffic with source port 'ftp-data' and destination on my machine, and here only with destination ports >= 51000 (chosen by the kernel in case of masquerading).

My question(s): Is there a better solution for the second rule? I.e., is the kernel able to automatically accept packets coming from an ip_masq_ftp-'translated' FTP PORT command (active FTP)?

Thomas Nisbach

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
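The post above asks whether the kernel can accept the server's reply to a translated PORT command on its own. As an added example, not part of Thomas's post or of the ipchains/ip_masq_ftp code, here is a small Python model of how the 2.2 'input' chain evaluates his accept rule. ipchains matches each packet on its own, with no connection state, so the rule cannot tell whether ip_masq_ftp actually rewrote a PORT command for a given port; what it can do is bound the exposure. The model assumes the kernel 2.2 default masquerading port range 61000-65096 (the post uses 51000 and up), and the addresses, interface names and packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_DATA = 20                    # the 'ftp-data' service port
MASQ_RANGE_22 = (61000, 65096)   # assumed: kernel 2.2 default masquerading port range


@dataclass(frozen=True)
class Packet:
    """One incoming packet as seen by the 'input' chain (constructed for the example)."""
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """The subset of ipchains match options used in the post; None means 'any'."""
    target: str                                   # ACCEPT or DENY
    proto: Optional[str] = None                   # --protocol
    iface: Optional[str] = None                   # --interface
    sport: Optional[int] = None                   # --source-port
    dst: Optional[str] = None                     # --destination
    dports: Optional[Tuple[int, int]] = None      # --destination-port lo:hi (inclusive)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


def active_ftp_input_chain(my_ip: str, ext_if: str,
                           masq_ports: Tuple[int, int] = MASQ_RANGE_22) -> List[Rule]:
    """The single accept rule from the post, with an explicit upper bound on the port range.

    There is no per-connection state here: the rule accepts *any* TCP packet from
    source port 20 on the external interface to our address in the masq range,
    whether or not ip_masq_ftp rewrote a PORT command for that port.
    """
    return [Rule("ACCEPT", proto="tcp", iface=ext_if, sport=FTP_DATA,
                 dst=my_ip, dports=masq_ports)]


def verdict(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain policy applies (input policy DENY)."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def demo(masq_ports: Tuple[int, int] = MASQ_RANGE_22) -> dict:
    """Run constructed packets through the chain; returns name -> verdict."""
    my_ip, ext_if, server = "198.51.100.10", "ppp0", "203.0.113.7"   # constructed
    chain = active_ftp_input_chain(my_ip, ext_if, masq_ports)
    packets = {
        # the legitimate case: the server opens the data connection to a masqueraded port
        "ftp_data_to_masq_port": Packet(ext_if, "tcp", server, FTP_DATA, my_ip, 61005),
        # anyone can choose source port 20 (e.g. nmap -g 20); the range bound keeps X11 closed
        "sport20_to_x11": Packet(ext_if, "tcp", server, FTP_DATA, my_ip, 6000),
        # wrong source port: no rule matches, so the DENY policy applies
        "high_sport_to_masq_port": Packet(ext_if, "tcp", server, 1025, my_ip, 61005),
        # right ports but arriving on the internal interface: no match, DENY
        "ftp_data_on_internal_if": Packet("eth0", "tcp", server, FTP_DATA, my_ip, 61005),
    }
    return {name: verdict(chain, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:28s} {v}")
```

Comparing `active_ftp_input_chain(my_ip, ext_if, (51000, 65535))` with the default range shows the cost of the open-ended `51000:` in the post: a source-port-20 packet to, say, port 55555 is accepted by the wider rule and denied by the bounded one, so tightening the range to what the kernel actually hands out for masquerading shrinks what a source-port-20 scan can reach.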
