/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! /* ALSO: Don't quote this header. It makes you look lame :-) */
On Mon, 01 Sep 2003 10:47:12 -0700, you wrote:
>
> >I am wondering if it is possible to add support for non-standard ftp
> >ports on the fly in kernel 2.4.21.
>
>I don't think this is possible with the current IPTABLES code.

That's too bad, I remember something like this supposedly being possible in 2.2.x kernels, but never got around to trying it, as I moved to 2.4.

> >The only way for me to connect to them is to change my
> >firewall to rewrite active requests. As I already have transfers
> >active, the masq modules are in use, and I therefore cannot unload
> >them in order to reload them.
>
>You can force the unload of the FTP MASQ module but you'll break
>all of the existing connections (which sucks). Curious, why do you
>have so many people using non-standard ports?

How? I didn't know you could do this. I searched around a little in google to no avail. Is the only side effect of this breaking existing ftp connections mid-stream? The module wouldn't have to be unloaded very long, especially if it's all done in a script. Most ftp clients have auto reconnect after a failed transfer, and should successfully resume.

My own ftp server runs behind my firewall on port 21. I've had incoming pasv requests handled properly since 2.2.14 via a modified ftp masq module. I'm glad that 2.4 does this automatically. It's ftp connections I make outgoing from my lan, through the firewall to the outside world that are unfortunately more likely to be not on port 21. Don't ask me why, most people with their windows ftp servers don't use port 21.

Being that it's not the ftp server behind masq that needs different ports, and only outgoing ftp connections, does one still need to reload both ftp modules? I have always specified all ports to both modules in the past, although I'm a little fuzzy on exactly what the different ones do.

> >Ideally it would be nice if I didn't have to unload and load the
> >modules at all, and therefore not break all the existing ftp
> >connections.
> >
> >Is this possible / plausible?
>
>Most commercial firewalls do that today. Looking at the
>/linux/net/ipv4/netfilter/ip_conntrack_ftp.c source code, I recommend emailing
>the Netfilter people and see if they would be willing to re-write this module
>code. The tricky part would be how to signal the module that it should re-read
>the /etc/rc.modules file for more non-standard ports w/o deleting the current
>connections. While you're at it, ask them for a mechanism to delete a given
>and/or all the MASQ connections in the state table. :-)

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
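The "do it all in a script" reload the poster describes, written out as an added example; this is not code from the list thread or from the kernel tree. It assumes a 2.4 kernel whose ip_conntrack_ftp and ip_nat_ftp modules (the second name is assumed as the NAT counterpart of the module named in the thread) both take a comma-separated ports= parameter, and it assumes the cap of eight entries that the 2.4 helper sources define as MAX_PORTS. The ports are validated before they are handed to modprobe, and the unload/load order respects the dependency of ip_nat_ftp on ip_conntrack_ftp. DRY_RUN=1 prints the commands instead of running them, which is also how the example can be exercised without root.

```shell
#!/bin/sh
# Added example: rebuild the "ports=" parameter for the 2.4 FTP helpers and
# reload them. Not from the masq list or the kernel; assumes ip_conntrack_ftp
# and ip_nat_ftp both accept "ports=a,b,c" (at most 8 entries, the MAX_PORTS
# value assumed from the 2.4 helper sources). Existing FTP transfers are
# broken by the reload, as the thread notes; clients must reconnect.

# Turn a space-separated port list into "ports=21,2121,...". Port 21 is always
# first; non-numeric values, leading zeros, out-of-range ports and more than
# eight entries are rejected because the string goes straight to modprobe.
ftp_ports_param() {
    out=21
    n=1
    for p in "$@"; do
        case "$p" in
            ''|0*|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
        case ",$out," in
            *",$p,"*) ;;                      # duplicate, skip it
            *) out="$out,$p"; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -le 8 ] || { echo "too many ports ($n > 8)" >&2; return 1; }
    echo "ports=$out"
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Unload and reload both helpers. ip_nat_ftp depends on ip_conntrack_ftp, so
# it is removed first and inserted last. Stops at the first failing step so a
# half-reloaded state is reported rather than hidden.
reload_ftp_helpers() {
    param=$(ftp_ports_param "$@") || return 1
    run rmmod ip_nat_ftp                   || return 1
    run rmmod ip_conntrack_ftp             || return 1
    run modprobe ip_conntrack_ftp "$param" || return 1
    run modprobe ip_nat_ftp "$param"
}

# Usage as a script:  DRY_RUN=1 sh reload-ftp-helpers.sh 2121 8021
[ "$#" -eq 0 ] || reload_ftp_helpers "$@"
```

On the poster's question about which module matters for outgoing connections: the conntrack helper is what reads the PORT/PASV exchange and lets the data connection through, while the NAT helper rewrites the private address a masqueraded client puts into its PORT command; an outgoing active-mode transfer from the LAN needs both, so the script reloads both with the same list.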
