Nisbach, Thomas wrote:
> I use a firewall script (Kernel 2.2.x) with the following first line:
>
> ipchains --policy input DENY # = ultimative firewall
>
> I load the module ip_masq_ftp to let packages belonging to ACTIVE FTP (using
> FTP PORT command) through the firewall. Because I use input policy = DENY it
> is necessary to have a rule to accept packages coming from the FTP server as
> replies to a FTP PORT command. I do this by adding the rule
>
> ipchains --append input --jump ACCEPT --protocol tcp --source-port ftp-data --destination ${MYIP} --destination-port 51000: --interface ${IF_EXTERN}#
>
> Therefore I accept all incoming traffic with source-port 'ftp-data' and
> destination on my machine, and here only with destination-ports >= 51000
> (chosen by the kernel in case of masquerading).
>
> My question(s):
>
> Is there a better solution for the second rule? I.e., is the kernel able to
> automatically accept packages coming from an ip_masq_ftp-'translated' FTP
> PORT command (active FTP)?
>
> Thomas Nisbach

The now stable 2.4 kernel has stateful filtering, connection tracking and an
ftp connection tracker which can do exactly what you want.

raf
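As an added example (not from the thread or its authors), this is the 2.4-kernel iptables rule set raf's answer points at: the FTP connection tracker marks the server's data connection as RELATED, so the blanket accept on source-port ftp-data to every port >= 51000 is no longer needed. It reuses the MYIP and IF_EXTERN variables from the quoted script; their default values here are placeholders.

```shell
#!/bin/sh
# Added example: iptables/conntrack replacement for the ipchains rule quoted above.
# MYIP and IF_EXTERN are taken from the quoted script; the defaults are placeholders.
MYIP="${MYIP:-192.0.2.10}"
IF_EXTERN="${IF_EXTERN:-eth0}"

# Emit the rule set rather than applying it directly, so it can be reviewed
# (or piped to sh on the firewall) and checked without root privileges.
ftp_rules() {
    cat <<EOF
# ip_conntrack_ftp parses the PORT command and marks the data connection RELATED;
# ip_nat_ftp rewrites the address in PORT for clients behind the masquerading box.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Same default-deny stance as "ipchains --policy input DENY".
iptables -P INPUT DROP
iptables -P FORWARD DROP
# FTP clients running on the firewall itself: replies and tracked data
# connections are accepted by state, not by a static port range.
iptables -A INPUT -i $IF_EXTERN -d $MYIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masqueraded clients on the inside: de-NATed replies traverse FORWARD.
iptables -A FORWARD -i $IF_EXTERN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound control connections from inside are what create the tracked entries.
iptables -A FORWARD -o $IF_EXTERN -p tcp --dport ftp -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $IF_EXTERN -j MASQUERADE
EOF
}

# Succeeds only if the generated set contains no blanket accept keyed on the
# ftp-data source port, i.e. the hole the old ipchains rule opened is gone.
no_ftp_data_hole() {
    ! ftp_rules | grep -q -- '--sport ftp-data'
}

ftp_rules
```

Any unsolicited packet from source port 20 that is not tied to a tracked PORT command now falls to the DROP policy, which is the check a defender wants on this rule set.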
