> On Tue, 12 Mar 2002 21:20:05 +0100
> "Joffer" <[EMAIL PROTECTED]> wrote:
>
> > for somehow this msg just wouldn't add '>' to the text so I'll be answering
> > here instead, so I won't confuse myself or you ppl.
> >
> > I consider Active FTP a security threat, since it involves opening tcp port
> > 20 inbound on the firewall, since the ftp-server is initiating the
> > connection for the ftp-data.
>
> That's OK if you have a small network (or you have a lot of political
> control over a large one!) Me... I must support active ftp.
>
> That's why I moved to iptables, for RELATED.

yes, of course, but did you read the document? It should help you understand
and open the right ports to allow passive (which was what you had problems
with??)

/Christopher

> > I recommend you read this document about Active FTP Vs Passive FTP, and use
> > Passive FTP.
> > http://www.slacksite.com/other/ftp.html
> >
> > If you trail that document opening (and closing everything else) you should
> > fix it just fine.
> >
> > /Christopher Thorjussen
> >
> > ----- Original Message -----
> > From: "Matt Cooling" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 12, 2002 5:23 PM
> > Subject: FTP server firewall rules
> >
> > I'm running a webserver, which I have secured with iptables as follows:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  <internal gateway>   anywhere             tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
> > ACCEPT     udp  --  <dns server>         anywhere             udp spt:domain
> >
> > I now want to give FTP access to specific IP addresses for uploading
> > content. I started using the following rules:
> >
> > iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> > iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
> >
> > which allows ACTIVE FTP to work properly. However, I also want to allow
> > PASSIVE FTP, which I assumed would require the following rule:
> >
> > iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT
> >
> > Unfortunately this doesn't seem to work. I've checked that the module is
> > loaded:
> >
> > [root@testbox root]# cat /proc/modules
> > ip_conntrack_ftp        4096   0 (unused)
> > ipt_state               1152   1 (autoclean)
> > ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp ipt_state]
> > ...
> > iptable_filter          2272   0 (autoclean) (unused)
> > ip_tables              11424   2 [ipt_state iptable_filter]
> > ...
> >
> > I've reviewed some articles on the Internet; however, these are generally
> > oriented to protecting a box. Have I missed something basic, or should
> > this work?
> >
> > Thanks in advance,
> >
> > Matt
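An added illustration of the behaviour behind Matt's question (this is example code written for this page, not code from the thread or from the netfilter project). The ip_conntrack_ftp helper reads the server's "227 Entering Passive Mode" reply and registers an expectation for the data connection; only the first packet of that connection is classified RELATED, and once it has been accepted the connection is in the state table and every later packet on it is ESTABLISHED. With an INPUT policy of DROP, a rule that matches `--state RELATED` alone therefore lets the data connection's SYN in and drops everything after it, while `--state RELATED,ESTABLISHED` carries the whole upload. The toy conntrack below models just enough of that to show the two verdict sequences side by side; the addresses, ports and the PASV reply are constructed sample values, and the state machine is a simplification (no TCP flag tracking, no timeouts, no reply-direction packets).

```python
import re
from dataclasses import dataclass

CLIENT = "10.0.0.5"        # constructed: stands in for <ftp client>
SERVER = "192.168.1.10"    # constructed: the webserver running the FTP daemon


@dataclass(frozen=True)
class Packet:
    """One inbound TCP packet as seen by the INPUT chain."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


def parse_pasv(reply):
    """Return the data port announced in a '227 Entering Passive Mode
    (h1,h2,h3,h4,p1,p2)' reply; port = p1 * 256 + p2. This is the parse the
    FTP conntrack helper has to do before it can register an expectation."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    return int(m.group(5)) * 256 + int(m.group(6))


class Conntrack:
    """Toy model of the conntrack table plus the helper's expectation list."""

    def __init__(self):
        self.table = set()     # (src, sport, dst, dport) of confirmed connections
        self.expected = set()  # (src, dst, dport) announced by the FTP helper

    def expect(self, src, dst, dport):
        self.expected.add((src, dst, dport))

    def classify(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return "ESTABLISHED"
        if pkt.syn and (pkt.src, pkt.dst, pkt.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def confirm(self, pkt):
        # An accepted packet enters the table; the expectation is consumed.
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.expected.discard((pkt.src, pkt.dst, pkt.dport))


def input_chain(ct, pkt, state_rule):
    """Model of the chain in the thread, policy DROP, for one client:
         -p tcp -s <ftp client> --dport ftp -j ACCEPT            (stateless)
         -p tcp -s <ftp client> -m state --state <state_rule> -j ACCEPT
    state_rule uses iptables syntax, e.g. "RELATED" or "RELATED,ESTABLISHED".
    Returns (conntrack state, verdict)."""
    allowed = state_rule.split(",")
    state = ct.classify(pkt)
    verdict = "DROP"
    if pkt.src == CLIENT and pkt.dport == 21:
        verdict = "ACCEPT"
    elif pkt.src == CLIENT and state in allowed:
        verdict = "ACCEPT"
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return state, verdict


def passive_session(state_rule):
    """Run a passive-mode upload through the chain; return the (state, verdict)
    pair for each inbound packet."""
    ct = Conntrack()
    verdicts = []
    # 1. client opens the control connection to port 21
    verdicts.append(input_chain(ct, Packet(CLIENT, 40000, SERVER, 21, syn=True), state_rule))
    # 2. server answers PASV (outbound, so not filtered here); the helper parses
    #    the reply and expects a connection from the client to that port
    reply = "227 Entering Passive Mode (192,168,1,10,19,137)"   # constructed
    data_port = parse_pasv(reply)
    ct.expect(CLIENT, SERVER, data_port)
    # 3. client opens the data connection: this SYN is RELATED
    verdicts.append(input_chain(ct, Packet(CLIENT, 40001, SERVER, data_port, syn=True), state_rule))
    # 4. the handshake ACK and the upload itself are ESTABLISHED
    verdicts.append(input_chain(ct, Packet(CLIENT, 40001, SERVER, data_port), state_rule))
    return verdicts


if __name__ == "__main__":
    for rule in ("RELATED", "RELATED,ESTABLISHED"):
        print("--state %s:" % rule)
        for state, verdict in passive_session(rule):
            print("  %-12s -> %s" % (state, verdict))
```

Running the script prints ACCEPT, ACCEPT, DROP for `--state RELATED` and three ACCEPTs for `--state RELATED,ESTABLISHED`. The same reasoning applies to the control connection: it only works in the thread's ruleset because the stateless `--dport ftp` rule accepts every packet regardless of state, which is why the problem shows up on the data connection first.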