For some reason this msg just wouldn't add '>' to the text, so I'll be answering here instead, so I won't confuse myself or you ppl.

I consider Active FTP a security threat, since it involves opening tcp port 20 inbound on the firewall, since the ftp-server is initiating the connection for the ftp-data. I recommend you read this document about Active FTP Vs Passive FTP, and use Passive FTP:

http://www.slacksite.com/other/ftp.html

If you follow that document, opening (and closing everything else) as it describes, you should fix it just fine.

/Christopher Thorjussen

----- Original Message -----
From: "Matt Cooling" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 12, 2002 5:23 PM
Subject: FTP server firewall rules

I'm running a webserver, which I have secured with iptables as follows:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  <internal gateway>   anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     udp  --  <dns server>         anywhere             udp spt:domain

I now want to give FTP access to specific IP addresses for uploading content. I started using the following rules:

    iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
    iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT

which allows ACTIVE FTP to work properly. However, I also want to allow PASSIVE FTP, which I assumed would require the following rule:

    iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT

Unfortunately this doesn't seem to work. I've checked that the module is loaded:

    [root@testbox root]# cat /proc/modules
    ip_conntrack_ftp        4096   0 (unused)
    ipt_state               1152   1 (autoclean)
    ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp ipt_state]
    ...
    iptable_filter          2272   0 (autoclean) (unused)
    ip_tables              11424   2 [ipt_state iptable_filter]
    ...

I've reviewed some articles on the Internet; however, these are generally oriented to protecting a box. Have I missed something basic, or should this work?

Thanks in advance,
Matt
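As an added example (not code from either post in this thread), here is a small POSIX shell script for the server-side INPUT chain that allows both active and passive FTP from a fixed set of clients, written against the iptables/kernel 2.4 setup Matt describes. The variable names FTP_CLIENTS and DRY_RUN, the example client addresses, and the run wrapper are assumptions made here. The pasv_port function shows the arithmetic ip_conntrack_ftp performs on a 227 reply to learn which inbound SYN it should mark RELATED.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a kernel 2.4 box with
# iptables, the "state" match and the ip_conntrack_ftp helper, like Matt's.
# FTP_CLIENTS, DRY_RUN and run() are names chosen for this example.

# Clients allowed to upload (constructed example addresses, RFC 5737 range).
FTP_CLIENTS="${FTP_CLIENTS:-192.0.2.10 192.0.2.11}"
# DRY_RUN=1 prints the commands instead of applying them (default, so the
# script is safe to read through without root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the INPUT rules an FTP server needs for both modes.
ftp_server_rules() {
    # The helper only tracks the control channel if it is loaded and watching
    # the right port (21 by default; a server on 2121 needs ports=2121).
    run modprobe ip_conntrack_ftp
    for c in $FTP_CLIENTS; do
        # Control connection: the client opens port 21.
        run iptables -A INPUT -p tcp -s "$c" --dport 21 -m state --state NEW -j ACCEPT
        # Passive data: the client connects to the high port announced in the
        # server's 227 reply. Because ip_conntrack_ftp parsed that reply, the
        # client's SYN is RELATED; every later packet of that connection is
        # ESTABLISHED, so RELATED alone is not enough to let the transfer run.
        run iptables -A INPUT -p tcp -s "$c" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Active data is server-initiated (source port 20) and leaves via OUTPUT;
    # inbound it only needs the ESTABLISHED match above, not an open port 20.
}

# Compute the data port from a 227 PASV reply, e.g.
#   227 Entering Passive Mode (192,0,2,1,195,80)  ->  195*256 + 80 = 50000
# This is what ip_conntrack_ftp extracts to create the RELATED expectation.
pasv_port() {
    tuple=$(echo "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(echo "$tuple" | cut -d, -f5)
    p2=$(echo "$tuple" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# Usage: DRY_RUN=1 sh ftp_rules.sh  (print rules)   DRY_RUN=0 sh ftp_rules.sh (apply, as root)
pasv_port "227 Entering Passive Mode (192,0,2,1,195,80)"   # prints 50000
ftp_server_rules
```

Two things worth checking on a box where this still fails: that the FTP daemon really listens on the port ip_conntrack_ftp watches (the ports= module parameter exists for other ports), and that the rule accepts ESTABLISHED as well as RELATED, since only the first packet of the passive data connection carries the RELATED state.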