On Fri, Jun 17, 2005 at 10:53:26AM -0600, Bryan Sant wrote:
> On 6/16/05, Charles Curley <[EMAIL PROTECTED]> wrote:
> > If I use system-config-securitylevel to set up a minimum firewall,
> > allowing only SSH, FTP and DNS, DNS works fine. ncftp simply falls
> > back to port instead of passive mode, and continues to work. Yum fails
> > as follows:
>
> Charles, I have your solution.
>
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Good, you're filtering on the RELATED state.
>
> Just modprobe ip_conntrack_ftp as root and you should be in ship shape.
>
> That kernel module will notice when an FTP PORT request is received
> and realize that the new data port is *related* to your FTP connection
> -- thus ACCEPT.
>
> This will only work for FTP sessions initiated from this server. If
> you're NATing other hosts behind this, then you'll need to look into
> the ip_nat_ftp.ko module.
Bingo. ip_conntrack_ftp != ip_conntrack. Doh.

There's none for nfs (no surprise) but one for Amanda. And others.
locate ip_conntrack_ | less for more than you want to know.

Thanks.

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
.===================================.
| This has been a P.L.U.G. mailing. |
|      Don't Fear the Penguin.      |
|  IRC: #utah at irc.freenode.net   |
`==================================='
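Bryan's description of what ip_conntrack_ftp does (watch the control connection for a PORT command, then treat the server's incoming data connection as RELATED) is easier to see in a small user-space model. The Python below is an added example written for this page; it is not kernel code and not anything posted in the thread. It tracks one FTP control connection, parses PORT commands and 227 (passive) replies the way the helper does, and classifies the first packet of a data connection as ESTABLISHED, RELATED or NEW, which is exactly the state the "-m state --state RELATED,ESTABLISHED" rule quoted above matches on. The addresses and FTP lines are constructed for the demo. The "loose" behaviour (by default, ignore a PORT or 227 that names an address other than the control connection's own peer, so a client cannot make the firewall open a port towards some third machine) is my reading of the kernel helper and is flagged as an assumption in the code. NAT rewriting, the ip_nat_ftp case Bryan mentions, is not modelled.

```python
import re
from dataclasses import dataclass

# RFC 959 host/port encoding used by PORT and by the 227 reply:
# "h1,h2,h3,h4,p1,p2" with port = p1 * 256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Six decimal fields -> (ip, port), or None if any field is out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


@dataclass(frozen=True)
class Flow:
    """First packet of a TCP connection as the INPUT chain sees it."""
    src: str
    sport: int
    dst: str
    dport: int


class FtpConntrack:
    """Tracking state for one FTP control connection, client -> server:21.

    helper=True  models ip_conntrack_ftp loaded: PORT/227 create one-shot
                 expectations, so the data SYN is classified RELATED.
    helper=False models plain ip_conntrack: the data SYN is an unrelated NEW.
    loose=False  assumed kernel default: a PORT/227 naming an address other
                 than the control connection's own peer creates no expectation.
    """

    def __init__(self, client, server, helper=True, loose=False):
        self.client, self.server = client, server
        self.helper, self.loose = helper, loose
        # (src_ip, dst_ip, dst_port); the source port is wildcarded, as the
        # kernel helper does for FTP data connections
        self.expect = set()

    def _expect_from(self, regex, line, must_be, connect_from):
        """Shared PORT/227 handling: parse, validate, record an expectation."""
        m = regex.match(line)
        hp = decode_hostport(m.groups()) if (self.helper and m) else None
        if hp is None:
            return
        ip, port = hp
        if ip != must_be and not self.loose:
            return  # names a third machine: do not open a hole towards it
        self.expect.add((connect_from, ip, port))

    def on_client_command(self, line):
        """Client -> server text; an active-mode PORT means the server calls back."""
        self._expect_from(PORT_RE, line, must_be=self.client, connect_from=self.server)

    def on_server_reply(self, line):
        """Server -> client text; a 227 reply means the client connects out."""
        self._expect_from(PASV_RE, line, must_be=self.server, connect_from=self.client)

    def classify(self, flow):
        """Conntrack state a '-m state' rule would match for this packet."""
        on_control = (
            (flow.src, flow.dst, flow.dport) == (self.client, self.server, 21)
            or (flow.src, flow.sport, flow.dst) == (self.server, 21, self.client)
        )
        if on_control:
            return "ESTABLISHED"
        key = (flow.src, flow.dst, flow.dport)
        if key in self.expect:
            self.expect.discard(key)  # an expectation is used up by one connection
            return "RELATED"
        return "NEW"


def demo():
    """Constructed scenario: firewall host 192.0.2.10 fetches from server 198.51.100.5."""
    client, server = "192.0.2.10", "198.51.100.5"
    data_syn = Flow(server, 20, client, 1025)  # server opening the active-mode data connection
    results = {}

    # Plain ip_conntrack: the SYN is NEW, so a RELATED,ESTABLISHED-only ruleset rejects it
    ct = FtpConntrack(client, server, helper=False)
    ct.on_client_command("PORT 192,0,2,10,4,1")  # 4*256+1 = 1025
    results["no_helper"] = ct.classify(data_syn)

    # With ip_conntrack_ftp: PORT creates an expectation, so the same SYN is RELATED
    ct = FtpConntrack(client, server, helper=True)
    ct.on_client_command("PORT 192,0,2,10,4,1")
    results["helper"] = ct.classify(data_syn)
    results["replayed"] = ct.classify(data_syn)  # second SYN: expectation already used

    # PORT naming a third party is ignored unless the helper runs with loose=1
    ct = FtpConntrack(client, server)
    ct.on_client_command("PORT 10,0,0,7,4,1")
    results["third_party"] = ct.classify(Flow(server, 20, "10.0.0.7", 1025))

    # Passive mode: the 227 reply makes the client's outbound data connection RELATED
    ct = FtpConntrack(client, server)
    ct.on_server_reply("227 Entering Passive Mode (198,51,100,5,200,10)")
    results["pasv"] = ct.classify(Flow(client, 40000, server, 200 * 256 + 10))
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:12s} {state}")
```

The no_helper row is the failure reported at the top of the thread: with plain ip_conntrack the server's SYN to the data port is NEW, and a ruleset that only accepts RELATED,ESTABLISHED never lets it in; with the helper tracking the control channel the same packet is RELATED. On a real box, lsmod | grep ip_conntrack_ftp confirms whether the helper is loaded before you start suspecting the rules.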
