On Fri, Jul 27, 2001 at 10:39:38AM +1000, Jonathan Benson wrote:
> Jack Bowling wrote:
>
> > Try the following lines instead of the above:
> >
> > #FTP Data fix
> > $IPT -A INPUT -p tcp --sport 20 --dport 1023:65535 ! --syn -m state --state RELATED -j ACCEPT
> > $IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
> > $IPT -A INPUT -p udp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT
>
> This would be a BAD idea. It's letting ANY udp packet destined for a high port
> through by the looks of it.
>
> I'd prefer to have things working the way they should than open up holes in my
> firewall.
Have you tried both:
ip_conntrack_ftp
ip_nat_ftp
This works fine for me. Connection tracking handles it fine without
any special firewall rules. Sorry if this has come up, but I missed the
first part of the thread. I butted my head over this for a while.
--
Hal B
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Spamtrap: [EMAIL PROTECTED] and [EMAIL PROTECTED]
--
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
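The ruleset below is an added illustration of the point made in the reply above; it is not code from anyone in the thread. It puts the objected-to UDP rule from the quoted message next to a helper-based ruleset that needs no such hole: once ip_conntrack_ftp is loaded, the kernel parses the PORT/PASV exchange on the control channel and marks the data connection RELATED, so one ESTABLISHED,RELATED rule covers active mode (server port 20 to a client high port) and passive mode (client to a server high port) alike. ip_nat_ftp is only needed when the box also rewrites addresses. Assumptions: the $NET value, the DRYRUN/run helper (the script prints the commands it would run unless DRYRUN is unset), and the module names. The ip_* names are the 2.4-era ones from the reply; 2.6 and later kernels call them nf_conntrack_ftp and nf_nat_ftp, and since Linux 4.7 the helper is no longer attached automatically (nf_conntrack_helper defaults to 0), so a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` is needed as well.

```shell
#!/bin/sh
# Added example, not from the seawolf-list thread. Contrasts the broad UDP
# rule quoted in the thread with a ruleset that relies on the kernel's FTP
# connection-tracking helper. DRYRUN=1 (the default) prints every command
# instead of executing it; run with DRYRUN= as root to apply the rules.
DRYRUN="${DRYRUN-1}"
IPT="${IPT:-iptables}"
NET="${NET:-192.168.1.0/24}"   # assumed local network, stands in for $NET above

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRYRUN" ]; then
        echo "$@"
    else
        "$@"
    fi
}

# The rule the reply objects to: accepts ANY UDP datagram from ANY source to
# every unprivileged port on the local network, not just FTP data traffic.
weak_udp_rule() {
    run $IPT -A INPUT -p udp -s 0/0 -d "$NET" --dport 1023:65535 -j ACCEPT
}

# Helper-based ruleset: the ftp helper marks data connections RELATED to an
# already-tracked control connection, so no port-range or UDP hole is needed.
ftp_conntrack_rules() {
    # 2.4-era names as given in the reply; on 2.6+ use nf_conntrack_ftp and
    # nf_nat_ftp (assumption). ip_nat_ftp is only required when NATting.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # Default-deny inbound; only explicitly matched traffic gets through.
    run $IPT -P INPUT DROP
    run $IPT -A INPUT -i lo -j ACCEPT
    # One rule covers replies AND helper-detected FTP data connections,
    # whether active (sport 20 -> client high port) or passive.
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Control channel: only needed if this host runs an FTP server.
    run $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Print (or apply) the helper-based ruleset when run as a script.
ftp_conntrack_rules
```

Leave DRYRUN set and diff the printed commands against your existing script: the only inbound rule that mentions a port range should be gone, and no rule should match `-p udp` at all.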