Brad Bendily wrote:
> > Or just write out the line in full in your rules file. I've never been
> > very impressed with one-line macros, they don't really accomplish
> > anything that /etc/services doesn't already do.
>
> I never use them either. But I see a lot of this sort of thing from people
> who use /etc/services without having any other clues:
>
> ACCEPT net fw tcp 21
> ACCEPT net fw udp 21
>
> Of course these same users are also likely to include:
>
> ACCEPT net fw tcp 20
> ACCEPT net fw udp 20
>
> Ignorance of how things work is rampant...

Trying to avoid ignorance here, are you saying that the above rules are bad?
Three of them are. FTP uses TCP exclusively, so the two UDP rules are senseless. And FTP uses port 20 as the SOURCE port for new active-mode connections, so listing it in the DEST PORT(S) column is also silly.
There are reasons to list it in the SOURCE PORT(S) column, even when using the FTP helpers; see http://www.shorewall.net/FTP.html
Is this:

ACCEPT serv ext tcp ftp

different from this:

ACCEPT serv ext tcp 21
They are the same on any well-behaved system.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
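A small check for the two mistakes Tom points out and for the name-versus-number question, as an added example and not code from the thread or from Shorewall itself: it parses rule lines in the ACTION SOURCE DEST PROTO DEST PORT(S) layout used above, resolves service names the way /etc/services would (a constructed fallback table keeps it working offline), and flags udp/21 and a destination port of 20; normalize_rule shows why "tcp ftp" and "tcp 21" are the same rule.

```python
import socket

# Constructed lookup so the check runs offline; other names go to the system database.
KNOWN_SERVICES = {"ftp": 21, "ftp-data": 20}

def resolve_port(token, proto):
    """Map a DEST PORT(S) token (service name or number) to an int, or None."""
    if token.isdigit():
        return int(token)
    if token in KNOWN_SERVICES:
        return KNOWN_SERVICES[token]
    try:
        return socket.getservbyname(token, proto)  # same answer /etc/services gives
    except OSError:
        return None

def normalize_rule(line):
    """Rewrite service names as numbers so 'tcp ftp' and 'tcp 21' compare equal."""
    cols = line.split()
    if len(cols) >= 5:
        proto = cols[3].lower()
        cols[4] = ",".join(str(resolve_port(t, proto) or t) for t in cols[4].split(","))
    return " ".join(cols)

def check_rule(line):
    """Return the problems in one line of the form ACTION SOURCE DEST PROTO DEST_PORT(S)."""
    cols = line.split()
    if len(cols) < 5:
        return ["rule needs at least ACTION SOURCE DEST PROTO DEST_PORT(S)"]
    proto = cols[3].lower()
    problems = []
    for token in cols[4].split(","):
        port = resolve_port(token, proto)
        if port is None:
            problems.append(f"unknown service name {token!r}")
        elif port == 21 and proto == "udp":
            problems.append("FTP control uses TCP only; udp/21 matches no real traffic")
        elif port == 20:
            problems.append("port 20 is the SOURCE port of active-mode data connections; "
                            "it belongs in SOURCE PORT(S), not DEST PORT(S)")
    return problems

# Constructed sample rules, including the four criticised in the thread.
SAMPLE_RULES = ["ACCEPT net fw tcp 21", "ACCEPT net fw udp 21",
                "ACCEPT net fw tcp 20", "ACCEPT net fw udp 20",
                "ACCEPT serv ext tcp ftp"]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule, "->", "; ".join(check_rule(rule)) or "ok")
```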
